The Equifax Hack & the Apache Struts Vulnerability What all companies need to know and do to prevent them from becoming the next Equifax Read More»
September 21, 2017

The Seven Deadly Sins of Open-Source Libraries

Posted By: Mark Curphey

There are at least seven types of open-source library vulnerabilities that we should all be extremely concerned about. Before describing them it is worth reiterating that simply linking to a vulnerable library in your project doesn’t mean your application will have a vulnerability. That’s FUD. You will only have a vulnerability if you are using the vulnerable methods of the vulnerable library in a vulnerable manner. This is important. To know this for sure you need to look at the call-graph of your application and see if there is a call-chain to the vulnerable method in the dependency graph. Listing vulnerable libraries is easy but actually determining a vulnerability is hard.

Read More →
September 20, 2017
Analyzing Apache Struts Vulnerabilities Using SGL

Posted By: Darius Foo and Asankhaya Sharma

Read More →
September 14, 2017
Equifax - The morning after the night before

Posted By: Vanessa Henderson

Read More →
September 11, 2017

The Equifax Hack: What all companies need to know and do to prevent it from happening to them

Posted By: Mark Curphey

The Facts - On September 7th Equifax announced that hackers breached their systems. According to their information site the breach occurred in mid-May and became known to Equifax on July 29th. In the days following the announcement, Equifax’s stock fell over 13%, a congressional hearing was ordered and a class-action lawsuit formed for the people affected. Fortune describes the hack as “…the most economically damaging hack in U.S. history”. Read More →
September 11, 2017

After The Equifax Hack We Examined the Latest Apache Struts Code

Posted By: Mark Curphey

In light of the recent news that the Equifax hack was a result of an old version of Apache Struts being exploited, we analyzed the latest code from Apache Struts with SourceClear. The code we analyzed can be found at https://github.com/apache/struts. At the time of analysis the code was last updated on Sept 6th at 11:28 am in this commit, updating the pom.xml file to upgrade the Log4J library. Read More →
September 6, 2017

Announcing PHP Language Support

Posted By: Suchi Deshpande

We are proud to announce that we are adding language support for PHP. You can now scan your PHP projects and identify vulnerable libraries. We currently support the Composer package manager.

Read More →
August 31, 2017

Delving into the four recent RubyGems vulnerabilities

Posted By: Vanessa Henderson

A few days ago, a blog was released by RubyLang and RubyGems stating that they had fixed multiple vulnerabilities.

The four vulnerabilities that were found are described as follows:

1. a DNS request hijacking vulnerability
2. an ANSI escape sequence vulnerability
3. a denial of service vulnerability in the query command
4. an arbitrary file overwrite while installing a gem

Lets break these vulnerabilities down into attack types, potential impact and how they fixed the issue.

Read More →
August 29, 2017

SGL: Mapping the open-source genome for fun and profit

Posted By: Mark Curphey and Dr. Asankhaya Sharma

For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then reporting potential issues found to a central vulnerability database in the form of textual descriptions. If accepted (after some basic validation) the report is re-published to the world as a CVE. While the intent of discovering issues in an ad-hoc manner and maintaining a public database of vulnerabilities comes from a genuine and good place, it’s simply fraught with fundamental problems when dealing with open-source code, including a lack of precision and accuracy of the findings, the inability to understand dynamic global dependency relationships and the inability to surface related vulnerabilities in other pieces of code. Read More →
August 29, 2017

Announcing Go Language Support

Posted By: Paul Ambrosini

At the time Golang (Go) was released in 2009 only a handful of developers were using it to build applications. It has been gaining momentum ever since. Today, startups and large enterprises alike depend on Go. Many of today’s most popular developer tools are written in Go, such as Docker and Kubernetes.

We are proud to announce that we are extending language support to Go. Now you can scan your Go projects and identify vulnerabilities. We currently support the following package managers: Glide, Trash, Govendor, Godep, and go get.

Read More →
August 23, 2017

SourceClear Announces First of its Kind Domain-Specific Language to Identify Open-Source Vulnerabilities

Posted By: SourceClear

New Security Graph Language empowers security researchers and the next generation of code analysis tools to uncover security issues in open-source code in real-time.

Read More →

Ready To Start with SourceClear?

Schedule a Demo

Get Email Alerts