Liran Tal Avatar

Liran Tal

Liran TalSnyk

JavaScript frameworks security report 2019

Liran Tal:

In this report, we investigate the state of security for both the Angular and React ecosystems, looking at best practices, secure coding, and security vulnerabilities in React, Angular, and other frontend projects such as Bootstrap, Vue.js, and jQuery. Inside you will find the report in it’s digital format as a PDF to download and review offline.

Liran TalSnyk

Sequelize ORM found vulnerable to SQL injection

SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up.

As a testament for Sequelize’s commitment to security and protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.

Liran TalSnyk

Staying ahead of security vulnerabilities with security patches

Liran Tal:

How do you cope with the issues of libraries having security vulnerabilities but there’s no fix yet? With open source packages this might even be more apparent than ever. Maintainers are rightfully not in any contract to provide you support, yet you rely on third-party software by volunteers.

In this piece I want to show you how we’ve adopted surgical patches to help remove this burden and risk from users.


How to securely build Docker images for Node.js

Liran Tal:

Developers, often lacking insights into the intricacies of Docker, may set out to build their Node.js-based docker images by following naive tutorials which lack good security approaches in how an image is built. One of these nuances is the use of proper permissions when building Docker images.

To minimize exposure, opt-in to create a dedicated user and a dedicated group in the Docker image for the application; use the USER directive in the Dockerfile to ensure the container runs the application with the least privileged access possible.

0:00 / 0:00