July 25, 2017

Announcing SourceClear x Atlassian JIRA Cloud Integration

Posted By: Paul Ambrosini

At SourceClear we believe that security should be integrated into the application development workflow and that it shouldn’t slow down developers. We are committed to making it easier for security teams to collaborate with developers and we are pleased to announce SourceClear’s new Atlassian JIRA Cloud integration.

July 13, 2017

New SVEs: Apache HttpClient, Undertow, Apache Hadoop Azure

Posted By: Vanessa Henderson, Jonathan Tan

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. In the last 2 weeks, the SourceClear R&D team released 36 vulnerabilities; 19 of these were SVEs. Let’s have a closer look into a few of these SVEs.

July 4, 2017

A Case for Software Security by Mark Curphey

Posted By: Mark Curphey

I have been trying and failing to write a new book about software security for the last five years. It is needed because the way we build software today has changed so dramatically that previous great texts like Building Secure Software are no longer relevant. In the wake of Heartbleed, WannaCry, and 0-Day there has been a shift in the market to demand software security. In this shift, the modern enterprise needs a strategy to manage the risks of open-source software without adding friction to the development process. In this e-book, I argue that security automation needs to be an integral part of the company strategy at the highest levels to avoid data breaches and attacks. As the CEO of a startup, things like customers and product always come first, and so without a clear path to completing the book and a fear of it rotting in my digital sock drawer, I thought it would be helpful to publish the introduction section, first written in late 2015, as its own e-book. Below are synopses.

June 29, 2017

New SVEs: Go - A Language with Many Unidentified Security Issues

Posted By: Vanessa Henderson, Jonathan Tan, Shaheen Ansari

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. Last week, the SourceClear R&D team released 36 vulnerabilities to the registry, of which a whopping 32 were SVEs (89%) and 6 were CVEs. Out of the 32 SVEs, 24 SVEs (75%) were Go vulnerabilities identified in libraries. While the Go scanning feature is currently in early access at SourceClear, users can still explore Go vulnerabilities through the Registry.
June 21, 2017

New SVEs: Vulnerabilities Never Die

Posted By: Shaheen Ansari, Jonathan Tan, Vanessa Henderson

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. Out of the 20 vulnerabilities we have released this week, 15 are SVEs (that’s a whopping 75%!). While we’re thrilled to find these vulnerabilities to add to our database, we have found that the same vulnerabilities make their way into developers’ code over and over. Vulnerabilities never appear just once or twice and then disappear; they appear month after month as they are discovered in new packages. Today we will look at two of these repeat attacks, found in popular, actively maintained code bases. Without further ado, let’s have a look at directory traversal attacks and downloading sources over insecure protocols.

June 15, 2017

Towards a better risk score for open source security

Posted By: Yaqin Zhou and Asankhaya Sharma

You already know that SourceClear provides robust vulnerability detection to protect your code and your customers. However, when you’re overseeing multiple projects, it can be a challenge to know where to prioritize your resources. Even if you have just one project, you may want to know how that project stacks up against similar projects by other developers. That’s where our new project risk score comes in.

Our scoring mechanism calculates a score between 0 and 100 for every project based on the number of high, medium, and low risk vulnerabilities in that project. It indicates how risky the project is compared to all the other scanned projects in the SourceClear platform. You can see this project score on each Project Details page. Knowing this risk score for your projects helps you decide which projects to focus efforts on first.

This blog post describes how the distribution of vulnerabilities in open source is used as a basis to compute the score.

May 29, 2017

New SVEs: Watch out for Vulnerabilities in AngularJS, Apache Atlas, and Apache Hive

Posted By: Ang Ming Yi & Asankhaya Sharma

Last week, we introduced a blog series highlighting new SVEs we discover on a weekly basis. In the second post of the series, we highlight three vulnerabilities that were undiscovered until recently, including two reserved CVEs and one SVE (not yet publicly known at the time of writing). In the month of May, 216 (62.7%) of the SourceClear Vulnerabilities and Exposures (SVEs) were added to the SourceClear Registry. These vulnerabilities often go unreported, and are obscured by several other feature updates. In this blog post, we will cover SVEs across popular frameworks and libraries such as AngularJS, Apache Hive, and Apache Atlas.

May 25, 2017

Un-patched for months, could Cisco 0-day lead to another round of WannaCry?

Posted By: Ming Yi Ang & Asankhaya Sharma

For the last few weeks, we all got our ears torn out by story after story of WannaCry this, WannaCry that; we even wrote a post about how WannaCry-like ransomware can attack enterprise applications. Yet, not long ago, there was a similar exploit - Cisco 0-Day, CVE-2017-3881 - whose impact could have caused a similar outcry had it been more successful. We highlight the initial similarities between Cisco 0-Day and EternalBlue - the exploit that fueled WannaCry - but note the differences that altered their eventual impact and scale. We reiterate that both could have been avoided with some simple remediation steps.
