Developer-First Security, Shifting Security Left With A Plan

The best way to solve the software security problem is by shifting security left, right at the software creation phase. Solving the problem after the software is written and deployed is like testing and fixing cars after they have left the manufacturing facility. Fortunately, the industry has already realized this and started integrating security controls […]

Why Classic (Gen 1) Static Analysis Security Tools Do Not Work Today

Why Generation 1 Security Tools Do Not Work Today

The truth is that there is no lack of security tools on the market; the list of static code analysis tools on Wikipedia contains several dozen entries. However, according to a survey done by GitLab in 2019, 70% of developers don't believe that they […]

Insecure Deserialization Primer for Java Developers

Serialization is the process of converting an object within a computer program into a form suitable for permanent storage, a byte stream, or transmission over the network. Deserialization is the opposite of serialization: transforming the serialized data from storage or the network back into a program object. Exploiting insecure deserialization means abusing data from a […]

Reducing the Risk: A Software Engineering Problem

The best way to solve the software security problem is when and where it starts: right at software creation, or as close to the beginning as possible. Solving the problem after the software is written, tested and deployed is like testing and fixing cars after they have left the manufacturing facility. Fortunately, the industry […]

Padding Oracle Primer for Java Developers

The Padding Oracle attack is associated with modern symmetric (single key to encrypt and decrypt) cryptographic systems that use a block cipher. Block ciphers encrypt fixed-length groups of bits called blocks. To enhance security, block ciphers have modes of operation that support repeated application of the cipher across several blocks. Since the original plaintext is never […]

JSP XSLT Primer for Java Developers

Extensible Stylesheet Language Transformations (XSLT) is a transformation language that ingests an XML document and transforms it into another XML document. If an attacker can control the content of the style sheet, they could potentially trigger remote code execution (RCE) or server-side path traversal.

Fixes for JSP XSLT

Take for example […]

JSP JSTL Out Primer for Java Developers

Java Server Pages (JSP) can define tags through the Standard Tag Library (JSTL). One of the tag attributes, escapeXml, can be disabled, which is potentially dangerous with respect to cross-site scripting attacks. With escapeXml disabled, an attacker can manipulate an XML document that is reflected in the client browser and inject HTML and/or […]

JSP Spring Eval Primer for Java Developers

Spring can specify functionality within a Java Server Page (JSP) by injecting into the eval tag an expression to be evaluated at render time. If the expression can be wholly or partially controlled by user input, an attacker could inject dynamic values that cause code to be executed when the page is rendered on the server. […]

Insecure Data Storage Primer for Java Developers

Insecure data storage is when files can be identified that contain plain-text or encoded credentials. These credentials include usernames, passwords, private encryption keys, and other potentially sensitive data that can be leveraged to obtain unauthorized application access. Depending on the nature of the embedded data, these secrets can be used to obtain access to […]

Insecure Crypto Primer for Java Developers

Insecure Cryptography is a general vulnerability in which the encryption algorithm chosen for use cases such as authentication, integrity checks, or signature verification is weak and susceptible to attacks. Typical attacks exploit the algorithm's collision characteristics, i.e. the ability of the attacker to control or predict what the algorithm produces for two different inputs. If an attacker […]