Asankhaya Sharma

Dr. Asankhaya Sharma is the Director of Software Engineering at Veracode. Asankhaya is a cyber security expert and technology leader with over a decade of experience in creating security products for industry, academia and open-source community. He is passionate about building high performing teams and taking innovative products to market. He is also an Adjunct Professor at the Singapore Institute of Technology.

Posts by Asankhaya Sharma
  • Crypto Mining Web App POC
    December 10, 2017
    A few months back in a previous post we gave a POC for malware embedded in an enterprise Spring MVC app. Then we got to thinking, what if we pwn3d a web app with malicious code and turned the result into a self-paying crypto-currency miner? You could give the owner of the site the option to either pay the ransom or just let the mining operation complete, at which point their files get decrypted,…

  • Machine Learning at SourceClear

    As you may know, SourceClear has the world’s most complete, accurate, and up-to-date database of verified vulnerabilities in open-source code. But what’s more important is that more than half of the vulnerabilities in our database are not available anywhere else and have no public disclosures. How do we manage to hunt these vulnerabilities from thousands of open-source libraries? Certainly, it…

  • Analyzing Apache Struts Vulnerabilities Using SGL

    Recently, a large data breach was disclosed by Equifax that allowed hackers to steal personal information of over 143 million Americans. The underlying issue that was responsible for the breach turned out to be an un-patched open-source Apache Struts component. In this blog post we will discuss the security issues that have affected Apache Struts recently and the impact they have had. We…

  • Towards a better risk score for open source security

    You already know that SourceClear provides robust vulnerability detection to protect your code and your customers. However, when you’re overseeing multiple projects, it can be a challenge to know where to prioritize your resources. Even if you have just one project, you may want to know how that project stacks up against similar projects by other developers. That’s where our new project risk…

  • When Will WannaCry Style Ransomware Hit Enterprise Java Web Apps?

    Unless you have been living under a rock you have heard all about the WannaCry ransomware. At SourceClear, we believe this week's attacks were a preview of what could happen when (not if) ransomware moves from small-value targets (consumer desktops) to large-value targets (enterprise web applications). It's where the big money is. This blog post demonstrates the technical feasibility with a…

  • Cutting down on false positives with vulnerable methods for Ruby

    Today we released vulnerable methods support for the Ruby language, adding to the existing support for Java and Python. Vulnerable methods analysis uses call-graph analysis to trace the actual use of the vulnerability in your projects. To understand the impact that vulnerable method support can have, we analyzed the top 1,000 starred Ruby projects on GitHub, and discovered that without vulnerable…

  • Abusing npm libraries for data exfiltration

    Package and dependency managers like npm allow command execution as part of the build process. Command execution provides an easy and convenient mechanism for developers to script tasks during the build. For instance, npm allows developers to use pre-install and post-install hooks to execute tasks. A pre-install hook can be used to compile some dependent native library before starting the build.…

  • Comparing vulnerable methods with static analysis

    In this blog post, we will talk a bit about traditional static analysis: what it is, what it's used for, and where our vulnerable methods analysis fits in amongst the other kinds of static analysis. Wikipedia tells us: "Static program analysis is the analysis of computer software that is performed without actually executing programs." Why wouldn't we want to execute a program in order to analyze…

  • Fixing Vulnerabilities with Safe Versions

    Last week Vanessa gave a presentation about the security risks associated with using open source libraries at the Null Singapore Meetup. There was a great discussion afterwards talking through different approaches people had for mitigating these risks. Unfortunately, it's a bit more complicated than just updating your project dependencies. Safe Versions: When a vulnerability is disclosed,…

  • Vulnerable Methods Under the Hood

    Yesterday, Mark Curphey introduced a new feature that we released in our product called Vulnerable Methods. We developed the vulnerable methods technology to provide more accurate and detailed information to our customers when they are using libraries and components in their code that have vulnerabilities. So far, we have seen that in the majority of cases when someone is using a vulnerable…