Posted By: Vanessa Henderson, Jonathan Tan
Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. In the last 2 weeks, the SourceClear R&D team released 11 vulnerabilities, 2 of these were SVEs. Let’s have a closer look into a few of these SVEs.
Posted By: Geller Bedoya
Posted By: Mark Curphey
I have been trying and failing to write a new book about software security for the last five years. It is needed because the way we build software today has changed so dramatically that previous great texts like Building Secure Software are no longer relevant. In the wake of Heartbleed, WannaCry, and 0-Day there has been a shift in the market to demand software security. In this shift, the modern enterprise needs a strategy to manage the risks of open-source software without adding friction to the development process. In this e-book, I argue that security automation needs to be an integral part of the company strategy at the highest levels to avoid data breaches and attacks. As the CEO of a startup, things like customers and product always come first, and so, without a clear path to completing the book and with a fear of it rotting in my digital sock drawer, I thought it would be helpful to publish the introduction section, first written in late 2015, as its own e-book. Below are synopses.
Posted By: Vanessa Henderson, Jonathan Tan, Shaheen Ansari
Posted By: Shaheen Ansari, Jonathan Tan, Vanessa Henderson
Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. Out of the 20 vulnerabilities we have released this week, 15 are SVEs (that’s a whopping 75%!). While we’re thrilled to find these vulnerabilities to add to our database, we have found that the same vulnerabilities make their way into developers’ code over and over. Vulnerabilities never appear just once or twice and then disappear; they appear month after month as they are discovered in new packages. Today we will look at two of these repeat vulnerability classes, found in popular, actively maintained code bases. Without further ado, let’s have a look at directory traversal attacks and downloading sources over insecure protocols.
Posted By: Yaqin Zhou and Asankhaya Sharma
You already know that SourceClear provides robust vulnerability detection to protect your code and your customers. However, when you’re overseeing multiple projects, it can be a challenge to know where to prioritize your resources. Even if you have just one project, you may want to know how that project stacks up against similar projects by other developers. That’s where our new project risk score comes in.
Our scoring mechanism calculates a score between 0 and 100 for every project based on the number of high, medium, and low risk vulnerabilities in that project. It indicates how risky the project is compared to all the other scanned projects in the SourceClear platform. You can see this project score on each Project Details page. Knowing this risk score for your projects helps you decide which projects to focus efforts on first.
This blog post describes how the distribution of vulnerabilities in open source is used as a basis to compute the score.
Posted By: Ang Ming Yi & Asankhaya Sharma
Last week, we introduced a blog series highlighting new SVEs we discover on a weekly basis. In the second post of the series, we highlight three vulnerabilities that were undiscovered until recently, including two reserved CVEs and one SVE (not yet publicly known at the time of writing). In the month of May, 216 of the vulnerabilities added to the SourceClear Registry (62.7%) were SourceClear Vulnerabilities and Exposures (SVEs). These vulnerabilities often go unreported, and are obscured by several other feature updates. In this blog post, we will cover SVEs across popular frameworks and libraries such as AngularJS, Apache Hive, and Apache Atlas.
Posted By: Ming Yi Ang & Asankhaya Sharma
For the last few weeks, we all got our ears torn out by story after story of WannaCry this, WannaCry that; we even wrote a post about how WannaCry-like ransomware can attack enterprise applications. Yet, not long ago, there was a similar exploit, Cisco 0-Day (CVE-2017-3881), whose impact could have caused a similar outcry had it been more successful. We highlight the initial similarities between Cisco 0-Day and EternalBlue, the exploit that fueled WannaCry, but note the differences that altered their eventual impact and scale. We reiterate that both could have been avoided with some simple remediation steps.
Posted By: Vanessa Henderson & Asankhaya Sharma
The National Vulnerability Database (NVD) and the CVE system that most companies rely on are notoriously inadequate for reporting and tracking vulnerabilities in open-source libraries. Most vulnerabilities in open-source code never see daylight as CVEs, and those that do are often exploited in the wild before being made public. Frustrated by this poor data, we have built the largest database of open-source libraries and vulnerabilities, called the Registry. We track commit messages, bug reports, mailing lists, security forums, websites, Twitter feeds, pastebins, etc., and feed them into our machine learning system to discover security issues that are missed by everyone else. In the early days, we called these wild vulnerabilities ‘Half-Days’; today, we call them SourceClear Vulnerabilities and Exposures (SVEs). To date, over 60% of the data in the Registry consists of SVEs, and typically 90% of the SVEs we add have no CVE at the time of entry. This month alone, we’ve added 204 SVEs.
That’s why we’re introducing a blog series focused on new SVEs we discover on a weekly basis, so you can keep up to date on the latest and greatest vulnerabilities lurking in your applications. Eventually, you’ll be able to subscribe to an SVE only mailing list and Slack channel. Stay tuned for these.
In this post, we’ll be introducing three new SVEs added within the last week: Nokogiri gem, Eclipse Jetty, and XSS in Semantic-UI.