Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Vegas Cons 2016 Wrap Up

By Tom Palarz August 18, 2016  | Research

In my earlier post, I gave my thoughts on what the trends were so far part way through the set of conferences last week (BSidesLV, Blackhat, and DefCon24). In this post, I wrap up my thoughts for the week’s conferences. There were several great talks I missed at BSides this year. Two in particular were ones I’m bummed I missed: one on FOIA requests [http://sched.co/7a8k] (given... READ MORE

Crypto Fun at Black Hat 2016

By Tom Palarz August 9, 2016  | Research

This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on the Galois/Counter Mode (GCM) mode of operation: Nonce Disrespect (slides [pdf], paper [pdf], example code) GCM is an authenticated encryption mode where authentication and ciphering are done in one pass across a... READ MORE
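The forgery the teaser refers to, shown as an added example that is not code from the post, the Nonce-Disrespect paper or Veracode. GHASH is implemented exactly as NIST SP 800-38D specifies; the two AES outputs that a reused nonce holds constant, H = AES_K(0^128) and S = AES_K(J0), are modelled as random secrets (an assumption that replaces the cipher, which the attack never needs). Two one-block messages tagged under the same nonce let the attacker solve for H, then S, then forge a tag over a modified ciphertext with attacker-chosen AAD. `spec_vector_ok` pins the field arithmetic to a public GCM spec test vector; `library_cross_check` is an optional comparison against a real AES-GCM tag when the `cryptography` package happens to be installed.

```python
"""Forging a GCM tag after nonce reuse (added example; not the post's code).

GCM computes tag = GHASH_H(A, C) XOR S, where H = AES_K(0^128) and S = AES_K(J0),
J0 being derived from the nonce.  Reusing a nonce under one key makes S identical
for both messages, so XORing two tags cancels it and leaves a polynomial in H.
GHASH below follows SP 800-38D exactly; H and S are random stand-ins for the AES
outputs (assumption: this is a model of GCM's tag equation, not AES itself).
"""
import os

R = 0xE1 << 120   # reduction constant for x^128 + x^7 + x^2 + x + 1, bit-reflected
ONE = 1 << 127    # multiplicative identity in GHASH bit order (byte 0x80, then zeros)


def gf_mul(x, y):
    """Multiply two 128-bit blocks in GF(2^128), SP 800-38D Algorithm 1."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:          # x_i, numbered from the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x, e):
    """Square-and-multiply exponentiation in the same field."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_inv(x):
    return gf_pow(x, (1 << 128) - 2)      # Fermat: x^(q-2) = x^-1 for x != 0


def gf_sqrt(x):
    return gf_pow(x, 1 << 127)            # Frobenius: (x^(2^127))^2 = x^(2^128) = x


def ghash(h, aad, ct):
    """GHASH over zero-padded AAD and ciphertext, then the 64|64-bit length block."""
    x = 0
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            block = int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
            x = gf_mul(x ^ block, h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mul(x ^ lengths, h)


def gcm_tag(h, s, aad, ct):
    """The GCM tag equation, with S standing in for AES_K(J0)."""
    return ghash(h, aad, ct) ^ s


def recover_h(c1, t1, c2, t2):
    """Two one-block ciphertexts, no AAD, same nonce.  ghash(c) = c*H^2 ^ L*H and
    L and S are equal for both, so t1 ^ t2 = (c1 ^ c2) * H^2 and H is its root."""
    c1, c2 = int.from_bytes(c1, "big"), int.from_bytes(c2, "big")
    return gf_sqrt(gf_mul(t1 ^ t2, gf_inv(c1 ^ c2)))


def demo():
    """Victim tags two messages under one nonce; attacker forges a third."""
    h = int.from_bytes(os.urandom(16), "big")   # stands in for AES_K(0^128)
    s = int.from_bytes(os.urandom(16), "big")   # stands in for AES_K(J0)
    c1, c2 = os.urandom(16), os.urandom(16)     # two observed one-block ciphertexts
    t1, t2 = gcm_tag(h, s, b"", c1), gcm_tag(h, s, b"", c2)
    h_rec = recover_h(c1, t1, c2, t2)
    s_rec = t1 ^ ghash(h_rec, b"", c1)          # S falls out once H is known
    # Flip ciphertext bits (the plaintext flips identically under the reused
    # keystream), append a block, and attach AAD the victim never authenticated.
    c3 = bytes(b ^ 0xFF for b in c1) + b"attacker block!!"
    forged = gcm_tag(h_rec, s_rec, b"role=admin", c3)
    return {"h_ok": h_rec == h, "s_ok": s_rec == s,
            "forgery_accepted": forged == gcm_tag(h, s, b"role=admin", c3)}


# GCM spec test case 2 (key 0, IV 0, one zero plaintext block): a public vector
# that pins gf_mul and ghash to the real bit ordering.
SPEC_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
SPEC_C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
SPEC_GHASH = 0xF38CBB1AD69223DCC3457AE5B6B0F885


def spec_vector_ok():
    return ghash(SPEC_H, b"", SPEC_C) == SPEC_GHASH


def library_cross_check():
    """None if `cryptography` is absent; otherwise whether gcm_tag reproduces a
    real AES-GCM tag with H = AES_K(0^128) and S = AES_K(nonce || 0^31 || 1)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return None
    key, nonce, aad, pt = bytes(range(16)), bytes(12), b"hdr", b"sixteen byte msg"
    ecb = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    h = int.from_bytes(ecb.update(bytes(16)), "big")
    s = int.from_bytes(ecb.update(nonce + b"\x00\x00\x00\x01"), "big")
    out = AESGCM(key).encrypt(nonce, pt, aad)
    return gcm_tag(h, s, aad, out[:-16]) == int.from_bytes(out[-16:], "big")


if __name__ == "__main__":
    print("spec vector:", spec_vector_ok(), "library:", library_cross_check())
    print(demo())
```

The one-block case needs only a square root; with longer ciphertexts the tag difference is a higher-degree polynomial in H and the attacker has to find its roots in GF(2^128), which is what the paper's code does. Once H and S are known for a nonce, any ciphertext and any AAD can be given a valid tag under it, which is why a 96-bit nonce must never repeat for a given key.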

DEF CON 24: Day One

By Tom Palarz August 8, 2016  | Research

DEF CON is at a new venue since my last visit (two years ago), and I have to give props to the conference staff for all the hard work they’ve put in. Lines to get to talks and villages are still as incredibly long as ever, and make it hard to justify the time spent waiting while missing out on something else. Some trends I’m noticing so far: The car hacking industry is maturing a bit with... READ MORE

TLS Verification in Ruby Client Libraries

By Mark Curphey April 10, 2016

A week ago, a couple of security researchers warned about unverified TLS certificates in SSL libraries of some programming languages. You may read more at their blog. In summary, they found that all programming languages do not verify revoked certificates and languages like Python and PHP do not verify certificates in some cases. That is, if you are using Python or PHP to make HTTPS requests, you... READ MORE

Handlebars.js Vulnerability Impact Study

By Mark Curphey January 31, 2016

A few weeks ago, I described a cross-site scripting vulnerability in the popular handlebars.js library in my blog post here. A number of other JavaScript libraries and applications were also affected because of copy-and-pasted code and a tendency for developers to include and distribute the JavaScript source files directly in their projects. After following our responsible disclosure policy and... READ MORE

Answering your questions about the new State of Software Security report

By Tim Jarrett December 7, 2015  | Research

On December 3, CA Veracode published a new supplemental State of Software Security Report, Focus on Application Development. As you might have guessed, the report has raised comments and questions – particularly about the security of applications written in different programming languages. There have been some... READ MORE

Cut-and-paste component vulnerabilities - A short study of how a handlebars.js vulnerability has spread

By Mark Curphey December 6, 2015

Today, we are going to explore a cross-site scripting vulnerability in the popular handlebars library. The handlebars library provides a logicless templating language that enables you to separate the view and the rest of your code. This library is based off of the popular mustache templating language modified by Yehuda Katz, also known as wycats on GitHub. Over 9,000 people have starred... READ MORE

Commons Collections Deserialization Vulnerability Research Findings

By Mark Curphey December 1, 2015

A few weeks ago, I wrote about the recent Apache Commons Collections deserialization vulnerability in Let’s Calm Down About Apache Commons Collections. I said we were going to look into finding other libraries that were also vulnerable. In this post, I publish the findings and conclusions. Then I geek-out by excitedly describing plans and ideas for future research. Research Method The original... READ MORE

Amazon AWS Java SDK Vulnerability Disclosure

By Mark Curphey November 23, 2015

Last week, we disclosed a CSRF-style vulnerability in Spring Social Core to Pivotal. Today, we will talk about a denial of service vulnerability in the Amazon AWS SDK for Java. This official AWS SDK is used by Java developers to integrate with various AWS services including interaction with the Amazon APIs for storing and retrieving files from S3 buckets. The releases 1.8.0 to 1.10.34 of the AWS... READ MORE

Spring Social Core Vulnerability Disclosure

By Mark Curphey November 11, 2015

Today we would like to announce the discovery of a vulnerability in the Spring Social Core library. Spring Social provides Java bindings to popular service provider APIs like GitHub, Facebook, Twitter, etc., and is widely used by developers. All current versions (1.0.0.RELEASE to 1.1.2.RELEASE) of the library are affected by this vulnerability. To exploit this vulnerability, an attacker can... READ MORE
