Caleb Fenton

Posts by Caleb Fenton

Commons Collections Deserialization Vulnerability Research Findings

December 1, 2015

A few weeks ago, I wrote about the recent Apache Commons Collections deserialization vulnerability in Let’s Calm Down About Apache Commons Collections. I said we were going to look into finding other libraries that were also vulnerable. In this post, I publish the findings and conclusions. Then I geek-out by excitedly describing plans and ideas for future research. Research Method The original...

Let’s Calm Down About Apache Commons Collections

November 17, 2015

On November 6th, 2015, a blog post was published with the title "What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability". The post describes how several popular applications are exploitable via a Java deserialization vulnerability discovered by two security researchers, Gabriel Lawrence and Chris Frohoff. The vulnerability involves combining...

HTTP Security Headers in Plain English

November 3, 2015

Understanding and configuring HTTP security settings can be confusing. There are lots of guides that serve as great technical references for all the different settings, but the purpose of this post is to explain what we have learned implementing a security policy by explaining the various security settings in a simple way. This will also be the first post discussing our Security Headers and CSP...
