Leveling Security Up With Snyk
The number nine in OWASP Top 10 Application Security Risks for 2017 is “Using Components with Known Vulnerabilities”.
Intro to snyk
In my team, we take security very seriously so we started to use snyk. Snyk is a tool that helps you find, fix and prevent vulnerabilities in the dependencies that you use in your project.
In a nutshell, snyk CLI has these useful commands:
snyk test — to scan your dependencies for known vulnerabilities.
snyk wizard — goes through each vulnerability found and asks you how to address it (upgrade dependency, patch it or ignore the vulnerability)
snyk protect — will apply the patches and policies that you choose when running snyk wizard.
Integrating snyk into your CI system
If you want to proactively keep your dependencies free from vulnerabilities then you should integrate snyk into your CI system.
The best way to tackle this is to run snyk every time new code is added to your project.
We use Jenkins and GIT.
Every time a developer creates a Pull Request, a Jenkins job that run tests on the PR code is automatically triggered.
So we added a new step to that job to run snyk test.
Before scanning the dependencies you should apply the patches and policies that you put in place when running snyk wizard, otherwise snyk test will fail even if you decided to ignore some vulnerability.
snyk protect will do that for you.
The job fails if vulnerabilities are found in the new code, the same way that it fails if there are failing tests.
Note: In Node.js projects we have snyk installed as part of the projects and snyk commands are executed with yarn. In Java projects you can install snyk globally in the Jenkins server and run the commands directly with snyk cli.
It would be also a good idea to run snyk monitor to keep your dependency list updated in your snyk account. We do that as part of another Jenkins job that is triggered when new code is merged into the master branch.
Node.js VS Java
snyk wizard is only available for Node.js projects so in Java projects you will need to upgrade your dependencies manually.
Moreover, snyk does not provide patches for Java vulnerabilities as opposed to Node.js.
But, if you want to ignore vulnerabilities in your Java project then you can use snyk ignore command for that.
Things to consider when using snyk on existing projects
If you integrate snyk on existing projects, specially on large monolithic projects, you’ll probably find a bunch of vulnerabilities when you run snyk test for the first time.
For Java projects, as I mentioned before, there is no magic wizard that can upgrade your dependencies so you will need to manually check for each vulnerable dependency whether there is a newer version with a fix and then update the pom.xml to use that new version.
But that’s not all. Once you upgrade the dependencies, even if you use Node.JS and you upgraded them with snyk wizard, you will want to do a sanity check on your application. Upgrading dependencies, specially when upgrading to major versions, can be risky and might break your application functionality.
This can be a very challenging and time consuming task that might involve many developers from different teams. But, as Buddha said:
There are only two mistakes one can make along the road to “secured applications”; not going all the way, and not starting.
Now it’s your turn. Install snyk and let’s make the world a bit more secure.
Stay tuned for my upcoming articles!
