As you may know, SourceClear has the world’s most complete, accurate, and up-to-date database of verified vulnerabilities in open-source code. But what’s more important is that more than half of the vulnerabilities in our database are not available anywhere else and have no public disclosures. How do we manage to hunt these vulnerabilities from thousands of open-source libraries? Certainly, it... READ MORE›

Veracode just published its latest “State of Software Security” report, get it here. Based on Veracode Platform data, these “SoSS” reports have been offering a goldmine of intelligence about how organizations are approaching AppSec since 2011. This year’s report is no different. Evan Schuman recently sat down with Veracode’s Director of Product Management Tim Jarrett to discuss the findings... READ MORE›

In the past year, we’ve seen an unprecedented series of cyber assaults on democratic elections, ransomware attacks that spread around the world affecting hundreds of thousands of systems in more than 150 countries, and record-breaking data breaches. If we’re going to address this growing crisis effectively, we need a probing inspection of root causes, and fearless prescriptions for new ways... READ MORE›

We have long had a thesis that when free open-source software projects are forked into commercial versions, then the free open-source version no longer gets the same subsequent level of security updates as the commercial version. Phrased into a question, are the free versions of open-source core products left out in the cold? Earlier this year we were asked by a customer if we could apply our... READ MORE›

Recently, a large data breach was disclosed by Equifax that allowed hackers to steal personal information of over 143 million Americans. The underlying issue that was responsible for the breach turned out to be an un-patched open-source Apache Struts component. In this blog post we will discuss about the security issues that have affected Apache Struts recently and the impact they have had. We... READ MORE›

In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at https://github.com/apache/struts. At the time of analysis the code was last updated on Sept 6th at 11:28 am in this commit, updating the pom.xml file to upgrade the Log4J library. We... READ MORE›

For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability database in the form of textual descriptions. If accepted (after some basic validation) the report is re... READ MORE›

Why re-invent the wheel? This famous saying is what I think of when thinking about third-party code. Package managers such as npm, RubyGems, and Maven make it so easy to share code that has been written between people that developers use it for tasks as small as checking if a number is positive. This is absolutely great but how many of us stop to think about what exactly is going on behind-the-... READ MORE›

This is the fourth entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. The third entry taught you how to securely configure basic encryption/decryption primitives. This... READ MORE›