Download as PDF, PPTX
![@liran_tal
Application’s Security Risks
Open Source
Libraries
Containers
App Code
IaC
Relying on open source software.
What’s your security and compliance strategy?
100s of Linux packages, and their
vulnerabilities, inherited with base images
#1 cloud vulnerability is misconfiguration [NSA]
Deployed daily - waterfall approach doesn’t
scale. Scans can’t take hours.
10-20% of
codebase
80-90% of
codebase](https://image.slidesharecdn.com/snykintro-developersecurityessentials2022v2-lirantal-221012114133-71109217/75/Snyk-Intro-Developer-Security-Essentials-2022-5-2048.jpg)
![@liran_tal
FROM node
RUN apt-get update
RUN apt-get install -y imagemagick
COPY . /usr/src/goof
WORKDIR /usr/src/goof
RUN npm install
CMD ["npm", "start"]
Big image, many
(vulnerable) libraries?
Containers](https://image.slidesharecdn.com/snykintro-developersecurityessentials2022v2-lirantal-221012114133-71109217/75/Snyk-Intro-Developer-Security-Essentials-2022-20-2048.jpg)
![@liran_tal
FROM node
RUN apt-get update
RUN apt-get install -y imagemagick
COPY . /usr/src/goof
WORKDIR /usr/src/goof
RUN npm install
CMD ["npm", "start"]
Common software
vulnerable?
Containers](https://image.slidesharecdn.com/snykintro-developersecurityessentials2022v2-lirantal-221012114133-71109217/75/Snyk-Intro-Developer-Security-Essentials-2022-22-2048.jpg)
Uploaded byLiran Tal
Snyk Intro - Developer Security Essentials 2022
The document outlines Snyk's approach to developer-centric security, emphasizing the need for practical tools to address vulnerabilities in open-source libraries, containers, and application code. It discusses the importance of integrating security throughout the development process and provides information on various Snyk tools that assist in identifying and fixing security risks. Additionally, it highlights initiatives like Capture The Flag (CTF) competitions to make security education engaging for developers.
In this document
Powered by AI
Introduction of Snyk, a developer-first security tool. Key objectives include understanding application security risks.
Highlighting the significance of developer-first security approach. Discusses various security risks from open source libraries and containers.
Overview of Snyk's platform capabilities: Code, Open Source, Container, and Infrastructure as Code security intelligence.
Deep dive into open source security risks including vulnerabilities in code and supply chain security.
Identifying vulnerabilities in containers, emphasizing the importance of managing libraries in container images.
Functionality of Snyk app in continuously scanning applications for vulnerabilities.
Discussion on security challenges in Infrastructure as Code and identifying common issues in open-source libraries.
Engagement in hacking a Node.js application to understand real-world vulnerabilities.
Shifting to DevSecOps for continuous security integration during the software development lifecycle.
Using Snyk for effective vulnerability scanning, assessment and prioritization in software projects.
CTF as a gamified learning experience for security awareness, with details about the upcoming events.Summary of the importance of securing code and infrastructure, along with resources for further learning.
More Related Content
Similar to Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
- 1.
- 2. Liran Tal @liran_tal Developer Advocate@Snyk Node.js Foundation ecosystem security working group Reach out on Twitter and say hi 👋 OWASP Project Lead GitHub Star
- 3. @liran_tal Introduction to OpenSource Security Meet Snyk: Practical Developer-first Security Tooling Key Learning Objectives Play the Hacker 🎩
- 4. @liran_tal Developer-first Security because that’sthe only sustainable path to application security
- 5. @liran_tal Application’s Security Risks OpenSource Libraries Containers App Code IaC Relying on open source software. What’s your security and compliance strategy? 100s of Linux packages, and their vulnerabilities, inherited with base images #1 cloud vulnerability is misconfiguration [NSA] Deployed daily - waterfall approach doesn’t scale. Scans can’t take hours. 10-20% of codebase 80-90% of codebase
- 6. Snyk Code SnykOpen Source Snyk Container Snyk IaC Empowerment Extensibility Governance Application intelligence Security intelligence Developer Experience Developer Security Platform
- 7.
- 8. @liran_tal App Code exports.admin =function (req, res, next) { User.find( { username: req.body.username, password: req.body.password }, function (err, users) {} );
- 9. @liran_tal App Code exports.admin =function (req, res, next) { User.find( { username: req.body.username, password: req.body.password }, function (err, users) {} ); Security issues in this code?
- 10.
- 11. @liran_tal Open Source Code source:https://snyk.io/open-source-security
- 12. @liran_tal Open Source Code source:https://snyk.io/open-source-security
- 13.
