For years, free and open source software (FOSS) has a had a negative connotation, with some developers forbidden to use it in final software product releases. The obvious downside in avoiding open source is that organizations run the additional risk of introducing avoidable vulnerabilities. For example, an organization with no cryptographic experience should not be […]
Continue Reading...
Posted in Open Source Security, Software Composition Analysis | No Comments »
In a new report, Synopsys identifies that 50% of the vulnerabilities found in software today are more than four years old. In almost every case, a newer, more secure version of the vulnerable software component is available. The Synopsys report, The State of Software Composition 2017 uses the Synopsys Software Composition Analysis tool, Protecode SC, […]
Continue Reading...
Posted in Application Security, Open Source Security | Comments Off on Synopsys report finds old, vulnerable software components still in use
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report: The State of Software Composition 2017. You can always join the discussion by sending us […]
Continue Reading...
Posted in Application Security, Open Source Security, Software Composition Analysis, Vulnerability Assessment | Comments Off on Fault Injection Podcast .002: What’s in your software?
Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDB, ExpressJS (Core), ExpressJS (Sessions and CSRF), and AngularJS. Development mode (NodeJS/ExpressJS) By default, Express applications run in development mode unless the NODE_ENV environmental variable is set to another value. In development mode, Express […]
Continue Reading...
Posted in Open Source Security, Vulnerability Assessment, Web Application Security | Comments Off on NodeJS: Preventing common vulnerabilities in the MEAN stack
Before diving into the latest post within our discussion on vulnerabilities in the MEAN stack, look back at the first two posts discussing MongoDB and ExpressJS (Part 1). Client-side session storage (ExpressJS) With MEAN stack applications, it is fairly common to store the session state client-side in either a JSON Web Token (JWT) or custom cookie object […]
Continue Reading...
Posted in Open Source Security, Web Application Security | Comments Off on ExpressJS: Preventing common vulnerabilities in the MEAN stack (Part 2)
Before jumping into the Express framework, get up to speed with Part 1 of this series which explores MongoDB. Stack precedence (ExpressJS) The Express framework allows developers to easily add multiple middleware plugins globally to all routes via app.use(). However, middleware order is important because it will only be applied to routes defined further down the […]
Continue Reading...
Posted in Open Source Security, Web Application Security | Comments Off on ExpressJS: Preventing common vulnerabilities in the MEAN stack (Part 1)
MEAN stack applications (MongoDB, ExpressJS, AngularJS, and NodeJS) are becoming increasingly popular as lightweight, easily deployable frameworks due to a vast ecosystem of middleware plugins and dependencies. But just how secure are these technologies? Let’s examine some common vulnerabilities that are introduced either by using these components in their default configurations or due to common […]
Continue Reading...
Posted in Open Source Security, Web Application Security | Comments Off on MongoDB: Preventing common vulnerabilities in the MEAN stack
It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability. Rather than focusing on how to exploit it here, we will ensure that you are […]
Continue Reading...
Posted in Application Security, Open Source Security, Vulnerability Assessment, Web Application Security | Comments Off on New Apache Struts 2 zero-day vulnerability: What you need to know
Originally posted on SecurityWeek Doing business is a highly interactive endeavor and software is increasingly at the heart of those interactions. Agility becomes a key component of staying competitive, so organizations are seeking allies to help them obtain the software they need to stay in the race. Notice I said “obtain” rather than “build” or […]
Continue Reading...
Posted in Open Source Security, Software Security Testing, Vendor Risk Management | Comments Off on If you’re only as strong as your allies, should you trust third-party code?
“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” – Abraham Maslow When it comes to commercial and open source tools (i.e., paid and free software) the debate as to which category of software is better continues, leaving egos, careers, and […]
Continue Reading...
Posted in Open Source Security, Software Security Testing, Static Analysis (SAST) | Comments Off on How to choose between closed source and open source software