Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

After The Equifax Hack We Examined the Latest Apache Struts Code

mcurphey's picture
By Mark Curphey September 11, 2017

In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at https://github.com/apache/struts. At the time of analysis the code was last updated on Sept 6th at 11:28 am in this commit, updating the pom.xml file to upgrade the Log4J library. We... READ MORE

SGL: Mapping the open-source genome for fun and profit

mcurphey's picture
By Mark Curphey August 30, 2017

For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability database in the form of textual descriptions. If accepted (after some basic validation) the report is re... READ MORE

Open-source Packages with Malicious Intent

mcurphey's picture
By Mark Curphey August 3, 2017

Why re-invent the wheel? This famous saying is what I think of when thinking about third-party code. Package managers such as npm, RubyGems, and Maven make it so easy to share code that has been written between people that developers use it for tasks as small as checking if a number is positive. This is absolutely great but how many of us stop to think about what exactly is going on behind-the-... READ MORE

Message Digests, aka Hashing Functions

msheth's picture
By Mansi Sheth June 13, 2017  | Secure Development

This is the fourth entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. The third entry taught you how to securely configure basic encryption/decryption primitives. This... READ MORE

Anatomy of a Cross-Site Scripting Flaw in the Telerik Reporting Module

Telerik Reporting Cross-Site Scripting Vulnerability

One of the interesting aspects of working as a CA Veracode Application Security Consultant is seeing the wide range of code across many business sectors. On an average day, I could look at some COBOL code twice my age in the morning, and by lunch I’m exploring a large .NET MVC app, before transitioning to review a self-deploying microservices package comprised of Java, node.js, and a little PHP... READ MORE

Encryption and Decryption in Java Cryptography

msheth's picture
By Mansi Sheth April 18, 2017  | Secure Development
Encryption and decryption in Java Cyrptography

This is the third entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms, and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. This entry will teach you how to securely configure basic encryption/decryption primitives. This blog... READ MORE

Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

msheth's picture
By Mansi Sheth March 29, 2017  | Research
Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

Skip to the tl;dr This is the second entry in a blog series on using Java cryptography securely. The first entry provided an overview and covered some architectural details, using stronger algorithms and some debugging tips . This entry covers Cryptographically Secure Pseudo-Random Number Generators. This blog series should serve as a one-stop resource for anyone who needs to implement... READ MORE

How to Get Started Using Java Cryptography Securely

msheth's picture
By Mansi Sheth March 17, 2017  | Secure Development

Skip to the tl;dr Cryptography is the backbone of today's information systems. Its applications are all around us: secure email communications, storage of our login credentials, digital cash and mobile payments, to name just a few. Cryptography is one of the most complicated topics in information security, but the good news is we already have well-defined algorithms, implementations and protocols... READ MORE

Abusing npm libraries for data exfiltration

mcurphey's picture
By Mark Curphey November 10, 2016

Package and dependency managers like npm allow command execution as part of the build process. Command execution provides an easy and convenient mechanism for developers to script tasks during the build. For instance, npm allows developers to use pre-install and post-install hooks to execute tasks. A pre-install hook can be used to compile some dependent native library before starting the build.... READ MORE

A look at Vulnerabilities and Dependencies by Language

mcurphey's picture
By Mark Curphey October 24, 2016

As a Data Scientist at SourceClear I get to analyze lots of interesting vulnerability data as well as anonymized project data. New customers often ask us what "normal" looks like when it comes to vulnerabilities in their projects, so I thought I'd take a look and share a few insights. How many projects have vulnerabilities, and how many do they usually have? I looked at projects analyzed with... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu