The Snyk Open Source room on TryHackMe walks through securing open-source dependencies with Snyk, following a junior application security engineer's journey. More details can be found here: https://tryhackme.com/r/room/snykopensource
For readability, I do not include the room's informational text for each task; only the questions and their answers are listed below.
Introduction
Let’s start by meeting Jessica!
Answer: none
Meet Jessica
Ready? Let’s get going!
Answer: none
Understanding Open Source Security Risks
Which JSON-formatted manifest file serves as the central hub for Node.js projects, listing metadata, scripts, and dependency declarations?
Answer: package.json
How many dependencies do we have for this new feature?
Answer: 5
Which term describes indirect package dependencies formed through shared prerequisites, possibly concealing vulnerabilities and demanding cautious assessment?
Answer: transitive dependencies
Getting Started with Snyk Open Source
What single authentication mechanism allows users to transition smoothly amongst various linked platforms and services?
Answer: Single Sign-On
Diving Deeper Into Vulnerabilities
What is the version of the vulnerable lodash package?
Answer: 2.4.2
Which vulnerability allows an attacker to modify an Object?
Answer: prototype pollution
Remediating Vulnerabilities
What does CVSS stand for?
Answer: Common Vulnerability Scoring System
Should the development team bulk fix all the vulnerabilities found in this new feature? (y/n)
Answer: n
Automating the Process Through CI/CD Pipelines
How does CircleCI help streamline pipeline configuration and standardisation?
Answer: Orb
What file defines the GitHub Actions workflow configuration that enables automation and customised sequences for building, testing, and deploying?
Answer: YAML
Implementing Continuous Monitoring
Which collaborative DevOps practice combines real-time communication channels, automation, and operational agility?
Answer: ChatOps
Establishing Best Practices
Well done Jessica, she did it!
Answer: none
That concludes this room. I haven’t used Snyk before, and even if I never will professionally, I think it is still very useful to know what it can do!