Appsec Knowledge Base

SHELLSHOCK

The danger of Shellshock to application security.

Shellshock is an application-layer vulnerability in Bash, a widely used UNIX/Linux shell. Shellshock has a severity score of 10 – the highest level – on the NVD Common Vulnerability Scoring System (CVSS) because of how easy it is to exploit and how severely it can damage an organization. Attackers use Shellshock to expose sensitive files, access databases and install malware that can turn a system into a component of a DDoS botnet. The applications most exposed to a Shellshock attack are public-facing web applications, especially legacy applications that rely on Bash.

While Shellshock is fairly easy to remediate in an individual program, most enterprises have thousands of public-facing web applications, including many legacy applications they may not even be aware of. Using traditional testing tools on thousands of applications at once can be highly expensive and time-consuming, but Veracode provides a solution that can help.

Testing for Shellshock with Veracode.

Veracode is a leading provider of automated software testing tools that help protect the software the world depends on.

Veracode’s comprehensive suite of SaaS-based application security solutions includes software development tools for testing applications from inception through production, including unit testing tools, static analysis tools, black-box testing techniques, software composition analysis and more. By employing Veracode’s DevOps tools throughout the SDLC, development teams can find and fix vulnerabilities in software at the point when it is easiest and most cost-efficient to do so.

How Veracode helps to protect against Shellshock.

Veracode Web Application Scanning (WAS) provides a highly effective solution for combating Shellshock. Built on a massively parallel, auto-scaling cloud infrastructure, WAS performs scans on thousands of websites and applications in parallel to identify flaws and provide guidance for remediation.

To find Shellshock vulnerabilities, WAS discovers all the public-facing web applications of an organization, even those that IT has lost track of and applications outside the normal corporate IP range. These may include sites acquired through M&A or temporary sites hosted with cloud service providers. Once these applications and websites have been inventoried, Veracode WAS automatically crawls all pages on a site and probes the surface of web applications to find flaws like the Shellshock vulnerability. This approach to vulnerability scanning is far more thorough than traditional methods, which only inject signatures into a few well-known directories.

Learn more about Shellshock and Veracode solutions for PCI security.
