From the Roller website:
Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It runs as a Java web application that should be able to run on most any Java EE server and relational database.
Roller, starting with version 4, uses Struts2 as its web MVC. Struts2 itself utilizes OGNL as a templating / expression language. The Coverity SRL team previously found a remote code execution issue in how Struts2 evaluated tainted data via its configuration files. Refer to that blog entry for background on Struts2 and OGNL.
Posted in Software Architecture and Design | Comments Off on Remote code execution in Apache Roller via OGNL injection
From Oracle’s site:
Posted in Software Architecture and Design | Comments Off on 2 path traversal defects in Oracle’s JSF2 implementation
Is Touch ID all it’s cracked up to be? We explore the vulnerabilities of Touch ID, biometrics, and password security, including general considerations.
Posted in Mobile Application Security, Software Architecture and Design | Comments Off on Touch ID: Yea or nay?
Recently, Linux kernel developers have picked up use of Coverity Scan by addressing new defects found in recently submitted patches. One developer, Dave Jones, noticed a change to remove a fall through comment on a switch case:
> case MPOL_BIND:
> – /* Fall through */
> case MPOL_INTERLEAVE:
> nodes = pol->v.nodes;
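Review bot: dropping the `/* Fall through */` comment between `case MPOL_BIND:` and `case MPOL_INTERLEAVE:` removes the only marker that the fall-through is deliberate; without it a reader or a static checker cannot tell an intentional fall-through from a forgotten `break`. Keep the comment (or an equivalent explicit annotation) on that case so the intent stays visible.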
Posted in Static Analysis (SAST) | Comments Off on Gimme a break
Struts2 allows a developer to include other Struts2 applications via the Plugin architecture. From the site:
Posted in Software Architecture and Design | Comments Off on Making the Struts2 app more secure: Don’t include Config Browser
Is mobile security the “same problem” as web application security? Is it just “different day”? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course, both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s different and why. I’ll break things down as usual: threats, attack surfaces, vectors, impacts, and then controls. Summarizing:
Posted in Mobile Application Security, Software Architecture and Design | Comments Off on Mobile: Different or same sh*t different day?
Associated Press's Twitter feed was hacked, and a tweet posted from it indicated that the president had been injured in an explosion. The market momentarily lost $136 billion (*).
Posted in Uncategorized | Comments Off on Business logic: High frequency trading’s security lessons
By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refers to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you commonly see here.
Posted in Software Architecture and Design | Comments Off on Threats threatening with threats
The President’s Executive Order acknowledges the need to secure our critical infrastructure. But cyber security is more than “information sharing” and “frameworks.”
Posted in Maturity Model (BSIMM) | Comments Off on President Obama acknowledges cyber threat and signs executive order for improving critical infrastructure cybersecurity
Adoption of the new GPL3 license was gradual, and many companies put the new license on their open source policy blacklists. How scary is GPL v3?
Posted in Mergers & Acquisitions, Open Source Security | Comments Off on Who’s afraid of GPL3?