Software Security

Archive for the 'Open Source Security' Category

ExpressJS: Preventing common vulnerabilities in the MEAN stack

Before jumping into the Express framework, get up to speed with Part 1 of this series, which explores MongoDB.

Stack precedence (ExpressJS)

The Express framework allows developers to easily add multiple middleware plugins globally to all routes via app.use(). However, middleware order is important because it will only be applied to routes defined further down the […]

Posted in Open Source Security, Web Application Security

MongoDB: Preventing common vulnerabilities in the MEAN stack

MEAN stack applications (MongoDB, ExpressJS, AngularJS, and NodeJS) are becoming increasingly popular as lightweight, easily deployable frameworks due to a vast ecosystem of middleware plugins and dependencies. But just how secure are these technologies? Let’s examine some common vulnerabilities that are introduced either by using these components in their default configurations or due to common […]

Posted in Open Source Security, Web Application Security

New Apache Struts 2 zero-day vulnerability: What you need to know

It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability. Rather than focusing on how to exploit it here, we will ensure that you are […]

Posted in Application Security, Open Source Security, Vulnerability Assessment, Web Application Security

If you’re only as strong as your allies, should you trust third-party code?

Originally posted on SecurityWeek.

Doing business is a highly interactive endeavor and software is increasingly at the heart of those interactions. Agility becomes a key component of staying competitive, so organizations are seeking allies to help them obtain the software they need to stay in the race. Notice I said “obtain” rather than “build” or […]

Posted in Open Source Security, Software Security Testing, Vendor Risk Management

How to choose between closed source and open source software

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” – Abraham Maslow

When it comes to commercial and open source tools (i.e., paid and free software), the debate as to which category of software is better continues, leaving egos, careers, and […]

Posted in Open Source Security, Software Security Testing, Static Analysis (SAST)

5 questions to ask yourself when deciding on the best static code analysis tool

Buying a house is interesting because it forces you to take a look at everything that you may have taken for granted and ignored. Recently, while I was packing my tools in preparation for a move, I realized that I have eight different hammers in my toolbox. Each hammer serves a different purpose and not […]

Posted in Open Source Security, Software Security Testing, Static Analysis (SAST)

Webinar: Managing open source in application security and the SDLC

Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, […]

Posted in Open Source Security, Software Development Life Cycle (SDLC), Software Security Testing

Heartbleed bug: How it works and how to avoid similar bugs in the future

The Heartbleed bug is a vulnerability in open source software that was first discovered in 2014. Anyone with an Internet connection can exploit this bug to read the memory of vulnerable systems, leaving no evidence of a compromised system. Heartbleed is an implementation bug (CVE-2014-0160) in the OpenSSL cryptographic library. OpenSSL is the most popular open source cryptographic […]

Posted in Open Source Security, Software Security Testing, Web Application Security

What is a bill of material?

Up to 90 percent of software today consists of third-party code. This includes proprietary code as well as Free and Open Source Software (FOSS). Even if the open source project is well maintained, the version of the code you adopt into your development lifecycle may not be up to date and may even contain known vulnerabilities. […]

Posted in Application Security, Open Source Security

1.4 billion Android devices vulnerable to hijack attacks

Roughly 80 percent of all Android devices contain a Linux vulnerability that affects unencrypted communications and allows attackers to hijack data. The vulnerability is in the design and implementation of RFC 5961, a relatively new Internet standard. Ironically, it’s intended to prevent certain classes of hacking attacks. The way it is written now, a blind […]

Posted in Mobile Application Security, Open Source Security