Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Security and Development Agree, Coordinated Disclosures Are a Public Service

By Laura Paine September 18, 2019
Coordinating vulnerability disclosure

Shifting security left so that security testing becomes an integrated part of the development process helps companies improve software security. With software running our world, it is important to empower developers with the tools and processes they need to make security a part of their overall development process. Yet, even with a robust AppSec program that makes security a part of the...

Discovering Malicious Packages Published on npm

By Ming Yi Ang September 4, 2019
Veracode discovers 17 malicious packages on npm

Sightings of malicious packages on popular open source repositories (such as npm and RubyGems) have become increasingly common: just this year, there have been several reported incidents. This method of attack is frighteningly effective given the widespread reach of popular packages, so we've started looking into ways to discover malicious packages to hopefully preempt such threats. The problem...

Veracode Is Named a Leader for Sixth Time in Gartner Magic Quadrant for Application Security Testing

By Pete Daly April 23, 2019 | Managing AppSec

Veracode has been named a Leader in the Gartner Inc. 2019 Magic Quadrant for Application Security Testing, marking our sixth year as a Leader. We’re excited to again be recognized as a Leader in the industry. We believe Gartner continues to place Veracode in this position because of our vision in application security testing and our ability to cover the entire software development lifecycle (SDLC...

Exploiting Spring Boot Actuators

By Michael Stepankin February 25, 2019
exploiting spring boot actuators

This post was updated May 1, 2019. The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health, and metrics gathering, they can also open a hidden door to your server when misconfigured. When a Spring Boot application is running, it automatically registers...

Veracode included in new Forrester Now Tech: Software Composition Analysis, Q1 2019

By Pete Daly February 19, 2019 | Research

Vulnerable components in software lurk everywhere. At the same time, business competitiveness hinges on the speed and quality of software delivery. So, how does an enterprise not only keep up with application security, but also thrive despite the threats posed by risks in their software? A software composition analysis (SCA) solution can help organizations identify known vulnerabilities from open...

Unchecked open source components introducing more risk to businesses

By Pete Daly January 31, 2019 | Research

At Veracode, we’ve been the first and the loudest in proclaiming that companies need to be vigilant in how they use open source components in their software. Our research shows that open source components are used with increasing regularity in the enterprise. The State of Software Security Volume 9 report, which examined 700,000 scans over 12 months, found that 87.5 percent of Java applications...

Exploiting JNDI Injections in Java

By Michael Stepankin January 3, 2019
JNDI injections in Java

Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services, such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access Protocol (LDAP), or Domain Name Service (DNS). In other words, JNDI is a...

State of Software Security Volume 9: Top 5 Takeaways for CISOs

By Suzanne Ciccone October 30, 2018
SOSS v9 key takeaways for security pros

We’ve just released the 9th volume of our State of Software Security report and, as always, it’s a treasure trove of valuable security insights. This year’s report analyzes our scans of more than 2 trillion lines of code, all performed over a 12-month period between April 1, 2017 and April 30, 2018. The data reveals a clear picture of both the security of code organizations are producing today,...

SOSS Volume 9 reveals how DevSecOps can overcome the volume and persistence of software flaws

By Jessica Lavery October 24, 2018 | Research

Fall is a favorite season for many – in New England, we have beautiful colors and a chill in the air. At Veracode, fall is our favorite season because it signifies the release of our annual State of Software Security (SOSS) report. Each year, we welcome the opportunity to share with the industry our insights into common vulnerabilities found in software and how organizations are measuring...

Can DevSecOps Boost Your Bottom Line?

By Evan Schuman June 25, 2018
How can AppSec affect your bottom line?

One of the sad truths about security is that it has typically been viewed by enterprise C-level executives as akin to an insurance policy – necessary, but would never produce profits, boost revenue, or attract new customers. But are those long-held perceptions changing? A recent CA study found that they might be. The study found that companies that prioritized security efforts in app development...
