SECURITY INFLUENCERS BLOG

Security Influencers provides real-world insight and “in-the-trenches” experiences on topics ranging from software application security to DevOps and cloud security.

Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.

Serialization Must Die: Act 1: Kryo

When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass?..

Third-Party Software Library and Airbag Grenades

Recently Contrast Security ran some analysis of our customers’ 3rd party software usage, which is a huge security blind spot for most organizations, and our data tells an interesting story. I’m going to tell you why 3rd party libraries are a serious..

A New, Open Source Tool Proves: Even After Patching, Deserializing Will Still Kill You

With all the talk about Java serialization vulnerabilities, I thought I'd share a new, open source tool I built for you to download and use, purposely designed to consume all the memory of a target that's deserializing objects -- eventually blowing..

Java Agents, Memory, and the Importance of Measuring

"How much memory do I need to add to my JVM to account for Contrast?" Man, these questions sound really simple, don't they? I could probably just say "Add 128MB!" and everyone would probably be happy.

But that's not me. We need to science this..

ColdFusion Vulnerabilities and High-Profile Hacks

ColdFusion was hugely popular when it arrived: it had commercial support, an easy syntax for web developers, and remarkably good tooling. But existing security tooling has left those developers in a quagmire of decreasing support in a time of..

ColdFusion and Application Security

Contrast Now Supports Securing ColdFusion! Even before adding support for .NET, the Contrast team had planned to support ColdFusion. Let's go through our preferred customer checklist:

Application Security: Faster, Cleaner, Smarter.

Our release notes are always available, but I wanted to highlight the progress we've made since the end of last year on making a faster, cleaner, smarter vulnerability detection agent. Our goal is to be entirely invisible, continuously on,..

Using Instrumentation to Find Web Application Vulnerabilities

Since the advent of static analysis tools around the year 2002, there hasn't been much innovation in the automation space in application security.  Contrast represents a completely new approach to finding vulnerabilities and much more. Gartner..

Five Application Security New Year's Resolutions Every Developer Can Make

New Year's Resolutions can be tricky, and advice abounds on how you can do a better job at keeping them. For the sake of this post, I'm assuming you've already made the decision to be better at increasing the security of your applications. With..
