
Security Corner with Snyk: A More Secure 2018

This year, Snyk and Cloud Foundry are working together to provide monthly posts focused on helping you stay more secure. We’ll have interviews with people from organizations within the Cloud Foundry community, discussing what they’re doing to manage security. We’ll have articles about specific security risks, and what to do about them. We’ll discuss different tools and processes you can incorporate to reduce your risk of exposure. We’ll have a steady stream of security know-how so that you can reduce the number of unknowns in your own organization and build up your security posture in the process.

The past year was certainly an eventful one for security.

From a negative standpoint, we saw no shortage of miscues. Starting around last Christmas, thousands of sites (Cloud Pets being one of the more notorious examples) were victims of a ransomware attack caused by a simple flaw in the default configuration of MongoDB, a popular open source database. Both the PyPi and NPM registries saw a number of malicious packages “typosquatting” (taking advantage of the human error of mistyping) in their registries. Misconfigured AWS instances led to a number of notable breaches. And of course the massive Equifax breach (caused by an unpatched known vulnerability in an open source component—something we’re seeing more and more of) led to its own flurry of frightening headlines.

But for all the negativity we saw, there were also glimmers of hope. Thanks in no small part to the Let’s Encrypt project, HTTPS became much easier to adopt. As a result, Mozilla saw HTTPS traffic increase from 46 percent to 67 percent. The OWASP Cloud Security Project kicked off, providing critical threat modeling resources for companies using cloud services. Popular developer tools, such as Chrome’s Lighthouse and Microsoft’s Sonarwhal, expanded their security auditing capabilities. We’ve seen it at Snyk as well: more and more companies are starting to prioritize staying on top of known vulnerabilities in open source.

Make no mistake: we have a long way to go. The breaches we’ve seen and the way those companies have responded to these breaches have made that very clear. Companies need to prioritize security throughout their organization if we’re going to turn a corner—and that starts with awareness. Reducing the amount of unknowns goes a long way towards an improved security posture.

At Snyk, we focus on making open source more secure by helping you find, fix and prevent known vulnerabilities in your project’s dependencies. Much like Cloud Foundry focuses on abstracting away infrastructure issues, we focus on making the issue of known vulnerabilities as easy to address as possible so you can focus on building your app.

Of course, staying up to date on your known vulnerabilities is just one of many critical steps in making your applications more secure. In fact, there are so many important security considerations that at times it can feel overwhelming.

It can help to remember that the path to improved security isn’t one you can walk overnight. It’s composed of a series of baby steps that make you more secure, layer by layer.

There’s no such thing as “perfect” security, but we can always make it better. This year, together, that’s exactly what we’re going to do.


Tim Kadlec, AUTHOR

Tim is the head of developer relations at Snyk—a company focused on making open source code more secure. He wrote Implementing Responsive Design: Building sites for an anywhere, everywhere web (New Riders, 2012) and was a contributing author for High Performance Images (O'Reilly, 2016), Smashing Book #4: New Perspectives on Web Design (Smashing Magazine, 2013) and the Web Performance Daybook Volume 2 (O'Reilly, 2012).