Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Message Digests, aka Hashing Functions

msheth's picture
By Mansi Sheth June 13, 2017  | Research

This is the fourth entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. The third entry taught you how to securely configure basic encryption/decryption primitives. This... READ MORE

Anatomy of a Cross-Site Scripting Flaw in the Telerik Reporting Module

Telerik Reporting Cross-Site Scripting Vulnerability

One of the interesting aspects of working as a Veracode Application Security Consultant is seeing the wide range of code across many business sectors. On an average day, I could look at some COBOL code twice my age in the morning, and by lunch I’m exploring a large .NET MVC app, before transitioning to review a self-deploying microservices package comprised of Java, node.js, and a little PHP for... READ MORE

Encryption and Decryption in Java Cryptography

msheth's picture
By Mansi Sheth April 18, 2017  | Research
Encryption and decryption in Java Cyrptography

This is the third entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms, and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. This entry will teach you how to securely configure basic encryption/decryption primitives. This blog... READ MORE

Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

msheth's picture
By Mansi Sheth March 29, 2017  | Research
Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

Skip to the tl;dr This is the second entry in a blog series on using Java cryptography securely. The first entry provided an overview and covered some architectural details, using stronger algorithms and some debugging tips . This entry covers Cryptographically Secure Pseudo-Random Number Generators. This blog series should serve as a one-stop resource for anyone who needs to implement... READ MORE

How to Get Started Using Java Cryptography Securely

msheth's picture
By Mansi Sheth March 17, 2017  | Research

Skip to the tl;dr Cryptography is the backbone of today's information systems. Its applications are all around us: secure email communications, storage of our login credentials, digital cash and mobile payments, to name just a few. Cryptography is one of the most complicated topics in information security, but the good news is we already have well-defined algorithms, implementations and... READ MORE

Vegas Cons 2016 Wrap Up

tpalarz's picture
By Tom Palarz August 18, 2016  | Research
Defcon 2016 Wrap Up

In my earlier post, I gave my thoughts on what the trends were so far part way through the set of conferences last week (BSidesLV, Blackhat, and DefCon24). In this post, I wrap up my thoughts for the week’s conferences. There were several great talks I missed at BSides this year. Two in particular were ones I’m bummed I missed: one on FOIA requests [http://sched.co/7a8k] (given... READ MORE

Crypto Fun at Black Hat 2016

tpalarz's picture
By Tom Palarz August 9, 2016  | Research

This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on the Galois/Counter Mode (GCM) mode of operation: Nonce Disrespect (slides [pdf], paper [pdf], example code) GCM is an authenticated encryption mode where authentication and ciphering are done in one pass across a... READ MORE

DEF CON 24: Day One

tpalarz's picture
By Tom Palarz August 8, 2016  | Research

DEF CON is at a new venue since my last visit (two years ago), and I have to give props to the conference staff for all the hard work they’ve put in. Lines to get to talks and villages are still incredibly long as ever, and make it hard to justify the time to wait and missing out on something else. Some trends I’m noticing so far: The car hacking industry is maturing a bit with... READ MORE

Answering your questions about the new State of Software Security report

TJarrett's picture
By Tim Jarrett December 7, 2015  | Research

state-of-software-security-focus-on-application-development-1.jpg On December 3, Veracode published a new supplemental State of Software Security Report, Focus on Application Development. As you might have guessed, the report has raised comments and questions – particularly about the security of applications written in different programming languages. There have been some... READ MORE

Security Headers on the Top 1,000,000 Websites: November 2015 Report

IDawson's picture
By Isaac Dawson November 3, 2015  | Research

It has been over a year since the last analysis on security headers was run. The current state of security header usage will be presented along with a differential analysis of the previous run from October 2014. While no architectural changes to the scanner were made this time, this will be the last run done with this code base.  A new scanner is currently under development to gain more... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu