SECURITY INFLUENCERS BLOG

Security Influencers provides real-world insight and “in-the-trenches” experiences on topics ranging from software application security to DevOps and cloud security.


Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.


Pulling Back the Curtain On: Zip File Overwrites

Zip file overwrites are a cool but rare vulnerability that can occur on apps that work with user-supplied zip files. The folks at Snyk recently found a slew of libraries that do that, and there is a lot of history in this attack vector. In fact,..
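The class of bug this post covers is an archive entry whose name contains path components such as `../` that, when the unzip routine joins it to the destination directory, resolves to a location outside that directory and overwrites whatever is there. The following Python extractor, written for this page and not taken from the original post or from any of the libraries Snyk examined, shows the check a practitioner wants: resolve the destination path of every member before writing a byte, and refuse any member that would land outside the extraction root. The archive contents, the `safe_extract` and `is_safe_member` helpers, and the destination paths are all constructed for the illustration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip():
    """Constructed sample archive (not a real-world capture): one benign
    entry and one entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../etc/cron.d/evil", "* * * * * root id\n")
    return buf.getvalue()


def is_safe_member(dest_dir, member_name):
    """True only if dest_dir/member_name, after resolving '..' and symlinks,
    still lies inside dest_dir. Absolute member names are rejected as well,
    because os.path.join discards dest_dir when the second part is absolute."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    return target == dest_root or target.startswith(dest_root + os.sep)


def safe_extract(zip_bytes, dest_dir):
    """Extract every member that passes is_safe_member and skip the rest.
    Returns (extracted_names, rejected_names). The check runs before any
    file is opened for writing, so a rejected entry never touches disk."""
    extracted, rejected = [], []
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_root, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Copy the bytes ourselves rather than calling zf.extract(), so the
            # path decision above is the only thing deciding where data lands.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Run the extractor on the sample archive inside a throwaway directory
    and report what was written, what was refused, and the benign file's body."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        with open(os.path.join(dest, "docs", "readme.txt")) as fh:
            body = fh.read()
    return extracted, rejected, body


if __name__ == "__main__":
    print(demo())
```

Two caveats worth knowing: the comparison has to be done on the fully resolved path (`os.path.realpath`), not on the raw member name, because a name like `docs/../../x` looks harmless until it is normalised, and a symlink already present under the destination can redirect a seemingly inner path outward. Python's own `ZipFile.extract` strips drive letters and `..` components before writing, so the manual check mostly matters when porting this pattern to an archive library that hands the member name straight to the filesystem.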


Pulling Back the Curtain on RASP

If you set out to build a new WAF today (which, believe it or not, people are still doing), everyone would have some idea of how it would work -- you'd set up a reverse proxy, and then use signatures of all kinds on the parameters, headers, body,..


Struts 2, Equifax and You

It's hard to overstate what's happening here. The FBI, New York and Massachusetts Attorneys General, and Congress are now running inquiries into the Equifax breach. More will come. It's clear that the U.S. economy will change in some way as a result..


VULNERABILITY ALERT: CVE-2017-9805 – Struts S2-052 Exploit Released, Protection Offered

On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against all previous versions of the Apache Struts 2 REST Plugin [1], as shipped in the Struts 2 packages from 2.0.0 through 2.5.12..


CVE-2017-5638 – Struts 2 S2-045 Exploit Released – Protection Offered

On March 6, a new remote code execution vulnerability was disclosed against Struts 2 (versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10). Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.


Failure to Lognch

I had to fight tooth and nail to get this blog title -- I hope it made you shoot air out of your nose with a little more thrust than usual.


How Can Devs Keep Up with the Library Security Devil?

So, you don’t have the budget to buy Contrast, but you want your developers to be on top of the security of your open source libraries. No problem! Here are a few simple tips and tricks for staying current.


IAST & the Villainous Library Named "commons-httpclient-3.1.jar"

Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time.

It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well.

In fact, it doesn’t really verify you are who the client..


The Client Is Not Always Right!

J’accuse!

I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.


Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)

NOTE: Before you begin reading, you may want to visit the first article in this series: Serialization Must Die: Act 1: Kryo. That piece frames some of the discussion for this current blog.

XStream is a popular deserialization library. It’s used..

