Agile is a frequently used methodology applied to the management of software development projects. It is an iterative rather than linear approach which focuses on continuous improvement via...
Apache Struts is a free, open-source framework for creating elegant, enterprise-ready Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and...
An API is a set of definitions, routines, protocols, and tools for building and integrating software applications. APIs are software intermediaries that let applications communicate...
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. As applications are increasingly accessible via networks, they become...
Application security testing describes the various approaches used by organizations as they attempt to find and eliminate vulnerabilities in their software. Also referred to as AppSec testing and...
Application vulnerabilities are flaws or weaknesses in an application that can lead to exploitation or a security breach. With the enormous global reach of the Internet, web applications are...
Binary code analysis, also referred to as binary analysis or code review, is a form of static analysis that does threat assessment and vulnerability testing at the binary code level. This analysis...
Broken access control is #5 on the latest (2017) OWASP Top 10 list. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function...
Broken authentication is #2 on the latest (2017) OWASP Top 10 list. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken...
With a brute force attack, the attacker attempts to crack a password or username using an “exhaustive search” or trial and error approach. In cryptography, a brute force attack consists of the...
Buffers provide a temporary area for programs to store data. A buffer overflow, also known as a buffer overrun, occurs when a program writes past a buffer's boundary and overwrites adjacent memory locations...
Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. Code...
With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. Command injection is made possible when an...
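The following is an added example, not code from the page or from Contrast Security, showing how the injection described above happens and how it is stopped. It uses `echo` as a stand-in for the real network tool an application would call (assumption: the application shells out to a tool with a hostname taken from the request), and the hostname allow-list regex is an illustrative choice, not a standard:

```python
import re
import subprocess

# Constructed attacker-controlled value: a hostname followed by a shell metacharacter
# and a second command. `echo INJECTED` is harmless; a real payload would not be.
ATTACKER_INPUT = "example.com; echo INJECTED"

# Hypothetical allow-list for what a hostname may look like (assumption, not a standard).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_unsafe(host):
    """Vulnerable: the untrusted value is spliced into a command line that a shell parses,
    so the ';' ends the intended command and starts the attacker's."""
    cmd = "echo checking " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(host):
    """Better: no shell, argv passed as a list. The metacharacters are now just bytes
    inside one argument, even though the value was never validated."""
    return subprocess.run(["echo", "checking", host], capture_output=True, text=True).stdout


def lookup_safe(host):
    """Hardened: allow-list validation first, then the no-shell call from run_argv."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_argv(host)


def demo():
    """Exercise all three variants against the constructed payload."""
    unsafe_out = lookup_unsafe(ATTACKER_INPUT)
    argv_out = run_argv(ATTACKER_INPUT)
    try:
        lookup_safe(ATTACKER_INPUT)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return unsafe_out, argv_out, verdict


if __name__ == "__main__":
    unsafe_out, argv_out, verdict = demo()
    print("shell=True output:\n" + unsafe_out)
    print("argv list output:\n" + argv_out)
    print("hardened version:", verdict)
```

The `shell=True` variant prints two lines because the shell executed two commands; the argv variant prints one line containing the literal payload. The allow-list is the second layer: it keeps the value from reaching any downstream parser that might still interpret it.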
Computer worms have been around for more than three decades and show no sign of extinction. Throughout their existence, they have been responsible for billions of dollars in damage...
Cross-site scripting (XSS) describes a web security vulnerability that allows attackers to compromise user interactions by inserting malicious scripts designed to hijack vulnerable applications. An...
DevOps security refers to the practice of safeguarding an organization’s entire development/operations environment through the use of coordinated policies, processes, and technology. DevOps gives...
DevSecOps is the practice of integrating security with development and operations (DevOps), in order to combine security with agility throughout all stages of the application development lifecycle....
Dynamic application security testing (DAST) is a black-box test, working from the outside in, designed to detect security vulnerabilities in an application’s running state. DAST is good at finding...
Expression Language Injection (aka EL Injection) enables an attacker to view server-side data and other configuration details and variables, including sensitive code and data (passwords, database...
Designing test cases that accurately identify defects in software can be challenging. As scanners run and tests are conducted, false negatives happen when problems aren’t picked up even though there...
False positives occur when a scanning tool, web application firewall (WAF), or intrusion prevention system (IPS) incorrectly flags a security vulnerability during software testing. False positives...
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Either hardware, software, or a combination of both,...
In the world of cybersecurity, fuzz testing (or fuzzing) is an automated software testing technique that attempts to find hackable software bugs by randomly feeding invalid and unexpected inputs and...
Injection is #1 on the latest (2017) OWASP Top 10 list. Injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to...
Serialization is the process of converting an object into a format or sequence of bytes that can be persisted on disk or transmitted through streams. The reverse process is called deserialization –...
Security instrumentation (aka deep security instrumentation) embeds sensors within applications so they can protect themselves from the most sophisticated attacks in real time. Security...
Insufficient logging and monitoring is #10 on the 2017 OWASP Top Ten list of most critical web application security risks, which states that “exploitation of insufficient logging and monitoring is the...
Malicious code is code inserted in a software system or web script intended to cause undesired effects, security breaches, or damage to a system. Taking advantage of common system vulnerabilities,...
As developers strive to meet the demands of the modern software development life cycle (SDLC), they are often confronted with the need to compromise security for faster release...
In a man-in-the-middle attack, the attacker eavesdrops on the communications between two targets, then secretly relays and possibly alters the messages between parties who believe they are directly...
Method tampering (aka verb tampering and HTTP method tampering) is an attack against authentication or authorization systems that have implicit "allow all" settings in their security configuration....
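The following is an added example, not code from the page or from Contrast Security, that models the “implicit allow all” configuration the entry describes as a small policy evaluator. The rule format, the prefix-based path matching and the sample `/admin` rule are constructed for the illustration; real servers express the same idea in their own configuration syntax (for example a constraint that lists only `GET` and `POST`):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str            # path prefix the rule covers (simplification: prefix match)
    methods: frozenset   # HTTP methods the rule names
    roles: frozenset     # roles allowed to use those methods on that path


# Constructed policy: the administrator protected GET and POST on /admin and thought
# of nothing else. HEAD, PUT, TRACE and arbitrary verbs are simply not mentioned.
RULES = [Rule("/admin", frozenset({"GET", "POST"}), frozenset({"admin"}))]


def authorize_implicit_allow(rules, method, path, user_roles):
    """Weak evaluator: a request is checked only if some rule names its method.
    Anything a rule does not mention falls through to allow."""
    for rule in rules:
        if path.startswith(rule.path) and method in rule.methods:
            return bool(user_roles & rule.roles)
    return True  # no rule matched -> implicit "allow all"


def authorize_default_deny(rules, method, path, user_roles):
    """Hardened evaluator: the path must be covered by a rule, the method must be one the
    rule explicitly lists, and the caller must hold a permitted role. Everything else is denied.
    Methods are compared literally, as HTTP defines them (GET and get are different)."""
    for rule in rules:
        if path.startswith(rule.path):
            if method not in rule.methods:
                return False  # verb not explicitly permitted on this resource
            return bool(user_roles & rule.roles)
    return False  # no rule covers the path -> deny


def tampering_results(method, path="/admin"):
    """Return (implicit-allow decision, default-deny decision) for an anonymous caller."""
    anonymous = frozenset()
    return (authorize_implicit_allow(RULES, method, path, anonymous),
            authorize_default_deny(RULES, method, path, anonymous))


if __name__ == "__main__":
    for verb in ("GET", "POST", "HEAD", "PUT", "get", "FOO"):
        weak, strong = tampering_results(verb)
        print(f"{verb:5s} anonymous -> implicit allow: {weak!s:5s} default deny: {strong}")
```

Against the weak evaluator, an anonymous `HEAD /admin` (which many frameworks route to the same handler as `GET`) or a made-up verb is authorized; against the hardened one only an `admin` using `GET` or `POST` gets through.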
Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. Specifically, OGNL enables the evaluation of EL expressions in Apache Struts, which is the commonly used...
The term "open source" refers to software released under a license that lets people freely use, modify, and share it. The adoption of third-party open source software (OSS) has increased significantly over...
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. The OWASP Top 10 is a listing of the ten most common...
Path traversal (also known as directory traversal) is an attack that uses an affected application to gain unauthorized access to server file system folders that are higher in the hierarchy than the...
The Payment Card Industry Data Security Standard (PCI DSS) is a set of widely followed security requirements agreed upon by members of the PCI Security Standards Council. PCI compliance includes...
Payment card industry (PCI) compliance, also referred to as Payment Card Industry Data Security Standard (PCI DSS) compliance, refers to the technical and operational standards businesses must follow...
Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white...
Coined by Gartner in 2012, Runtime Application Self-Protection (RASP) is an emerging security technology that lets organizations stop hackers’ attempts to compromise enterprise applications and data....
What Is a ReDoS Attack? A ReDoS attack is a denial-of-service (DoS) attack that exploits an application’s exponential evaluation of regular expressions.
Regular expressions can reside in every layer of the web. A Regular expression Denial of Service (ReDoS) attack supplies crafted input that makes one or more vulnerable regular expressions (regexes) “run on and on” through catastrophic backtracking. Using...
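The following is an added example, not code from the page or from Contrast Security, showing the exponential evaluation the two entries above describe with Python's backtracking `re` engine. The pattern `^(a+)+$`, the rewritten pattern `^a+$` and the almost-matching input are constructed for the illustration:

```python
import re
import time

# Nested quantifier: on "aaa...a!" the engine tries every way of splitting the a's between
# the inner and outer '+' before it can conclude there is no match, about 2^n attempts.
VULNERABLE = re.compile(r"^(a+)+$")

# Accepts exactly the same strings, but with a single quantifier the failed match is
# abandoned after one pass over the input.
SAFE = re.compile(r"^a+$")


def evil_input(n):
    """Constructed attacker input: n characters that match, then one that breaks the match
    at the very end, so all the backtracking happens before the failure is reported."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds taken) for one evaluation."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n):
    """Time both patterns on the same failing input of length n + 1."""
    _, t_vulnerable = timed_match(VULNERABLE, evil_input(n))
    _, t_safe = timed_match(SAFE, evil_input(n))
    return t_vulnerable, t_safe


if __name__ == "__main__":
    # Each extra 'a' roughly doubles the vulnerable time; the safe pattern stays flat.
    for n in (10, 14, 18, 22):
        t_vulnerable, t_safe = compare(n)
        print(f"n={n:2d}  vulnerable={t_vulnerable:8.4f}s  safe={t_safe:.6f}s")
```

Do not push `n` much past 25 with the vulnerable pattern: each additional character doubles the work, which is exactly why a single request can tie up a worker. The fix is to remove the nested quantifier (or any two quantifiers that can match the same text in multiple ways), not merely to cap input length, since a cap of even a few dozen characters still leaves an exponential worst case.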
As a set of values and principles that describes a group's day-to-day interactions and activities, Agile provides the framework for an iterative and incremental software development approach. Scrum...
The Software Development Life Cycle (SDLC) is a framework that defines tasks performed at each step in the software development process. SDLC standards provide a structure that can be followed by...
Security misconfiguration is #6 on the latest (2017) OWASP Top 10 list. This vulnerability can occur at any level of an application stack, including network services, platform, web server,...
Sensitive data exposure is #3 on the latest (2017) OWASP Top 10 list. This vulnerability occurs when an application fails to adequately protect sensitive information, leaving it open to accidental...
Session fixation and session hijacking are both attacks that attempt to gain access to a user’s client and web server session. In the session hijacking attack, the attacker attempts to steal the ID...
The importance of security is on the rise as digital innovation explodes. And as organizations launch more applications and evolve existing ones, the application attack surface grows. This...
Today’s software applications rely heavily on open-source components. Software Composition Analysis (SCA) is the process of automating visibility into the use of open source software (OSS) for the...
Anytime an individual or device disguises itself as a trusted source, it is known as spoofing. A spoofing attack can take on many forms.
In a spoofing attack, a malicious party or program impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access...
One of the most serious application security problems, SQL injection is a commonly employed attacker technique designed to exploit databases through a SQL query security flaw. It is a form of web...
Static application security testing (SAST) involves analyzing an application’s source code very early in the software development life cycle (SDLC). The SAST analysis specifically looks for coding...
Serialization refers to the process of converting an object into a format which can be saved to a file or a datastore, sent through streams, or sent over a network. The format in which an object is...
Vulnerabilities continue to grow as organizations turn to digital transformation and roll out new applications and enhance existing ones. Identifying and then triaging, diagnosing, and...
Vulnerability testing is a crucial part of application development and is used to help identify vulnerabilities that could lead to an application attack.
A web application firewall (WAF) is a network defense that filters, monitors, and blocks HTTP traffic to and from a web application. Unlike a regular firewall that serves as a safety gate between...
Zip file overwrite (also known as Zip Slip) exploits an archive-extraction vulnerability, a form of path traversal, that is found in code written in several widely used programming languages. It is especially prevalent in Java, where there is no central library...
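The following is an added example, not code from the page or from Contrast Security, that serves both the path traversal entry and the Zip Slip entry above, since Zip Slip is traversal applied to archive entry names. The archive is constructed in memory with one benign entry and one `../../evil.txt` entry; the `safe_join` check is a generic containment test that also applies to a file name taken from a URL or form field:

```python
import io
import tempfile
import zipfile
from pathlib import Path


def safe_join(base_dir, untrusted_name):
    """Resolve `untrusted_name` under `base_dir` and refuse anything that escapes it.
    Catches '..' segments, absolute names, and symlinks that point outside the base."""
    base = Path(base_dir).resolve()
    target = (base / untrusted_name).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"path traversal rejected: {untrusted_name!r}")
    return target


def is_contained(base_dir, untrusted_name):
    """Boolean form of the same check, convenient for filtering."""
    try:
        safe_join(base_dir, untrusted_name)
        return True
    except ValueError:
        return False


def build_malicious_zip():
    """Constructed archive: a benign entry plus a Zip Slip entry whose name climbs
    two directories above wherever the archive is extracted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        zf.writestr("../../evil.txt", "dropped outside the extraction dir\n")
    return buf.getvalue()


def safe_extract(zip_bytes, dest_dir):
    """Extract entries one at a time, validating each name before any write.
    Returns (extracted names, rejected names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_join(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_malicious_zip(), dest)
        readme = (Path(dest) / "readme.txt").read_text()
    return extracted, rejected, readme


if __name__ == "__main__":
    extracted, rejected, readme = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
    print("readme.txt contains:", readme.strip())
```

The check is done on the fully resolved path rather than by looking for the substring `..`, so encoded or doubled separators that a naive filter would miss are handled by the same rule, and an entry that is an absolute path is rejected for the same reason. Python's own `ZipFile.extractall` strips `..` segments, so the manual loop is shown to make the containment rule explicit for languages and libraries that do not.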
Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software. Contrast’s patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.