APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.


Contrast Scan Adds Support for Client-Side JavaScript - The World’s Most Popular Programming Language

By Joe Coletta, January 5, 2022

If you’re looking for the TL;DR version of this announcement, here it is: Contrast Scan has expanded its language coverage to include front-end languages with support for client-side JavaScript (JS) and jQuery. Now that we’ve got that covered,..


Log4J 2.17.1 - Lower Risk, Patch When You Can

The season of Log4J vulnerabilities continues with a new Log4J 2.17.1, released on December 28; however, the risk it addresses is lower than that of the earlier issues. Teams that have not applied the previous Log4J updates must do so immediately; teams that have been diligent on..


Expression language and deserialization attacks on the rise in lead-up to Log4j vulnerability

By Ian Breeze, December 22, 2021

It’s been a couple of weeks since the first public disclosure of the Log4j vulnerability. A lot has happened - perhaps the understatement of the year. Several rounds of new patches have been issued from the Apache Software foundation and others..


Three Reasons Why Contrast SCA Is Best Suited for Log4Shell Rapid Response

With Log4j being such a ubiquitous library, embedded in tens of millions of applications across the Java ecosystem, it's easy to see why the Log4Shell CVE is being treated as a DEFCON 1-class situation. To add salt to the wound, many..


[Upgrade to 2.17] Updated Guidance on Addressing Log4J CVEs

This morning, the Apache Software Foundation provided another update to log4j (version 2.17.0) to address a new CVE-2021-45105. Contrast recommends using this most secure version.


Contrast Security Protects Serverless applications from Log4j Attacks

The Log4j flaw (also now known as "Log4Shell") is a zero-day vulnerability (CVE-2021-44228) that came to light on December 9, allowing almost anyone to remotely execute malicious code against organizations that have certain configurations..


Log4Shell By The Numbers

We monitor many thousands of applications with Contrast Assess (IAST), Contrast SCA, and Contrast Protect (RASP) so we have a unique data set compared to others and, so far, we have some really interesting takeaways. Of course, our data, like any..


Updated Guidance on Addressing Log4J CVEs

The information below is no longer current against the evolving security landscape; see the [updated guidance] on this issue.

The Apache Software Foundation provided updated guidance that the patch to fix Log4Shell..


Instantly Inoculate Your Servers Against Log4J With New Open Source Tool

Contrast is releasing SafeLog4j, a free and open-source, general-purpose tool that can detect/verify vulnerable log4j applications and protect them. The utility works with user-developed and third-party applications, does not require source code,..
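As an added illustration of the "detect/verify without source code" part of that job, the script below is an offline checker written for this page; it is not SafeLog4j or any other Contrast code. It walks a directory of jar/war/ear archives, descends into nested jars, reads the log4j-core version from the Maven `pom.properties` that Apache-published log4j-core jars carry (an assumption for shaded or repackaged copies, which it flags for manual review), notes whether `JndiLookup.class` has been stripped, and reports which of the four 2021 CVEs the found version still carries. The fixed-in versions are taken from Apache's Log4j security page; the sample war at the bottom is constructed in memory for demonstration, not a real artifact.

```python
"""Offline check for vulnerable log4j-core jars inside application archives.

Added example (not Contrast's SafeLog4j): walks jars/wars/ears, descends into
nested jars, reads the log4j-core version from its Maven pom.properties and
reports which of the 2021 CVEs that version still carries.
"""
import io
import re
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Removing JndiLookup.class was Apache's stated mitigation for the JNDI CVEs only;
# the lookup-recursion DoS (45105) and the JDBC appender issue (44832) are unaffected.
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}

# First fixed release per CVE, per release line (Apache Log4j security page).
# Keys: 3 -> 2.3.x (Java 6 line), 12 -> 2.12.x (Java 7 line), None -> 2.x mainline.
FIXED_IN = {
    3:    {"CVE-2021-44228": (2, 3, 1), "CVE-2021-45046": (2, 3, 1),
           "CVE-2021-45105": (2, 3, 1), "CVE-2021-44832": (2, 3, 2)},
    12:   {"CVE-2021-44228": (2, 12, 2), "CVE-2021-45046": (2, 12, 2),
           "CVE-2021-45105": (2, 12, 3), "CVE-2021-44832": (2, 12, 4)},
    None: {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
           "CVE-2021-45105": (2, 17, 0), "CVE-2021-44832": (2, 17, 1)},
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def outstanding_cves(version, jndi_lookup_present):
    """Return the CVEs from the table above that this log4j-core version has not fixed."""
    if version is None or version[0] != 2:
        return []  # log4j 1.x is a different code base and is not covered here
    line = version[1] if version[1] in (3, 12) else None
    result = []
    for cve, first_fixed in FIXED_IN[line].items():
        if version >= first_fixed:
            continue
        if cve in JNDI_CVES and not jndi_lookup_present:
            continue  # class stripped: JNDI CVEs mitigated, the other two stay open
        result.append(cve)
    return result


def scan_archive(name, data, findings):
    """Inspect one archive (as bytes), recurse into nested archives, append findings."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if CORE_POM in names:
        props = zf.read(CORE_POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.*)$", props, re.M)
        version = parse_version(m.group(1) if m else None)
        jndi = JNDI_LOOKUP in names
        findings.append({"path": name,
                         "version": ".".join(map(str, version)) if version else "unknown",
                         "jndi_lookup_present": jndi,
                         "outstanding": outstanding_cves(version, jndi)})
    elif JNDI_LOOKUP in names:
        # Shaded/repackaged copy without Maven metadata: flag for manual review.
        findings.append({"path": name, "version": "unknown",
                         "jndi_lookup_present": True, "outstanding": None})
    for entry in zf.namelist():
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(f"{name}!{entry}", zf.read(entry), findings)


def scan_tree(root):
    """Scan every archive under a directory; returns the list of findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(str(path), path.read_bytes(), findings)
    return findings


def build_sample_war():
    """Constructed test input: a war bundling a pre-fix log4j-core 2.14.1 jar
    next to a 2.17.1 jar. These are stand-ins, not real Apache artifacts."""
    def core_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr(CORE_POM, f"version={version}\nartifactId=log4j-core\n")
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
        w.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", core_jar("2.17.1"))
    return war.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = []
        scan_archive("sample.war", build_sample_war(), results)
    for f in results:
        print(f"{f['path']}: log4j-core {f['version']} "
              f"jndi={'present' if f['jndi_lookup_present'] else 'removed'} "
              f"outstanding={f['outstanding'] or 'none'}")
```

Run it with a directory argument to scan deployed artifacts, or with no argument to see the constructed sample: the 2.14.1 jar reports all four CVEs outstanding, the 2.17.1 jar reports none. A jar found on disk only proves the library is present; whether the running process actually loaded that copy (and with which configuration) is what a runtime tool such as the one described above is for.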


WAF, RASP and Log4Shell

Log4Shell has done an excellent job of making the case for Runtime Application Self-Protection (RASP). Here’s the quick summary: our Contrast Protect customers have been secure against the remote code execution (RCE) in this vulnerability for..

