Below you will find pages that utilize the taxonomy term “Security”
How to use IAST to prove exploitable vulnerabilities within your first-party code
Enabling a true “shift-left” in software security by empowering DevOps and security teams to work together
In some recent articles I shared how you as a developer can add security to your skillset by using New Relic capabilities. I also dug deeper into ways to mitigate the hidden security risks of open source software libraries. Both of these blogs focused on third-party code and how it can impact the security of your software applications. In this article I will focus on the security of your own custom code, i.e. the code that you write yourself.
Mitigate the hidden security risks of open source software libraries
Check your source code for any vulnerable libraries and start mitigating these issues
Open source software libraries have become an integral part of modern software development. They are widely used by developers to accelerate the development process and reduce costs. On average, open source libraries make up 70-90% of an entire software application. However, the use of open source libraries also comes with hidden security risks that could potentially harm your organization’s reputation and financial well-being.
Level up your security skillset with New Relic
Not every developer is a security expert, but use these tips to improve your skills
In today’s digital age, security is a major concern for individuals and organizations alike. With the increasing number of cyber-attacks and data breaches, it’s crucial for developers to have a thorough understanding of security best practices. The security of an application is of the utmost importance, as it can directly impact the safety and privacy of users’ data.
Snyk Integration Capabilities with WebHooks - some examples
TL;DR
Integrate your Snyk application security platform by leveraging webhooks into various other external systems such as Microsoft Teams, Azure DevOps Boards, New Relic, DataDog and Splunk.
Here are all the necessary links to get started:
- GitHub Repository: https://github.com/harrykimpel/snyk-webhook-subscription
- Microsoft Teams: https://github.com/harrykimpel/snyk-webhook-subscription/blob/main/azure-function-microsoft-teams.cs
- Azure DevOps Boards: https://github.com/harrykimpel/snyk-webhook-subscription/blob/main/azure-function-azure-boards.cs
- New Relic: https://github.com/harrykimpel/snyk-webhook-subscription/blob/main/azure-function-newrelic.cs
- DataDog: https://github.com/harrykimpel/snyk-webhook-subscription/blob/main/azure-function-datadog.cs
- Splunk: https://github.com/harrykimpel/snyk-webhook-subscription/blob/main/azure-function-splunk.cs
Background
In the past few weeks I have been quite busy in my spare time thinking about new ways of integrating the Snyk application security platform with various other systems, and especially with observability platforms. These ideas are typically triggered through customer interactions, their questions or requirements. Due to my nature and passion, I typically don’t just think about potential integrations and architectures, but really can’t help but also implement a quick prototype. That is what I am passionate about.
How to send Snyk Vulnerability data to New Relic using Prometheus?
TL;DR
By leveraging a Prometheus Exporter you can send all your application security vulnerabilities from Snyk into New Relic.
Here are all the necessary links to get started:
- Snyk Exporter: https://github.com/lunarway/snyk_exporter
- New Relic Kubernetes integration: https://docs.newrelic.com/docs/infrastructure/prometheus-integrations/get-started/send-prometheus-metric-data-new-relic/
- New Relic Instant Observability Quickstart: https://newrelic.com/instant-observability/?search=snyk
Update (2022-09-22)
The option that I am describing here is just one way to achieve this. There might even be a more straightforward option available that I started to describe in a more recent post. Please find an additional approach in my post Snyk Integration Capabilities with WebHooks - some examples.
Microsoft ASP.NET Security Vulnerability: "padding oracle"
Microsoft has released a security advisory about a vulnerability in ASP.NET. A security patch is already available here.
Below are some details on how the vulnerability works:
“To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.” (quoted from Scott Guthrie’s blog)