TryHackMe | Snyk Code | Write-Up

The Snyk Code room hosted by TryHackMe walks through securing code with Snyk – a junior application security engineer’s journey. More details can be found here: https://tryhackme.com/r/room/snykcode

For readability, I do not include the room’s informational texts for each task.


Introduction

Let’s say hi to Jessica, who will help us!

Answer: none


Jessica is back!

Ready? Let’s get going!

Answer: none


Understanding Code Security Risks

How many dependencies do we have for this new feature?

Answer: 3


Getting Started With Snyk Code

How many vulnerabilities are flagged on the search-feature.js file?

Answer: 4

How many high-severity vulnerabilities are flagged on the search-feature.js file?

Answer: 2

What are the two medium-severity vulnerabilities flagged on the search-feature.js file? (in alphabetical order)

Answer: Cross-Site Request Forgery, Information Exposure


Diving Deeper Into Vulnerabilities

What is the CWE for Cross-site Scripting?

Answer: CWE-79

What is the CWE for SQL injection?

Answer: CWE-89

What is the unsanitised user input in the chat-controller.js file?

Answer: searchTerm


Remediating Vulnerabilities

What is the new vulnerability introduced with the XSS fix?

Answer: Allocation of resources without limits or throttling

Which Express method is used to fix the XSS vulnerability in the code snippet?

Answer: res.render

What is the updated code in the code snippet using to fix the SQL injection?

Answer: parameterised queries


CI/CD Pipelines Automation & Continuous Monitoring

Establishing sensible alert thresholds in continuous monitoring practices involves considering the severity, frequency, and rate of change of vulnerabilities. (y/n)

Answer: y


Establishing Best Practices

Which OWASP framework serves as a guide to strengthen the relationship between development teams and information security teams?

Answer: OWASP Security Champion Playbook

Well done Jessica, she did it again!

Answer: none


That concludes this room. I haven’t used Snyk before, and even if I never will professionally, I think it is still very useful to know what it can do!