Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Unchecked open source components introducing more risk to businesses

By Pete Daly January 31, 2019  | Research

At Veracode, we’ve been the first and the loudest in proclaiming that companies need to be vigilant in how they use open source components in their software. Our research shows that open source components are used with increasing regularity in the enterprise. The State of Software Security Volume 9 report, which examined 700,000 scans over 12 months, found that 87.5 percent of Java applications...

Exploiting JNDI Injections in Java

By Michael Stepankin January 3, 2019
JNDI injections in Java

Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services, such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access Protocol (LDAP), or Domain Name Service (DNS). In other words, JNDI is a...

State of Software Security Volume 9: Top 5 Takeaways for CISOs

By Suzanne Ciccone October 30, 2018
SOSS v9 key takeaways for security pros

We’ve just released the 9th volume of our State of Software Security report and, as always, it’s a treasure trove of valuable security insights. This year’s report analyzes our scans of more than 2 trillion lines of code, all performed over a 12-month period between April 1, 2017 and April 30, 2018. The data reveals a clear picture of both the security of code organizations are producing today,...

SOSS Volume 9 reveals how DevSecOps can overcome the volume and persistence of software flaws

By Jessica Lavery October 24, 2018  | Research

Fall is a favorite season for many – in New England, we have beautiful colors and a chill in the air. At Veracode, fall is our favorite season because it signifies the release of our annual State of Software Security (SOSS) report. Each year, we welcome the opportunity to share with the industry our insights into common vulnerabilities found in software and how organizations are measuring...

Can DevSecOps Boost Your Bottom Line?

By Evan Schuman June 25, 2018
How can AppSec affect your bottom line?

One of the sad truths about security is that it has typically been viewed by enterprise C-level executives as akin to an insurance policy – necessary, but would never produce profits, boost revenue, or attract new customers. But are those long-held perceptions changing? A recent CA study found that they might be. The study found that companies that prioritized security efforts in app development...

Do you trust your builds, or build what you trust?

By Ming Yi Ang March 5, 2018

We gave a talk on detecting malicious builds with Build Inspector, Do you trust your builds, or build what you trust?, at Null Singapore a week ago. In this blog post, we provide a summary of the talk which involves describing the dangers of trusting Open-Source and the steps you can take to detect these threats.

Pretext

The rapid increase of Open-Source Library Growth is seen in the past few...

Research Report: DevSecOps Provides a Competitive Edge

By John Zorabedian January 23, 2018  | Research
DevSecOps Research Report

CA Technologies has released a new report, based on research conducted by industry analyst firm Freeform Dynamics, that sheds light on some of the obstacles for organizations seeking the advantages of a development approach that prioritizes application security, without sacrificing time-to-market and innovation. The report also offers evidence that integrating security throughout the development...

Crypto Mining Web App POC

By Asankhaya Sharma December 10, 2017

A few months back in a previous post we gave a POC for malware embedded in an enterprise Spring MVC app. Then we got to thinking, what if we pwn3d a web app with malicious code and turned the result into a self-paying crypto-currency miner? You could give the owner of the site the option to either pay the ransom or just let the mining operation complete, at which point their files get decrypted,...

How Are We Securing the Booming Digital Economy? Our Latest Survey Results

By Suzanne Ciccone December 8, 2017  | Intro to AppSec
Are business leaders concerned about securing their digital initiatives?

The holiday season is upon us; are you buying all your gifts at the mall? Probably not. Many, if not most, of you are going to research, purchase and pay for all your holiday gifts online this year. Digitization is everywhere – changing every interaction and transaction. But it seems like breaches are everywhere as well – affecting all industries in all geographies. Are business leaders simply...

AppSec in Review Podcast: How Developers Respond to Security Findings

By John Zorabedian December 5, 2017  | Secure Development | Research
AppSec in Review: How Developers Respond to Security Finding

We recently published the State of Software Security Developer Guide, based on real application security testing data. Among the key takeaways, the data in the report offers strong evidence that eLearning, security training, and DevSecOps practices have a positive effect on developers' effectiveness at fixing flaws in their code. In this episode of the AppSec in Review podcast, Evan Schuman and...
