The core Snyk product: a vulnerability copilot
Snyk helps developers find vulnerabilities in their code, fix them, and keep track of how things are trending long term. You can think of it as a little code assistant that tells you when code you’ve written isn’t secure and might lead to getting hacked.
You can use Snyk through an unusual number of different acronyms – via CLI, API, UI, CI, and IDE. Let’s look at the IDE experience. A developer writes code in an IDE like Visual Studio Code, and installs Snyk as an extension – it’s the little doberman icon on the left. Once you run an analysis on a particular project, it shows you all the vulnerabilities, how bad they are, and where they’re at.
For each vulnerability, you get a view of what’s wrong with it, and most importantly, suggestions for fixing it. Snyk pulls these suggestions from other projects (open source ones) that have fixed this same vulnerability. As of recently, you can even have Snyk auto-fix things using AI (oooh, aaah).
What is a vulnerability, exactly?
The word “vulnerability” feels like one of those software engineering terms that I heard 100 times before actually understanding what it meant. I knew it had something to do with security, and I knew it was bad. But what is a vulnerability, exactly?
A vulnerability, in the context of software, simply means that something isn’t fully protected from hackers. It’s a glitch, error, weakness, whatever you want to call it that means that an app or a system could get hacked. In the same sense that a city is vulnerable to attack without walls (or in the case of Minas Tirith, even if it does have walls), software is vulnerable to hackers without the proper protections in place. But who are these hackers, and what are they trying to do?
A hacker can be anyone trying to fuck with you and your app, but they’re most likely some sort of criminal trying to:
- Steal data from you to sell, use as a ransom, or release for political reasons
- Take down your app so people can’t use it
- Steal your money by diverting payments or copying bank account info
- …and other things of this nature
Back to vulnerabilities. There are a bunch of different ways in which hackers actually get into your systems and steal or mess with your application, too many to count and well beyond the scope of this post. To understand Snyk, we want to focus on code vulnerabilities – actual code that’s written in a way such that hackers can exploit it. Let’s run through a few examples.
1) A hacker finds a way to run code on your server
Your application is deployed on a server (or many servers) somewhere. Your server only runs the code that you want it to, the code that you wrote. But if a hacker was able to run their own code on that server, they could get access to things they shouldn’t have access to. If your code isn’t written securely, there are ways for hackers to do just this: SQL injection, cross-site scripting, and eval injection are a few examples.
For the curious mind…imagine that you have a form on your site that, when the user submits it, issues a SQL query to the database. And imagine that said query requires a username and password inside the query itself. If a hacker can inject their own code into that query, they can change it to something that doesn’t require a password at all, and then have free rein on your database.
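As an added illustration (not from the original post or from Snyk), here is that login form in Python with sqlite3: the query that splices the form fields straight into the SQL text next to the parameterized query a scanner like Snyk would want instead. The table, the single user row, and the crafted username are all constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database with one user. A real app stores a
    # password hash, not the password; kept plain only to keep this short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The form fields become part of the SQL text, so whatever the user
    # types is parsed as query structure rather than as data.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the query
    # text, so a quote or comment marker in the input cannot change the query.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    # Constructed input: closes the username string and comments out the
    # rest of the WHERE clause, i.e. the password check disappears.
    no_password_username = "alice' --"
    return {
        "vulnerable_good_creds": vulnerable_login(conn, "alice", "correct horse"),
        "vulnerable_no_password": vulnerable_login(conn, no_password_username, ""),
        "hardened_good_creds": hardened_login(conn, "alice", "correct horse"),
        "hardened_no_password": hardened_login(conn, no_password_username, ""),
    }
```

The vulnerable version accepts the crafted username with an empty password; the parameterized one rejects it, which is the class of finding a code scanner flags on string-built queries.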
2) A hacker steals your credentials
You’ve probably heard of hackers stealing usernames and passwords before, and the same thing can happen to developers. If any credentials to APIs, servers, or any type of developer accounts are accidentally hard-coded into the application, hackers can find those and use them.
3) A hacker sees data they shouldn’t
Many pages in your application are private – e.g. only you should be able to see your own settings page in Gmail. But if you don’t write your code well, hackers may be able to see user data by messing with the URL, sending fake requests to your server, and other things of that nature.
There are countless more to cover, but these are the main ones you need to know. And so with all of this information, and the seemingly endless ways that hackers can take advantage of weaknesses in your code, Snyk is here to save the day.