Recently, a large data breach was disclosed by Equifax that allowed hackers to steal personal information of over 143 million Americans. The underlying issue that was responsible for the breach turned out to be an un-patched open-source Apache Struts component. In this blog post we will discuss about the security issues that have affected Apache Struts recently and the impact they have had. We... READ MORE›

In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at https://github.com/apache/struts. At the time of analysis the code was last updated on Sept 6th at 11:28 am in this commit, updating the pom.xml file to upgrade the Log4J library. We... READ MORE›

For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability database in the form of textual descriptions. If accepted (after some basic validation) the report is re... READ MORE›

Why re-invent the wheel? This famous saying is what I think of when thinking about third-party code. Package managers such as npm, RubyGems, and Maven make it so easy to share code that has been written between people that developers use it for tasks as small as checking if a number is positive. This is absolutely great but how many of us stop to think about what exactly is going on behind-the-... READ MORE›

This is the fourth entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. The third entry taught you how to securely configure basic encryption/decryption primitives. This... READ MORE›

One of the interesting aspects of working as a CA Veracode Application Security Consultant is seeing the wide range of code across many business sectors. On an average day, I could look at some COBOL code twice my age in the morning, and by lunch I’m exploring a large .NET MVC app, before transitioning to review a self-deploying microservices package comprised of Java, node.js, and a little PHP... READ MORE›

This is the third entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms, and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. This entry will teach you how to securely configure basic encryption/decryption primitives. This blog... READ MORE›

Skip to the tl;dr This is the second entry in a blog series on using Java cryptography securely. The first entry provided an overview and covered some architectural details, using stronger algorithms and some debugging tips . This entry covers Cryptographically Secure Pseudo-Random Number Generators. This blog series should serve as a one-stop resource for anyone who needs to implement... READ MORE›

Skip to the tl;dr Cryptography is the backbone of today's information systems. Its applications are all around us: secure email communications, storage of our login credentials, digital cash and mobile payments, to name just a few. Cryptography is one of the most complicated topics in information security, but the good news is we already have well-defined algorithms, implementations and protocols... READ MORE›