SAST in Secure SDLC: 3 Reasons to Integrate It in a DevSecOps Pipeline

Vulnerabilities produce enormous reputational and financial risks. As a result, many companies are investing in security and want to build a secure software development life cycle (SSDLC). So, today we're going to discuss SAST — one of the SSDLC components.

SAST (static application security testing) searches for security defects in application source code. SAST examines the code for potential vulnerabilities — possible SQL injections, XSS, SSRF, data encryption issues, etc. These vulnerabilities are included in OWASP Top 10, CWE Top 25, and other lists.

C# Applications Vulnerability Cheatsheet

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Thankfully, most real-life vulnerabilities share the same root causes. And by studying these common vulnerability types, why they happen, and how to spot them, you can learn to prevent them and secure your application.

Angular + React: Vulnerability Cheatsheet

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Thankfully, most real-life vulnerabilities share the same root causes. By studying these common vulnerability types, why they happen, and how to spot them, you can learn to prevent them and secure your application.

Go Application Vulnerability Cheatsheet

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Thankfully, most real-life vulnerabilities share the same root causes. And by studying these common vulnerability types, why they happen, and how to spot them, you can learn to prevent them and secure your application.

Why Do We Encourage Poor Coding Patterns?

For what feels like an eternity at this point, we’ve discussed “shifting left” in the SDLC, taking into account security best practices from the start of software development. DevSecOps was a great leap forward, in no small part because of the emphasis on shared responsibility for security, and the power of a security-aware developer to thwart common vulnerabilities as they write code. 

We have also known — again, for eons — that the type of secure code training chosen to engage and upskill developers makes all the difference. Low-effort solutions motivated solely by regulatory compliance do not build up the bright security minds of the future, and most security awareness professionals have worked that out. Dynamic, contextually relevant learning is best, but it’s critical that the nuances within are understood. 

Win Your War Against Hackers and Secure Your Network

"Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management." - Kevin Mitnick (American Businessman)

Work culture has changed a lot recently. The ability to work from anywhere and at any time has become comfortable for employees, which in turn has opened up new opportunities for hackers too. These days, sites are being bombarded with attacks from hacker groups who later claim responsibility for the incident and make demands. There are a few pain points where hackers start their games.

Let's look into those vulnerable spots one by one.

Checklist for Thinking About Cybersecurity in Connected Vehicles

A comprehensive approach to security is essential for the protection of connected vehicle systems. This article presents a set of security recommendations based on analyzing security risks for each step in developing and deploying AI and other connectivity systems in autonomous vehicles.

The recommendations are intended to be used as a roadmap by vehicle manufacturers, system integrators, suppliers, and other stakeholders to ensure that an end-to-end approach to security is applied throughout the lifecycle of AI components.

How to Manage Vulnerabilities on Your Home Network


Many people erroneously assume that their home networks are too small to be targeted by cyberattackers and that cybersecurity is only meant for enterprises. Nothing could be more wrong. If the past few years have taught us anything about cybersecurity, it is that nothing is too small to be exploited, not even the smallest IoT device. Therefore, people need to be more serious about managing vulnerabilities on their home networks beyond basic passwords. Now that many people are working from home, home security is more important than ever.

New Analysis Reveals Etherpad 1.8.13 Code Execution Vulnerabilities

Etherpad is one of the most popular online text editors that allows collaborating on documents in real-time. It is customizable with more than 250 plugins available and features a version history as well as chat functionality. There are thousands of instances deployed worldwide with millions of users. The project is very popular within the open-source community as shown by the over 10,000 stars on GitHub. Etherpad instances are often publicly usable and can contain sensitive information.

As part of SonarSource's security research on open source projects, we analyzed Etherpad's code and found 2 critical vulnerabilities. Both can be combined by an attacker to completely take over an Etherpad instance and its data. In this blog post, we cover the technical details of these code vulnerabilities, show how they were patched, and give advice on how to avoid these types of bugs during development.

The Lifeline of a Vulnerability

From the Moment a Vulnerability Is Created Until It Is Found

Again and again, we read something in the IT news about security gaps that have been found. The more severe the classification of such a loophole, the more attention the news will get in the general press. Most of the time, you don't even hear or read anything about the many security holes found that are not as well known as the SolarWinds hack, for example. But what is the typical lifeline of such a security gap?

Let's start with the birth of a vulnerability. This birth can happen in two differently motivated ways. On the one hand, any developer can create a security hole by an unfortunate combination of source code pieces. On the other hand, it can also be the result of targeted manipulation. However, the origin has essentially no effect on the further course of the lifeline of a security vulnerability. In the following, we assume that a security hole has been created and that it is now active in some software. This software can be an executable program or a library that is integrated into other software projects as a dependency.

11 Popular Penetration Testing Tools

Have you been searching for a penetration testing tool that would best serve your security testing requirements for web applications and networks? Do you want to compare and analyze different penetration testing tools and decide on which one(s) would be best suited for your enterprise? Or are you simply curious to know which tools are out there and what their features are?

If yes, then this blog has you covered.

Using Machine Learning for Static Analysis

In some ways, machine learning and AI systems are becoming a victim of their own success. While they are genuinely useful in many fields, particularly when it comes to marketing analysis and for cybersecurity, their utility in these fields means that some people have tried to use them for everything. That includes using machine learning systems to create static code analyzers for locating security vulnerabilities.

Some of these attempts have met with a modicum of success: Facebook, Amazon, and Mozilla all now offer some form of ML-driven static code analyzers. However, and as anyone who understands the fundamentals of machine learning will appreciate, these approaches also come with some inherent limitations. 

What To Look For In Your Next SIEM Provider

Security information and event management (SIEM) software is a security information system that analyzes security alerts and data generated by devices on a network in real time. It acts as a platform that efficiently collects and stores security data at a central point and then converts it into actionable intelligence. SIEM tooling has become highly relevant, especially when you have to deal with a data or security breach and need to know how and what happened in such a cybersecurity incident.

A SIEM tool can oversee this type of incident and improve the management of it by:

Analyzing Matio and STB_VORBIS Libraries With Mayhem

Let's go bug hunting

At ForAllSecure, our mission is to help developers find critical bugs in their software faster and more easily than standard development practices and tools allow. To facilitate this mission, we have looked to the open source world for exemplar software we can analyze with our fuzzer, Mayhem, in order to get a stronger sense of its effectiveness and ease of integration into existing projects.

This process has proven invaluable for ForAllSecure, providing hands-on experience in ingesting additional real-world software that targets a variety of environments and build systems, and ensuring that the process is as streamlined as possible for new adopters.

5 Reasons You Need Composition Analysis, Especially for OSS

In this post, you will learn about software composition analysis (SCA). You will find out what software composition analysis is, why it is relevant, and five reasons you should use an SCA tool.

What Is Software Composition Analysis?

Software Composition Analysis (SCA) is an automated way to get visibility into all the components of an application. An SCA tool scans the source code of an application to provide an inventory of all its third-party, internal, and open source components, including libraries, operating systems, and frameworks.