Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Answering your questions about the new State of Software Security report

TJarrett's picture
By Tim Jarrett December 7, 2015  | Research

On December 3, Veracode published a new supplemental State of Software Security Report, Focus on Application Development. As you might have guessed, the report has raised comments and questions – particularly about the security of applications written in different programming languages. There have been some great questions and clarification requests raised both on Twitter and on Slashdot;... READ MORE

Security Headers on the Top 1,000,000 Websites: November 2015 Report

IDawson's picture
By Isaac Dawson November 3, 2015  | Research

It has been over a year since the last analysis on security headers was run. The current state of security header usage will be presented along with a differential analysis of the previous run from October 2014. While no architectural changes to the scanner were made this time, this will be the last run done with this code base.  A new scanner is currently under development to gain more... READ MORE

No One Technology is a Silver Bullet

cwysopal's picture
By Chris Wysopal September 23, 2015  | Research

Can one approach to application security solve all your problems? Of course this is a silly question as anyone who is tasked with reducing the risk of their application layer knows. The only people who ask this question are vendors … who of course have a vested interest in drumming up business for their offerings. This week we’re all treated to watch this spectacle play out in the... READ MORE

AngularJS Expression Security Internals

IDawson's picture
By Isaac Dawson June 25, 2015  | Research

Introduction: As part of my research duties I tasked myself with becoming more familiar with the newer MVC frameworks, the most interesting one was AngularJS. I wanted to share with everyone my process for analyzing the expression functionality built in to AngularJS as I feel it's a pretty interesting and unique code base. AngularJS exposes an expression language that exposes a limited set of... READ MORE

GHOST Highlights How Vulnerable Components Can Haunt an Enterprise

cwysopal's picture
By Chris Wysopal February 2, 2015  | Research

Last week, a security alert was issued disclosing a critical buffer overflow vulnerability on Linux systems. The vulnerability known as GHOST (CVE-2015-0235) impacts applications running on Linux systems using glibc version 2. This is a serious vulnerability because it has a high impact when exploited, and the vulnerability is very widespread, due to the sheer number of public-facing Linux... READ MORE

The Fog of War: How Prevalent Is SQL Injection?

TJarrett's picture
By Tim Jarrett January 23, 2015  | Research

Security statistics are complicated, and there’s a lot of fog of war around some fundamental questions like: how common are SQL Injection flaws? A pair of interesting articles over the last day have illustrated some of the challenges with answering that question. A company called DB Networks announced that it had found an uptick in SQL Injection prevalence in 2014, which had appeared to be... READ MORE

Shellshock – what you need to know

cwysopal's picture
By Chris Wysopal September 25, 2014  | Research

News of the Bash Bug/Shellshock vulnerability is being widely covered since the Ars Technica article published yesterday afternoon.  There is speculation that this bug is going to be more catastrophic than Heartbleed, and like the much publicized OpenSSL vulnerability, we won’t know the full extent of its impact for some time. There are still some major questions to be answered, but... READ MORE

Misfeatures Strike Again

MElliott's picture
By Melissa Elliott September 25, 2014  | Research

Bash – the Unix shell – came out when I was fourteen months old. It was a replacement for a similar program that came out eleven years before I was born. By the time I was learning to read, it’d already had years to mature and stabilize. The very first time I ever sat down at a Linux prompt, bash was fifteen years old. It’s now twenty-five. From my perspective, bash has... READ MORE

Abstinence Not Required: Protecting Yourself Until the Privacy Utopia Arrives

CEng's picture
By Chris Eng September 3, 2014  | Research

Nude photos of various celebrities were leaked to all corners of the Internet a few short days ago. You already know that by now. Thank you iCloud???? — Kirsten Dunst (@kirstendunst) September 1, 2014 As we wait impatiently for the rest of the gory technical details surrounding the compromise(s), many in the security echo chamber have been debating how we ended up here and whether the... READ MORE

Stop Freaking Out About Facebook Messenger

CEng's picture
By Chris Eng August 12, 2014  | Research

Facebook recently announced that mobile chat functionality would soon require users to install Facebook Messenger. Fueled by the media, many people have been overreacting about the permissions that Messenger requests before taking time to understand what the true privacy implications were. In a nutshell, Messenger is hardly an outlier relative to the other social media apps on your phone. Why the... READ MORE


Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.