The latest trends and tips in DevSecOps through instrumentation and Security Observability.

The Client Is Not Always Right!

I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.

Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)

NOTE: Before you begin reading, you may want to visit the first article in this series: Serialization Must Die: Act 1: Kryo. That piece frames some of the discussion for this current blog.

XStream is a popular deserialization library. It’s used..

Serialization Must Die: Act 1: Kryo

When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass?..

Third-Party Software Library and Airbag Grenades

Recently Contrast Security ran some analysis of our customers’ 3rd party software usage, which is a huge security blind spot for most organizations, and our data tells an interesting story. I’m going to tell you why 3rd party libraries are a serious..

A New, Open Source Tool Proves: Even After Patching, Deserializing Will Still Kill You

With all the talk about Java serialization vulnerabilities, I thought I'd share a new, open source tool I built for you to download and use, purposely designed to consume all the memory of a target that's deserializing objects -- eventually blowing..

The Fast, Free, Fantastic Way to Find Cross-Site Scripting (XSS)

What Is XSS?

Cross-site scripting (XSS) is really pretty simple. Any time untrusted data ends up on an HTML page without proper validation and escaping, you have a problem. So when a developer takes an HTTP request parameter and it finds its way..

The 10 Most Important Security Controls Missing in JavaEE

JavaEE has some excellent built-in security mechanisms, but they don’t come close to covering all the threats that your applications will face. Many common attacks like Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF),..

Five Application Security New Year's Resolutions Every Developer Can Make

New Year's Resolutions can be tricky, and advice abounds on how you can do a better job at keeping them. For the sake of this post, I'm assuming you've already made the decision to be better at increasing the security of your applications. With..

Automating AppSec

By Chris Schmidt, October 1, 2013

As developers, we have tools that we use every day to make ourselves more efficient. We use tools like Maven for dependency management, Jenkins for continuous integration, JIRA for bug tracking, Sonar for development analytics and Fisheye for..