- 14. @liran_tal Open Source Code 80-90%of code-base is open-source 80% of vulnerabilities found in transitive dependencies
- 15. @liran_tal Open Source Code dust.escapeHtml= function(s) { if (typeof s === "string" { if (!HCHARS.test(s)) { return s; } return s.replace(QUOT,'"').replace(SQUOT, '''); } return s; };
- 16. @liran_tal Your App Your Code constmarked = require('marked'); app.locals.marked = marked; Open Source Code
- 17. @liran_tal Open-Source Supply ChainSecurity event-stream 💀 flatmap-stream //2018 Open Source Code
- 18.
- 19.
- 20. @liran_tal FROM node RUN apt-getupdate RUN apt-get install -y imagemagick COPY . /usr/src/goof WORKDIR /usr/src/goof RUN npm install CMD ["npm", "start"] Big image, many (vulnerable) libraries? Containers
- 21.
- 22. @liran_tal FROM node RUN apt-getupdate RUN apt-get install -y imagemagick COPY . /usr/src/goof WORKDIR /usr/src/goof RUN npm install CMD ["npm", "start"] Common software vulnerable? Containers
- 23. @liran_tal Your Node.js AppAttack Surface Just Got Bigger
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31. @liran_tal Open-Source Supply ChainSecurity 💀 electron-native-notify 2019 Open Source Code
- 32. @liran_tal Open-Source Supply ChainSecurity 💀 electron-native-notify 2019 Open Source Code
- 33. @liran_tal Open-Source Supply ChainSecurity Open Source Code source: https://snyk.io/advisor/npm-package/marked
- 34. @liran_tal Breakout 1: Let’s hacka Node.js application!
- 35. @liran_tal An Open SourceLibrary const marked = require('marked'); app.locals.marked = marked; <div class="item"> <a href="/edit/<%= todo._id %>"> <%- marked(new String(todo.content)) %> </a> </div> we will exploit: Let’s hack a Node.js application!
- 36. @liran_tal Container Common Software RUN apt-getupdate RUN apt-get install -y imagemagick we will exploit: An Open Source Library Let’s hack a Node.js application!
- 37. @liran_tal Container Node.js runtime FROMnode we will exploit: Container Common Software An Open Source Library Let’s hack a Node.js application!
- 38. @liran_tal Woohoo That was fun! Whatcan I do about it… ?
- 39. @liran_tal From DevOps ToDevSecOps
- 40. CI/CD Git repository Traditional/PaaS Serverless Production DevSecOps: Continuous Security,Integrated throughout DevOps Registry deploy Security gate Code Test & fix Test, fix, monitor Kubernetes Monitor & more... build submit Test, fix, monitor
- 41.
- 42. @liran_tal Scanning projects Filtering vulnerabilities Snyk OpenSource How to prioritize the noise? Grouped fixes Visualizing a Dependency Tree Self exploration: GitHub Settings & Dep Upgrades
- 43.
- 44. @liran_tal Filters the noise,“take home” with --json Agnostic Snyk CLI Use it as a linter Tip: can run code and container scans too Tip: can scan many ecosystem manifests Tip: ad-hoc scan an npm package@version
- 45. @liran_tal Filters the noise,“take home” with --json Agnostic Snyk CLI Use it as a linter Tip: can run code and container scans too Tip: can scan many ecosystem manifests Tip: ad-hoc scan an npm package@version
- 46.
- 47. @liran_tal SAST Real-time codesecurity Find hard-coded secrets Snyk Code Recommended fixes knowledge-base
- 48. @liran_tal Security Resources ctd’ Howdo you assess a dependency?
- 49.
- 50.
- 52. What is aCTF? Capture the Flag (CTF) is a competition where teams and individuals compete to solve security challenges. ● You win by solving the most challenges the fastest. CTFs gamify security education, making it fun and hands-on. ● Participants often exploit vulnerabilities in webpages or servers to uncover flags.
- 53. Nov 2: CTF 101Workshop — Nov 9: Fetch the Flag CTF
- 54. Let’s Hack! Develop fast. Staysecure. Fix vulns, score points, get the high score
- 55. Supported Languages: ● C# ●Go ● Java ● JavaScript ● PHP ● Python ● Ruby ● TypeScript Ground Rules: ● Must be GitHub ● Must be Public ● Let’s make a REAL difference The Developer Challenge https://nodeconf.snykchallenge.io/
- 56. @liran_tal Takeaways Your infrastructure isjust as vulnerable, take measures to monitor and fix it
- 57. @liran_tal Code Securely! Security cheatsheetsand more resources: https://snyk.io/blog Thank you Snyk liran_tal