If you set out to build a new WAF today (which, believe it or not, people are still doing), everyone would have some idea of how it would work -- you'd setup a reverse proxy, and then use signatures of all kinds on the parameters, headers, body,..
If you set out to build a new WAF today (which, believe it or not, people are still doing), everyone would have some idea of how it would work -- you'd setup a reverse proxy, and then use signatures of all kinds on the parameters, headers, body,..
It's hard to overstate what's happening here. The FBI, New York and Massachusetts Attorneys General, and Congress are now running inquiries into the Equifax breach. More will come. It's clear that the U.S. economy will change in some way as a result..
On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against all previous versions of the Apache Struts 2 REST Plugin [1] available in those packages with Struts 2 between 2.0.0 and 2.5.12..
On March 6, a new remote code execution vulnerability was disclosed1 against Struts 2 (2.3.5-2.3.31 and 2.5-2.5.10.) Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.
I had to fight tooth and nail to get this blog title -- I hope it made you shoot air out of your nose with a little more thrust than usual.
So, you don’t have the budget to buy Contrast, but you want your developers to be on top of the security of your open source libraries. No problem! Here’s a few simple tips and tricks to staying current.
Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time.
It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well.
In fact, it doesn’t really verify you are who the client..
I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.
NOTE: Before you begin reading, you may want to visit this article for Act 1 of our series – Kryo serialization library and its weaknesses. This piece frames some of the discussion in this blog, but definitely isn’t required reading.
XStream is a..
When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass?..
"When we instrumented applications at the UK's largest Government Department with Contrast Assess, it was like handing our project teams an incredibly powerful debugging agent containing the sum total of application security knowledge.”
Learn how to unify security strategy across & development operations. See how to set up a CAS program with only eight activities!
By subscribing to our blog you will stay on top of all the latest appsec news and devops best practices. You will also be informed of the latest Contrast product news and exciting application security events.
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.
