TryHackMe | Snyk Open Source | Write-Up

The Snyk Open Source room hosted by TryHackMe walks through securing open-source dependencies with Snyk – a junior application security engineer’s journey. More details can be found here:

For readability, I do not include the room’s informational texts for each task.


Let’s start by meeting Jessica!

Answer: none

Meet Jessica

Ready? Let’s get going!

Answer: none

Understanding Open Source Security Risks

Which JSON-formatted manifest file serves as the central hub for Node.js projects, listing metadata, scripts, and dependency declarations?

Answer: package.json

How many dependencies do we have for this new feature?

Answer: 5

Which term describes indirect package dependencies formed through shared prerequisites, possibly concealing vulnerabilities and demanding cautious assessment?

Answer: transitive dependencies
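The two questions above (the manifest and the transitive dependencies hiding behind it) are the whole point of scanning a Node.js project rather than just reading its package.json. The example below is added to this write-up and is not code from the room or from Snyk: it walks a small, constructed lockfile-style graph (the names, versions and edges are made up; the object shape is a simplification, not the real package-lock.json format) to separate the handful of direct dependencies from everything they pull in, and to answer the remediation question of which direct dependency owns a given transitive one.

```javascript
// Added example for this write-up (not code from the room or from Snyk):
// walk a lockfile-style dependency graph to separate direct from transitive
// dependencies and show which direct dependency pulls a given package in.
// The package names, versions and graph below are constructed for illustration.

const LOCK = {
  "web-app":         { version: "1.0.0", requires: ["express-ish", "logger-ish"] },
  "express-ish":     { version: "4.0.0", requires: ["body-parser-ish", "qs-ish"] },
  "logger-ish":      { version: "2.1.0", requires: ["qs-ish"] },
  "body-parser-ish": { version: "1.2.0", requires: ["qs-ish"] },
  "qs-ish":          { version: "6.0.0", requires: ["side-lib"] },
  "side-lib":        { version: "0.3.0", requires: [] },
};

// Breadth-first walk from the root. Anything listed by the root itself is
// direct; anything else we reach is transitive. `seen` guards against cycles.
function classifyDependencies(lock, root) {
  const direct = new Set(lock[root].requires);
  const transitive = new Set();
  const seen = new Set([root]);
  const queue = [...lock[root].requires];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    if (!direct.has(name)) transitive.add(name);
    const entry = lock[name];
    if (!entry) throw new Error(`lockfile has no entry for ${name}`);
    queue.push(...entry.requires);
  }
  return { direct: [...direct].sort(), transitive: [...transitive].sort() };
}

// Depth-first search for every path from root to target. A package that
// several direct dependencies share (qs-ish here) shows up on several paths,
// which is exactly the "shared prerequisite" case the question describes.
function pathsTo(lock, root, target) {
  const paths = [];
  const walk = (name, path) => {
    if (name === target) {
      paths.push([...path, name]);
      return;
    }
    if (path.includes(name)) return; // cycle guard
    for (const dep of lock[name].requires) walk(dep, [...path, name]);
  };
  walk(root, []);
  return paths;
}

// The remediation question: which of OUR direct dependencies must be bumped
// (or replaced) before a fixed version of `target` can reach the tree?
function directDependenciesPullingIn(lock, root, target) {
  const owners = new Set(pathsTo(lock, root, target).map((p) => p[1]));
  return [...owners].sort();
}

const summary = classifyDependencies(LOCK, "web-app");
console.log(`direct (${summary.direct.length}):`, summary.direct);
console.log(`transitive (${summary.transitive.length}):`, summary.transitive);
for (const p of pathsTo(LOCK, "web-app", "qs-ish")) console.log(p.join(" -> "));
console.log("fix via:", directDependenciesPullingIn(LOCK, "web-app", "qs-ish"));
```

Two direct dependencies here bring in three transitive ones, and the shared package `qs-ish` is reachable by three separate paths. If that package were the vulnerable one, patching it means getting both `express-ish` and `logger-ish` onto versions that require a fixed `qs-ish`; upgrading just one of them leaves the other path open, which is why a scanner's dependency paths matter more than the flat count of direct dependencies.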

Getting Started with Snyk Open Source

What single authentication mechanism allows users to transition smoothly amongst various linked platforms and services?

Answer: Single Sign-On

Diving Deeper Into Vulnerabilities

What is the version of the vulnerable lodash package?

Answer: 2.4.2

Which vulnerability allows an attacker to modify an Object?

Answer: prototype pollution
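Prototype pollution is easiest to understand by watching it happen. The snippet below is an added example for this write-up; it is not lodash's code and does not reproduce the exact lodash issue the room points at. It shows a naive recursive merge of the kind many utility libraries have shipped, fed attacker-controlled JSON (constructed here) whose `__proto__` key makes the merge write into `Object.prototype`, so an unrelated object created afterwards suddenly reports `isAdmin === true`. The hardened version beside it refuses the keys that reach the prototype chain and only recurses into properties the target actually owns.

```javascript
// Added example for this write-up (not lodash's code and not the exact bug
// the room points at): a naive recursive merge that can be made to write into
// Object.prototype, beside a hardened version that refuses the dangerous keys.

// Vulnerable: walks every key of `source`, including "__proto__", and recurses
// into target["__proto__"], which for a plain object is Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, and only recurse into
// a nested object that `target` actually owns, never one it merely inherits.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges attacker-controlled JSON (constructed here) into a config object and
// reports whether an unrelated object created afterwards inherited the
// injected property. Cleans Object.prototype up so later code is unaffected.
function demonstrate(mergeFn) {
  const attackerPayload = JSON.parse('{"__proto__": {"isAdmin": true}}');
  const config = { theme: "dark" };
  mergeFn(config, attackerPayload);
  const unrelated = {};
  const result = {
    polluted: unrelated.isAdmin === true,
    configOwnKeys: Object.keys(config),
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log("unsafeMerge:", demonstrate(unsafeMerge));
console.log("safeMerge:  ", demonstrate(safeMerge));
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property, so `Object.keys` returns it and the merge happily recurses into it; `constructor` is blocked as well because `constructor.prototype` reaches the same place. In practice you also want the other layers the room's remediation task talks about: upgrade the library to a version that ships this kind of check, store untrusted key/value data in `Object.create(null)` or a `Map`, and validate request bodies against a schema before they ever reach a merge.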

Remediating Vulnerabilities

What does CVSS stand for?

Answer: Common Vulnerability Scoring System

Should the development team bulk fix all the vulnerabilities found in this new feature? (y/n)

Answer: n

Automating the Process Through CI/CD Pipelines

How does CircleCI help streamline pipeline configuration and standardisation?

Answer: Orb

What file defines the GitHub Actions workflow configuration that enables automation and customised sequences for building, testing, and deploying?

Answer: YAML

Implementing Continuous Monitoring

Which collaborative DevOps practice combines real-time communication channels, automation, and operational agility?

Answer: ChatOps

Establishing Best Practices

Well done Jessica, she did it!

Answer: none

That concludes this room. I haven’t used Snyk before, and even if I never will professionally, I think it is still very useful to know what it can do!