June 21, 2017

New SVEs: Vulnerabilities Never Die

Posted By: Shaheen Ansari, Jonathan Tan, Vanessa Henderson

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. Out of the 20 vulnerabilities we have released this week, 15 are SVEs (that’s a whopping 75%!). While we’re thrilled to find these vulnerabilities to add to our database, we have found that the same classes of vulnerability make their way into developers’ code over and over. Vulnerabilities never appear just once or twice and then disappear; they show up month after month as they are discovered in new packages. Today we will look at two of these repeat offenders, found in popular, actively maintained code bases. Without further ado, let’s have a look at directory traversal attacks and downloading sources over insecure protocols.
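As an added illustration of the directory traversal class mentioned above (example code written for this page, not taken from the post or from any of the affected packages), the following shows the unchecked path join that causes the bug beside a confined version. The document root `/srv/app/files`, `vulnerable_resolve` and `safe_resolve` are hypothetical names chosen here; the check only needs path semantics, so the directory does not have to exist.

```python
import os

BASE_DIR = "/srv/app/files"   # hypothetical document root; need not exist for the check


def vulnerable_resolve(base_dir, requested):
    """'Before' form: joins the client-supplied path unchecked, so '../' walks out of base_dir."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Canonicalise the join and confine it to base_dir; return None if the result escapes."""
    if "\x00" in requested:          # a NUL byte would truncate the path in C-level file APIs
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base_dir when 'requested' is absolute, so treat it as relative.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # Compare whole path components, not a string prefix: '/srv/app/files2' must not
    # pass for base '/srv/app/files'. realpath also collapses symlinks before the check.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("reports/2017/q2.pdf", "../../etc/passwd", "/etc/passwd", "reports/../../files2/secret"):
        print(repr(req), "->", vulnerable_resolve(BASE_DIR, req), "| safe:", safe_resolve(BASE_DIR, req))
```

The three things that routinely go wrong in real fixes are visible here: normalising without re-checking (the vulnerable form), testing the result with a string prefix instead of path components (the `files2` case), and forgetting that an absolute client path makes `os.path.join` drop the base entirely.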

June 15, 2017
Towards a better risk score for open source security

Posted By: Yaqin Zhou and Asankhaya Sharma

May 25, 2017

Un-patched for months, could Cisco 0-day lead to another round of WannaCry?

Posted By: Ming Yi Ang & Asankhaya Sharma

For the last few weeks we have been bombarded with story after story about WannaCry; we even wrote a post on how WannaCry-like ransomware could attack enterprise applications. Yet not long before, there was a similar vulnerability, the Cisco 0-day CVE-2017-3881, whose impact could have caused a similar outcry had its exploitation been more successful. We highlight the initial similarities between the Cisco 0-day and EternalBlue, the exploit that fueled WannaCry, and note the differences that altered their eventual impact and scale. We reiterate that both could have been avoided with some simple remediation steps.

May 22, 2017

Introducing New Vulnerabilities (SVE) Discoveries: Nokogiri Gem, Eclipse Jetty, and XSS in Semantic-UI

Posted By: Vanessa Henderson & Asankhaya Sharma

The National Vulnerability Database (NVD) and the CVE system that most companies rely on are notoriously inadequate for reporting and tracking vulnerabilities in open-source libraries. Most vulnerabilities in open-source code never see daylight as CVEs, and those that do are often exploited in the wild before being made public. Frustrated by this poor data, we have built the largest database of open-source libraries and vulnerabilities, called the Registry. We track commit messages, bug reports, mailing lists, security forums, websites, Twitter feeds, pastebins, etc. and feed them into our machine learning system to discover security issues that are missed by everyone else. In the early days, we called these wild vulnerabilities ‘Half-Days’; today, we call them SourceClear Vulnerabilities and Exposures (SVEs). To date, over 60% of the data in the Registry consists of SVEs, and typically 90% of the SVEs we add have no CVE at the time of entry. This month alone, we’ve added 204 SVEs.

That’s why we’re introducing a blog series focused on the new SVEs we discover each week, so you can keep up to date on the latest vulnerabilities lurking in your applications. Eventually, you’ll be able to subscribe to an SVE-only mailing list and Slack channel. Stay tuned for these.

In this post, we’ll be introducing three new SVEs added within the last week: Nokogiri gem, Eclipse Jetty, and XSS in Semantic-UI.

May 17, 2017

Join Us - Security Research Director Opportunity

Posted By: Mark Curphey

As a company we are placing a “big bet” on building and maintaining the world’s biggest and best knowledge base of security issues in open-source code. Our vision goes way beyond the old-school thinking of being the best at cataloging public vulnerabilities. We are building technology, infrastructure and a domain-specific language called the Security Graph Language (SGL) to expose a range of security issues at scale, applying cutting-edge data-science and machine learning techniques.

May 15, 2017

When Will WannaCry Style Ransomware Hit Enterprise Java Web Apps?

Posted By: Asankhaya Sharma, Mark Curphey

Unless you have been living under a rock, you have heard all about the WannaCry ransomware. At SourceClear, we believe this week’s attacks were a preview of what could happen when (not if) ransomware moves from small-value targets (consumer desktops) to large-value targets (enterprise web applications). It’s where the big money is. This blog post demonstrates the technical feasibility with a working sample for the latest version of the Java Spring Framework. It’s not any one framework that’s vulnerable but the open-source ecosystem as a whole; we also have working examples for Apache Struts, Node.js, Ruby and many others.

April 20, 2017

Cutting down on false positives with vulnerable methods for Ruby

Posted By: Pritesh Mehta & Asankhaya Sharma

Today we released vulnerable methods support for the Ruby language, adding to the existing support for Java and Python. Vulnerable methods analysis uses call-graph analysis to determine whether your project actually calls the vulnerable method, rather than merely depending on the affected library. To understand the impact that vulnerable method support can have, we analyzed the top 1,000 starred Ruby projects on GitHub and found that without vulnerable method detection, users would see a false-positive rate of more than 85%! With vulnerable methods detection, that false-positive rate decreases significantly. To get this feature, paid users can simply update their agents (i.e. brew upgrade srcclr) and free users can upgrade to a Pro trial.
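To show what separates a dependency-level hit from a vulnerable-method hit, here is an added, simplified reachability check written for this page (it is not SourceClear’s analysis, which works across a project’s whole dependency tree rather than a single file). It parses a constructed sample application, builds a static call graph with Python’s `ast` module, and searches from `main` for a flagged method. The library `vulnlib`, its method `render_unsafe` and both sample sources are hypothetical.

```python
import ast
from collections import defaultdict, deque

# Constructed sample application (not a real project). "vulnlib.render_unsafe" is a
# hypothetical library method standing in for one a vulnerability database has flagged.
APP_UNREACHABLE = '''
import yaml
import vulnlib

def load_config(path):
    with open(path) as f:
        return yaml.safe_load(f)

def render(template, ctx):
    return vulnlib.render_unsafe(template, ctx)   # defined, but never called from main

def main():
    return load_config("app.yml")
'''

# Same application, but now the flagged method lies on a call path from main().
APP_REACHABLE = APP_UNREACHABLE.replace(
    'return load_config("app.yml")',
    'return render("index.html", load_config("app.yml"))',
)

VULNERABLE_METHOD = "vulnlib.render_unsafe"


def imports_module(source, module):
    """Dependency-level check: does the file import the affected library at all?"""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import) and any(a.name == module for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module == module:
            return True
    return False


def qualified_name(node):
    """Dotted name of a call target (e.g. 'vulnlib.render_unsafe'), or None if it is dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def build_call_graph(source):
    """Map each function name to the set of callees it invokes (static, single file)."""
    graph = defaultdict(set)
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef):
            graph[fn.name]  # register the function even if it calls nothing
            for call in ast.walk(fn):
                if isinstance(call, ast.Call):
                    callee = qualified_name(call.func)
                    if callee:
                        graph[fn.name].add(callee)
    return dict(graph)


def find_call_path(graph, entry, target):
    """Breadth-first search from entry; return the call chain that reaches target, or None."""
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        for callee in sorted(graph.get(path[-1], ())):
            if callee == target:
                return path + [callee]
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


if __name__ == "__main__":
    for label, src in (("unreachable", APP_UNREACHABLE), ("reachable", APP_REACHABLE)):
        chain = find_call_path(build_call_graph(src), "main", VULNERABLE_METHOD)
        print(label, "| imports vulnlib:", imports_module(src, "vulnlib"), "| call path:", chain)
```

Both samples import the affected library, so a manifest-only scanner flags both; only the second has a path `main -> render -> vulnlib.render_unsafe`, which is the case a vulnerable-method scanner reports. The toy graph resolves names lexically, so calls made through reflection, `getattr`, or method objects passed as values are invisible to it; a production analysis also has to follow calls into the library’s own code, since the flagged method is often several frames below the API an application calls.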

April 17, 2017

Why Continuous Security is the Next Application Security Movement

Posted By: Mark Curphey

Today we launched a new company website and have changed the way we talk about what we do. This is important because we believe that application security is in the midst of a transformational change. The old model of security was slow, contentious and typically applied as a series of quick fixes at the end of a development cycle, or even after shipping. Even in the past this approach was more of a necessary means to an end than the ideal. In today’s world of DevOps and Continuous Delivery it is just plain obsolete.

April 17, 2017

SourceClear scanning now supports SBT, CocoaPods and Yarn projects

Posted By: Hendy Chua & Pritesh Mehta

Today we released a new agent that supports scanning SBT, CocoaPods and Yarn projects, adding to the list of build systems and package managers that we already support. To get this feature users can simply update their agents (i.e. brew upgrade srcclr).