May 22, 2017

Introducing New Vulnerabilities (SVE) Discoveries: Nokogiri Gem, Eclipse Jetty, and XSS in Semantic-UI

Posted By: Vanessa Henderson & Asankhaya Sharma

The National Vulnerability Database (NVD) and the CVE system that most companies rely on are notoriously inadequate for reporting and tracking vulnerabilities in open-source libraries. Most vulnerabilities in open-source code never see daylight as CVEs, and those that do are often exploited in the wild before being made public. Frustrated by this poor data, we have built the largest database of open-source libraries and vulnerabilities, called the Registry. We track commit messages, bug reports, mailing lists, security forums, websites, Twitter feeds, pastebins, etc. and feed them into our machine learning system to discover security issues that are missed by everyone else. In the early days, we called these wild vulnerabilities ‘Half-Days’; today, we call them SourceClear Vulnerabilities and Exposures (SVEs). To date, over 60% of the data in the Registry consists of SVEs, and typically 90% of the SVEs we add have no CVE at the time of entry. This month alone, we’ve added 204 SVEs.

That’s why we’re introducing a blog series focused on new SVEs we discover on a weekly basis, so you can keep up to date on the latest vulnerabilities lurking in your applications. Eventually, you’ll be able to subscribe to an SVE-only mailing list and Slack channel. Stay tuned for these.

In this post, we’ll be introducing three new SVEs added within the last week: Nokogiri gem, Eclipse Jetty, and XSS in Semantic-UI.

May 17, 2017

Join Us - Security Research Director Opportunity

Posted By: Mark Curphey

May 15, 2017

When Will WannaCry Style Ransomware Hit Enterprise Java Web Apps?

Posted By: Asankhaya Sharma, Mark Curphey

April 20, 2017

Cutting down on false positives with vulnerable methods for Ruby

Posted By: Pritesh Mehta & Asankhaya Sharma

Today we released vulnerable methods support for the Ruby language, adding to the existing support for Java and Python. Vulnerable methods analysis uses call-graph analysis to trace whether your project actually reaches the vulnerable method in a library, rather than flagging every project that merely depends on a vulnerable version. To understand the impact that vulnerable method support can have, we analyzed the top 1,000 starred Ruby projects on GitHub, and discovered that without vulnerable method detection, users would see a false-positive rate of more than 85%! With vulnerable methods detection, these false-positive rates decrease significantly. To get this feature, paid users can simply update their agents (i.e. brew upgrade srcclr) and free users can upgrade to a Pro trial.

April 17, 2017

Why Continuous Security is the Next Application Security Movement

Posted By: Mark Curphey

Today we launched a new company web site and have changed the way we talk about what we do. This is important because we believe that application security is in the midst of a transformational change. The old model of security was slow, contentious and typically applied as a series of quick fixes at the end of a development cycle or even after shipping. Even in the past this approach was more of a necessary means to an end rather than the ideal. In today’s world of DevOps and Continuous Delivery it is just plain obsolete.

April 17, 2017

SourceClear scanning now supports SBT, CocoaPods and Yarn projects

Posted By: Hendy Chua & Pritesh Mehta

Today we released a new agent that supports scanning SBT, CocoaPods and Yarn projects, adding to the list of build systems and package managers that we already support. To get this feature users can simply update their agents (i.e. brew upgrade srcclr).

March 20, 2017

Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think

Posted By: Ang Ming Yi and Mark Curphey

Four weeks ago, we blogged about the issue with Rails’ built-in anti-CSRF mechanism, protect_from_forgery, where we calculated that over 50,000 Ruby developers were impacted by Cross-site Request Forgery (CSRF) attacks.

March 6, 2017

Monocultures and security - Stormy times ahead

Posted By: Mark Curphey

In the 1990s we saw viruses and worms proliferate across the Windows platform until the problem became so bad that Bill Gates had to stop shipping and fundamentally change the way Microsoft built software.

February 22, 2017

Over 50,000 Ruby developers impacted by CSRF attacks

Posted By: Ang Ming Yi, Darius Foo, Jason Yeo

There’s been some buzz recently about protect_from_forgery, Rails’ built-in anti-CSRF mechanism, and how it’s not secure by default. Having found, evaluated, disclosed, and tried to fix issues with it in the past, we decided to perform a thorough evaluation of how severe the problem was.
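The point behind both this post and the March 20 follow-up on Rails gems is that protect_from_forgery, called without a :with option, falls back to the :null_session strategy: a request with a missing or wrong token is not rejected, it merely runs with an empty session. That only protects actions that identify the user through the session. The toy model below is an added example written for this page, not Rails’ or SourceClear’s own code; the Request struct, the transfer_with_* actions, the token value and the strategy-switch are simplifications of what ActionController::RequestForgeryProtection does, and the sample request is constructed.

```ruby
# Added example (not Rails' or SourceClear's code): a toy model of the three
# protect_from_forgery strategies, showing why the implicit default,
# :null_session, is weaker than :exception. Everything below is an assumed,
# simplified version of Rails' behaviour; the real check lives in
# ActionController::RequestForgeryProtection.

class InvalidAuthenticityToken < StandardError; end

# The browser sends cookies (including the session cookie) automatically on a
# cross-site form post, so a forged request carries the victim's session and
# cookies but not the per-session CSRF token.
Request = Struct.new(:session, :cookies, :authenticity_token, keyword_init: true)

# Constant-time comparison so the check does not leak the token byte by byte.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Apply one strategy to a request and return the request the action will see.
def verify_csrf(req, strategy)
  return req if secure_compare(req.session[:_csrf_token], req.authenticity_token)

  case strategy
  when :exception      # protect_from_forgery with: :exception
    raise InvalidAuthenticityToken
  when :null_session   # protect_from_forgery (no :with option)
    Request.new(session: {}, cookies: req.cookies, authenticity_token: req.authenticity_token)
  when :reset_session  # protect_from_forgery with: :reset_session
    req.session.clear
    req
  else
    raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# Two versions of the same state-changing action (hypothetical names). The
# first identifies the user from the session, the second from a plain cookie,
# as some auth gems and hand-rolled "remember me" schemes do.
def transfer_with_session_auth(req)
  req.session[:user_id] ? :transferred : :rejected
end

def transfer_with_cookie_auth(req)
  req.cookies[:user_id] ? :transferred : :rejected
end

# Run the CSRF check, then the action; :exception surfaces as a rejection.
def handle(req, strategy, action)
  send(action, verify_csrf(req, strategy))
rescue InvalidAuthenticityToken
  :rejected
end

# Constructed sample: the victim is logged in (session and cookie both carry
# user_id), and an attacker's page posts the form without the token.
def forged_request
  Request.new(session: { _csrf_token: 'tok-8f2a', user_id: 42 },
              cookies: { user_id: 42 },
              authenticity_token: nil)
end

if __FILE__ == $PROGRAM_NAME
  %i[null_session exception].each do |strategy|
    %i[transfer_with_session_auth transfer_with_cookie_auth].each do |action|
      result = handle(forged_request, strategy, action)
      puts "#{strategy.to_s.ljust(13)} #{action.to_s.ljust(28)} -> #{result}"
    end
  end
end
```

Running it shows the asymmetry: under :null_session the forged request is rejected by the session-authenticated action but still goes through the cookie-authenticated one, while :exception rejects both. That is why an application or gem that authenticates outside the session must opt in to `with: :exception` rather than rely on the bare call.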

January 30, 2017

Authentication Updates

Posted By: Alex Ethier

We’re pleased to announce the release of two important authentication features