Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Vegas Cons 2016 Wrap Up

By Tom Palarz August 18, 2016 | Research

In my earlier post, I gave my thoughts on what the trends were so far, part way through the set of conferences last week (BSidesLV, Blackhat, and DefCon24). In this post, I wrap up my thoughts for the week’s conferences. There were several great talks I missed at BSides this year. Two in particular were ones I’m bummed I missed: one on FOIA requests [http://sched.co/7a8k] (given...

Crypto Fun at Black Hat 2016

By Tom Palarz August 9, 2016 | Research

This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on the Galois/Counter Mode (GCM) mode of operation: Nonce Disrespect (slides [pdf], paper [pdf], example code). GCM is an authenticated encryption mode where authentication and ciphering are done in one pass across a...

DEF CON 24: Day One

By Tom Palarz August 8, 2016 | Research

DEF CON is at a new venue since my last visit (two years ago), and I have to give props to the conference staff for all the hard work they’ve put in. Lines to get into talks and villages are still as incredibly long as ever, and make it hard to justify the time spent waiting and missing out on something else. Some trends I’m noticing so far: The car hacking industry is maturing a bit with...

Answering your questions about the new State of Software Security report

By Tim Jarrett December 7, 2015 | Research

On December 3, Veracode published a new supplemental State of Software Security Report, Focus on Application Development. As you might have guessed, the report has raised comments and questions – particularly about the security of applications written in different programming languages. There have been some great questions and clarification requests raised both on Twitter and on Slashdot;...

Security Headers on the Top 1,000,000 Websites: November 2015 Report

By Isaac Dawson November 3, 2015 | Research

It has been over a year since the last analysis on security headers was run. The current state of security header usage will be presented along with a differential analysis of the previous run from October 2014. While no architectural changes to the scanner were made this time, this will be the last run done with this code base. A new scanner is currently under development to gain more...

No One Technology is a Silver Bullet

By Chris Wysopal September 23, 2015 | Research

Can one approach to application security solve all your problems? Of course this is a silly question, as anyone who is tasked with reducing the risk of their application layer knows. The only people who ask this question are vendors … who of course have a vested interest in drumming up business for their offerings. This week we’re all treated to watch this spectacle play out in the...

AngularJS Expression Security Internals

By Isaac Dawson June 25, 2015 | Research

Introduction: As part of my research duties I tasked myself with becoming more familiar with the newer MVC frameworks; the most interesting one was AngularJS. I wanted to share with everyone my process for analyzing the expression functionality built into AngularJS, as I feel it's a pretty interesting and unique code base. AngularJS exposes an expression language that exposes a limited set of...

GHOST Highlights How Vulnerable Components Can Haunt an Enterprise

By Chris Wysopal February 2, 2015 | Research

Last week, a security alert was issued disclosing a critical buffer overflow vulnerability on Linux systems. The vulnerability known as GHOST (CVE-2015-0235) impacts applications running on Linux systems using glibc version 2. This is a serious vulnerability because it has a high impact when exploited, and the vulnerability is very widespread, due to the sheer number of public-facing Linux...

The Fog of War: How Prevalent Is SQL Injection?

By Tim Jarrett January 23, 2015 | Research

Security statistics are complicated, and there’s a lot of fog of war around some fundamental questions like: how common are SQL Injection flaws? A pair of interesting articles over the last day have illustrated some of the challenges with answering that question. A company called DB Networks announced that it had found an uptick in SQL Injection prevalence in 2014, which had appeared to be...

Shellshock – what you need to know

By Chris Wysopal September 25, 2014 | Research

News of the Bash Bug/Shellshock vulnerability is being widely covered since the Ars Technica article published yesterday afternoon. There is speculation that this bug is going to be more catastrophic than Heartbleed, and like the much publicized OpenSSL vulnerability, we won’t know the full extent of its impact for some time. There are still some major questions to be answered, but...
