Skip to main content

Asankhaya Sharma

Dr. Asankhaya Sharma is the Director of Software Engineering at Veracode. Asankhaya is a cyber security expert and technology leader with over a decade of experience in creating security products for industry, academia and open-source community. He is passionate about building high performing teams and taking innovative products to market. He is also an Adjunct Professor at the Singapore Institute of Technology.

Posts by Asankhaya Sharma
  • Crypto Mining Web App POC
    December 10, 2017
    Crypto Mining Web App POC

    A few months back in a previous post we gave a POC for malware embedded in an enterprise Spring MVC app. Then we got to thinking, what if we pwn3d a web app with malicious code and turned the result into a self-paying crypto-currency miner? You could give the owner of the site the option to either pay the ransom or just let the mining operation complete, at which point their files get decrypted,… READ MORE

Stay up to date on Application Security

  •  Machine Learning at SourceClear

    As you may know, SourceClear has the world’s most complete, accurate, and up-to-date database of verified vulnerabilities in open-source code. But what’s more important is that more than half of the vulnerabilities in our database are not available anywhere else and have no public disclosures. How do we manage to hunt these vulnerabilities from thousands of open-source libraries? Certainly, it… READ MORE

  • Analyzing Apache Struts Vulnerabilities Using SGL

    Recently, a large data breach was disclosed by Equifax that allowed hackers to steal personal information of over 143 million Americans. The underlying issue that was responsible for the breach turned out to be an un-patched open-source Apache Struts component. In this blog post we will discuss about the security issues that have affected Apache Struts recently and the impact they have had. We… READ MORE

  • Towards a better risk score for open source security

    You already know that SourceClear provides robust vulnerability detection to protect your code and your customers. However, when you’re overseeing multiple projects, it can be a challenge to know where to prioritize your resources. Even if you have just one project, you may want to know how that project stacks up against similar projects by other developers. That’s where our new project risk… READ MORE

  • When Will WannaCry Style Ransomware Hit Enterprise Java Web Apps?

    Unless you have been living under a rock you have heard all about the WannaCry ransomware. At SourceClear, we believe this week's attacks were a preview of what could happen when (not if) ransomware moves from small-value targets (consumer desktops) to large-value targets (enterprise web applications). It's where the big money is. This blog post demonstrates the technical feasibility with a… READ MORE

  • Abusing npm libraries for data exfiltration

    Package and dependency managers like npm allow command execution as part of the build process. Command execution provides an easy and convenient mechanism for developers to script tasks during the build. For instance, npm allows developers to use pre-install and post-install hooks to execute tasks. A pre-install hook can be used to compile some dependent native library before starting the build.… READ MORE

  • Fixing Vulnerabilities with Safe Versions

    Last week Vanessa gave a presentation about the security risks associated with using open source libraries at the Null Singapore Meetup. There was a great discussion afterwards talking through different approaches people had for mitigating these risks. Unfortunately, it's a bit more complicated than just updating your project dependencies. Safe Versions When a vulnerability is disclosed,… READ MORE

  • Amazon AWS Java SDK Vulnerability Disclosure

    Last week, we disclosed a CSRF-style vulnerability in Spring Social Core to Pivotal. Today, we will talk about a denial of service vulnerability in the Amazon AWS SDK for Java. This official AWS SDK is used by Java developers to integrate with various AWS services including interaction with the Amazon APIs for storing and retrieving files from S3 buckets. The releases 1.8.0 to 1.10.34 of the AWS… READ MORE

  • Practical tips for implementing grammar-based test case generation

    In this article, we will examine some practical tips to keep in mind while implementing grammar-based test case generation. These guidelines are based on the experience of implementing Gramtest - a Java tool that allows you to generate test cases based on arbitrary user defined grammars. Let's jump right in on how we implemented Gramtest. #Implementation The key aspect of the grammar-based… READ MORE

  • How does grammar-based test case generation work?

    In a series of previous articles, we learnt about automated unit test generation using search-based and property-based methods. We also looked at Pathgrind, a tool for dynamic symbolic execution that can be used for automated fuzzing of binaries. Continuing on the same theme, in this article we will look at how grammar-based test case generation works in practice. We also present a new tool -… READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.