Posts from the Veracode security research team that zero in on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically inclined reader.

State of Software Security v10: 5 Key Takeaways for Developers

By Meaghan McBee January 13, 2020  | Research

In case you missed it, this year we launched our 10th annual State of Software Security (SOSS X) report! Armed with a decade of data, the Veracode team analyzed 85,000 applications to study trends in fix rates, mounting security debt, shifts in vulnerability by language, and more. What did we uncover? At the core of our research, we found there’s still a need for better remediation processes and... READ MORE

Announcing the 10th Volume of our State of Software Security Report

By Suzanne Ciccone October 22, 2019  | Managing AppSec

Today marks a big milestone for Veracode, and for the application security industry – we’re releasing the 10th volume of our State of Software Security (SOSS) report. 10 SOSS reports and 80,000+ apps later, we’ve accumulated a lot of data, and a lot of insights, about application security trends and best practices. This year, we took a look back at the AppSec picture over the past 10 years, and... READ MORE

Security and Development Agree, Coordinated Disclosures Are a Public Service

By Laura Paine September 18, 2019

Shifting security left so that security testing becomes an integrated part of the development process helps companies improve software security. With software running our world, it is important to empower developers with the tools and processes they need to make security a part of their overall development process. Yet, even with a robust AppSec program that makes security a part of the... READ MORE

Discovering Malicious Packages Published on npm

By Ming Yi Ang September 4, 2019
Veracode discovers 17 malicious packages on npm

Sightings of malicious packages on popular open source repositories (such as npm and RubyGems) have become increasingly common: just this year, there have been several reported incidents. This method of attack is frighteningly effective given the widespread reach of popular packages, so we've started looking into ways to discover malicious packages to hopefully preempt such threats. The problem... READ MORE

Veracode Is Named a Leader for Sixth Time in Gartner Magic Quadrant for Application Security Testing

By Pete Daly April 23, 2019  | Managing AppSec

Veracode has been named a Leader in the Gartner Inc. 2019 Magic Quadrant for Application Security Testing, marking our sixth year as a Leader. We’re excited to again be recognized as a Leader in the industry. We believe Gartner continues to place Veracode in this position because of our vision in application security testing and our ability to cover the entire software development lifecycle (SDLC... READ MORE

Exploiting Spring Boot Actuators

By Michael Stepankin February 25, 2019

This post was updated May 1, 2019. The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health checks, and metrics gathering, they can also open a hidden door to your server when misconfigured. When a Spring Boot application is running, it automatically registers... READ MORE
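The misconfiguration the post summary refers to is, in Spring Boot 2.x, an exposure setting that publishes every actuator endpoint over HTTP. The fragment below is an added example, not configuration from the original post or from the Spring Boot project; the port number is an assumption. Actuator itself performs no authentication, so whatever is exposed is reachable by anyone who can reach the application unless Spring Security is configured in front of it.

```properties
# --- Weak (Spring Boot 2.x): publishes every endpoint under /actuator, including
# /actuator/env and /actuator/heapdump, and any /actuator/refresh or /actuator/restart
# that spring-cloud adds. Shown commented out; remove the '#' to reproduce the weak state.
# management.endpoints.web.exposure.include=*

# --- Corrected: expose only what monitoring needs, serve it on a management port
# (8081 is an assumed value) that is not the public one, and do not leak component
# details through /actuator/health.
management.endpoints.web.exposure.include=health,info
management.server.port=8081
management.endpoint.health.show-details=never
```

In Spring Boot 1.x the equivalent weak setting is `management.security.enabled=false`, which removes the authentication requirement from endpoints that are all enabled by default. In either version, a quick check from outside is an unauthenticated request to `/actuator/env` (2.x) or `/env` (1.x): a 200 with property sources in the body is the hidden door.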

Veracode included in new Forrester Now Tech: Software Composition Analysis, Q1 2019

By Pete Daly February 19, 2019  | Research

Vulnerable components in software lurk everywhere. At the same time, business competitiveness hinges on the speed and quality of software delivery. So, how does an enterprise not only keep up with application security, but also thrive despite the threats posed by risks in their software? A software composition analysis (SCA) solution can help organizations identify known vulnerabilities from open... READ MORE

Unchecked open source components introducing more risk to businesses

By Pete Daly January 31, 2019  | Research

At Veracode, we’ve been the first and the loudest in proclaiming that companies need to be vigilant in how they use open source components in their software. Our research shows that open source components are used with increasing regularity in the enterprise. The State of Software Security Volume 9 report, which examined 700,000 scans over 12 months, found that 87.5 percent of Java applications... READ MORE

Exploiting JNDI Injections in Java

By Michael Stepankin January 3, 2019

Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services, such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access Protocol (LDAP), or Domain Name Service (DNS). In other words, JNDI is a... READ MORE
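A JNDI injection is exactly the lookup the summary describes with the name supplied by an attacker: because `InitialContext.lookup()` accepts URL-style names, a name such as `rmi://attacker.example:1099/obj` or `ldap://attacker.example/x` makes the JVM contact a server the attacker controls. The Java class below is an added example, not code from the original post; it shows the vulnerable pattern next to a hardened version. The allow-listed resource names, the host names, and the list of remote schemes are assumptions for the example (the scheme list covers the URL context factories shipped with the JDK, but an application should derive its own from what it actually uses). It needs Java 9 or later for `Set.of`.

```java
import java.util.Locale;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JndiLookupGuard {

    // Vulnerable pattern: the lookup name comes straight from an untrusted source
    // (request parameter, client-supplied configuration, a logged string). A URL-style
    // name sends the lookup to a remote RMI/LDAP/... server chosen by the attacker, and
    // whatever that server returns is deserialized or resolved inside this JVM.
    public static Object lookupUnsafe(String untrustedName) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(untrustedName);
    }

    // URL schemes for which the JDK ships a URL context factory, i.e. names that make
    // InitialContext open a network connection. Assumed list for this example.
    private static final Set<String> REMOTE_SCHEMES =
            Set.of("rmi", "ldap", "ldaps", "dns", "iiop", "iiopname", "corbaname");

    // Names this application is allowed to resolve. Hypothetical values; a real
    // application lists the handful of java:comp/env/... resources its container binds.
    private static final Set<String> ALLOWED_NAMES = Set.of(
            "java:comp/env/jdbc/appDb",
            "java:comp/env/mail/appMail");

    // True when the name starts with a scheme that would route the lookup to another host.
    // Compared case-insensitively so "LDAP://..." is treated like "ldap://...".
    public static boolean hasRemoteScheme(String name) {
        int colon = name.indexOf(':');
        if (colon <= 0) {
            return false;
        }
        String scheme = name.substring(0, colon).toLowerCase(Locale.ROOT);
        return REMOTE_SCHEMES.contains(scheme);
    }

    // Hardened check: reject remote schemes outright, then require an exact allow-list hit.
    // The allow-list alone is sufficient; the scheme check makes the intent explicit and
    // still fails closed if someone later adds an over-broad entry to the list.
    public static boolean isAllowedName(String name) {
        return name != null && !hasRemoteScheme(name) && ALLOWED_NAMES.contains(name);
    }

    // Same lookup as lookupUnsafe, but only for names that pass the check above.
    public static Object lookupSafe(String untrustedName) throws NamingException {
        if (!isAllowedName(untrustedName)) {
            throw new IllegalArgumentException("refusing JNDI lookup of: " + untrustedName);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(untrustedName);
    }

    public static void main(String[] args) {
        // Constructed inputs; only the name check runs here, no lookup is performed.
        System.out.println(isAllowedName("java:comp/env/jdbc/appDb"));
        System.out.println(isAllowedName("rmi://attacker.example:1099/obj"));
        System.out.println(isAllowedName("LDAP://attacker.example/x"));
        System.out.println(isAllowedName("java:comp/env/jdbc/otherDb"));
    }
}
```

Two caveats a practitioner should keep in mind. First, the JDK's default of `com.sun.jndi.rmi.object.trustURLCodebase=false` (8u121) and `com.sun.jndi.ldap.object.trustURLCodebase=false` (8u191) only stops the JVM from fetching classes from a remote codebase; a lookup against an attacker's server can still return a serialized object or a reference that is resolved with classes already on the classpath, so the defaults are not a substitute for never passing untrusted input to `lookup()`. Second, the check must be applied at the point where the name is built, not only at the public entry point: a name that ends up in a logger, a template, or a configuration value that some other component later hands to JNDI is still injectable.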

State of Software Security Volume 9: Top 5 Takeaways for CISOs

By Suzanne Ciccone October 30, 2018

We’ve just released the 9th volume of our State of Software Security report and, as always, it’s a treasure trove of valuable security insights. This year’s report analyzes our scans of more than 2 trillion lines of code, all performed over a 12-month period between April 1, 2017 and April 30, 2018. The data reveals a clear picture of both the security of code organizations are producing today,... READ MORE
