Zip file overwrites are a cool but rare vulnerability that can occur on apps that work with user-supplied zip files. The folks at Snyk recently found a slew of libraries that do that, and there is a lot of history in this attack vector. In fact,..

If you set out to build a new WAF today (which, believe it or not, people are still doing), everyone would have some idea of how it would work -- you'd setup a reverse proxy, and then use signatures of all kinds on the parameters, headers, body,..

It's hard to overstate what's happening here. The FBI, New York and Massachusetts Attorneys General, and Congress are now running inquiries into the Equifax breach. More will come. It's clear that the U.S. economy will change in some way as a result..

On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against all previous versions of the Apache Struts 2 REST Plugin [1] available in those packages with Struts 2 between 2.0.0 and 2.5.12..

On March 6, a new remote code execution vulnerability was disclosed¹ against Struts 2 (2.3.5-2.3.31 and 2.5-2.5.10.) Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.

I had to fight tooth and nail to get this blog title -- I hope it made you shoot air out of your nose with a little more thrust than usual.

So, you don’t have the budget to buy Contrast, but you want your developers to be on top of the security of your open source libraries. No problem! Here’s a few simple tips and tricks to staying current.

Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time.

It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well.

In fact, it doesn’t really verify you are who the client..

J’accuse!

I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.

NOTE: Before you begin reading, you may want to visit the first article in this series: Serialization Must Die: Act 1: Kryo. That piece frames some of the discussion for this current blog.

XStream is a popular deserialization library. It’s used..