Writing quality code is something all of us developers strive for, but it's not an easy task. Secure coding conventions have long been an aspirational goal for many developers, who scour the web for best practices and guidelines from OWASP and other resources.
Some developers may even have tried static code analysis to find security issues, such as linters (ESLint), only to find that these tools are brittle and report many false positives.
In this session, we want to show you a new kind of static code analysis for code security that helps you while you code. It's free, and you can get started right away with an IDE extension. It's called Snyk Code.
Snyk Code provides a static application security testing (SAST) solution that scans your proprietary source code. Snyk Code addresses the most prominent issues of traditional SAST solutions by being developer-friendly, fast, and accurate. By “developer-friendly”, we mean that Snyk Code fits directly into your favorite tools and processes. Using the Snyk Code IDE extension for Visual Studio Code or the plugin for IntelliJ, WebStorm or PyCharm, you can see potential security vulnerabilities in your code as you write it.
⏱️ Timestamps ⏱️
⏩ 0:00 Live stream starting
⏩ 1:57 Intro
⏩ 2:54 Agenda
⏩ 5:16 Introducing Lili Kastilio, Technical Services Architect at Snyk
⏩ 8:01 Introducing Lili Kastilio's background and how she got into Snyk and into the web security space
⏩ 11:18 Introducing Lili Kastilio's recent project - Snyk Fix, a feature built in collaboration with Snyk product teams that helps users fix issues from the Snyk CLI
⏩ 11:44 Introducing Lili Kastilio's prediction for 2021 - monorepos management with rushjs (https://rushjs.io)
⏩ 15:30 Topic agenda: Static Code analysis for JavaScript developers and Lili's Twitter poll
⏩ 18:16 What is SAST? What is Code Security?
⏩ 20:32 Live coding a login handler route on the snyk goof application
⏩ 29:00 Live hacking - revealing the NoSQL injection in our code
⏩ 36:20 Live hacking - exploiting the NoSQL injection in our code
⏩ 41:46 Finding the security vulnerabilities with Snyk CLI scan of Snyk Code and Snyk Open Source
⏩ 44:48 Showing how to use Snyk Code IDE extension to scan and find security vulnerabilities in our code
⏩ 49:51 Showing how to ignore Snyk Code IDE extension findings if they are false positives, like hardcoded secrets in a test file
⏩ 59:24 Continuous Integration usage of static code analysis (Snyk CLI to run snyk code test)
⏩ 55:14 Outro and conclusions
Resources:
1. Snyk Code https://snyk.io/product/snyk-code/
2. Snyk Code is now available for free
https://snyk.io/blog/snyk-code-now-av...
3. Why developer-first SAST tools are the future of code security https://snyk.io/blog/sast-tools/
4. Snyk uncovers supply chain security vulnerabilities in Visual Studio Code extensions
https://snyk.io/blog/vulnerable-visua...
5. Deep dive into Visual Studio Code extension security vulnerabilities https://snyk.io/blog/visual-studio-co...
6. Securing your modern software supply chain https://snyk.io/blog/software-supply-...
7. Rush: a scalable monorepo manager for the web https://rushjs.io
8. Snyk Advisor https://snyk.io/advisor
9. Snyk Goof application: https://github.com/snyk/goof
10. Snyk Fix: https://github.com/snyk/snyk/pull/1707
11. Roma movie suggestion by Lili: https://www.imdb.com/title/tt6155172/
12. Princess Mononoke movie suggestion by Lili: https://www.imdb.com/title/tt0119698/
13. More Ghibli movie suggestion by Lili: https://www.imdb.com/search/title/?co...