Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Answering your questions about the new State of Software Security report

TJarrett's picture
By Tim Jarrett December 7, 2015  | Research

state-of-software-security-focus-on-application-development-1.jpg On December 3, CA Veracode published a new supplemental State of Software Security Report, Focus on Application Development. As you might have guessed, the report has raised comments and questions – particularly about the security of applications written in different programming languages. There have been some... READ MORE

Cut-and-paste component vulnerabilities - A short study of how a handlebars.js vulnerability has spread

vhenderson's picture
By Vanessa Henderson December 6, 2015

Today, we are going to explore a cross-site scripting vulnerability in the popular handlebars library. The handlebars library provides a logicless templating language that enables you to separate the view and the rest of your code. This library is based off of the popular mustache templating language modified by Yehuda Katz, also known as wycats on GitHub. Over 9,000 people have starred... READ MORE

Commons Collections Deserialization Vulnerability Research Findings

cfenton's picture
By Caleb Fenton December 1, 2015

A few weeks ago, I wrote about the recent Apache Commons Collections deserialization vulnerability in Let’s Calm Down About Apache Commons Collections. I said we were going to look into finding other libraries that were also vulnerable. In this post, I publish the findings and conclusions. Then I geek-out by excitedly describing plans and ideas for future research. Research Method The original... READ MORE

Amazon AWS Java SDK Vulnerability Disclosure

asharma's picture
By Asankhaya Sharma November 23, 2015

Last week, we disclosed a CSRF-style vulnerability in Spring Social Core to Pivotal. Today, we will talk about a denial of service vulnerability in the Amazon AWS SDK for Java. This official AWS SDK is used by Java developers to integrate with various AWS services including interaction with the Amazon APIs for storing and retrieving files from S3 buckets. The releases 1.8.0 to 1.10.34 of the AWS... READ MORE

Spring Social Core Vulnerability Disclosure

pambrosini's picture
By Paul Ambrosini November 11, 2015

Today we would like to announce the discovery of a vulnerability in the Spring Social Core library. Spring Social provides Java bindings to popular service provider APIs like GitHub, Facebook, Twitter, etc., and is widely used by developers. All current versions (1.0.0.RELEASE to 1.1.2.RELEASE) of the library are affected by this vulnerability. To exploit this vulnerability, an attacker can... READ MORE

Security Headers on the Top 1,000,000 Websites: November 2015 Report

IDawson's picture
By Isaac Dawson November 3, 2015  | Research

It has been over a year since the last analysis on security headers was run. The current state of security header usage will be presented along with a differential analysis of the previous run from October 2014. While no architectural changes to the scanner were made this time, this will be the last run done with this code base.  A new scanner is currently under development to gain more... READ MORE

No One Technology is a Silver Bullet

cwysopal's picture
By Chris Wysopal September 23, 2015  | Research

Can one approach to application security solve all your problems? Of course this is a silly question as anyone who is tasked with reducing the risk of their application layer knows. The only people who ask this question are vendors … who of course have a vested interest in drumming up business for their offerings. This week we’re all treated to watch this spectacle play out in the... READ MORE

AngularJS Expression Security Internals

IDawson's picture
By Isaac Dawson June 25, 2015  | Research

Introduction: As part of my research duties I tasked myself with becoming more familiar with the newer MVC frameworks, the most interesting one was AngularJS. I wanted to share with everyone my process for analyzing the expression functionality built in to AngularJS as I feel it's a pretty interesting and unique code base. AngularJS exposes an expression language that exposes a limited set of... READ MORE

Spring, RabbitMQ & Dead Letter Exchanges

pambrosini's picture
By Paul Ambrosini April 26, 2015

RabbitMQ has become a staple for building job queues between the myriad of spring boot micro-serivces I've built at SRC:CLR. The Spring abstraction has allowed for quick and mostly painless development. What I hadn't found a need for was RabbitMQ's "Dead Letter Exchange" setup. Multiple times there had been discussions about using the dead letter pattern but I'd never gone that route. During one... READ MORE

Nuances of two-way Data Binding in AngularJS

twaneka's picture
By Tyler Waneka March 12, 2015

When I first started looking at front end frameworks, all anyone wanted to talk about when it came to AngularJS was two-way data binding. You just connect the Model and the View and when one changes, so does the other. It's magic! It's one of the more glittery feature of AngularJS, and at times it can be extremely useful. But, what's the cost? There's always a cost. With data-binding, the (... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu