Mark Curphey

Mark Curphey, Vice President, Strategy

Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks. Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program…

Posts by Mark Curphey
  • Developer Tooling: A New Hope
    | By Mark Curphey

    With all the doom and gloom surrounding the endless stream of data breaches, it’s sometimes easy to feel pessimistic about the future state of the AppSec industry. I should know: being British, my default psyche is that the glass is always half empty, not half full. But for me, AppSec is different…

  • Three Easy Steps to DevSecOps
    | By Mark Curphey

    There's a lot being discussed these days about secure DevOps. What does it mean to do continuous integration and deployment in a secure way? Is it about securing the pipeline itself? Or, is there more to it than that? We have your back. There are just three basic steps to DevSecOps. 1) Build…

  • Are We Eating From the Dirty Fork?
    | By Mark Curphey

    Earlier this week, SourceClear researchers wrote a technical analysis showing how they used our Security Graph Language (SGL) to uncover 23 vulnerabilities in GlassFish Open Source Edition. And while I’m certainly proud of our ability to find vulnerabilities that no one else sees, there is a much…

  • After The Equifax Hack We Examined the…
    | By Mark Curphey

    In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at https://github.com/apache/struts. At the time of analysis the code was last…

  • SGL: Mapping the open-source genome for…
    | By Mark Curphey

    For a long time we have known that the current state of the art of vulnerability research in open-source code does not scale. That current state of the art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability…

  • The Six Types of Open-Source Library…
    | By Mark Curphey

    There are at least six types of open-source library vulnerabilities that we should all be concerned about. Before describing them it is worth reiterating that simply linking to a vulnerable library in your project doesn’t mean your application will have a vulnerability. You will only have a…
