The SourceClear Blog

Rails_admin Vulnerability Disclosure

Posted By: Jason Yeo
December 25, 2016

A few days ago, I found a CSRF vulnerability in rails_admin. rails_admin is a Ruby gem that generates administrative interfaces for your models automatically. Interestingly, this vulnerability is similar in nature to the one I found in administrate, a similar gem. Additionally, past Ruby gems affected in a similar fashion can be explored at this link.

The Ransomware in our Dependencies

Posted By: Darius Foo & Steve Ng
November 30, 2016

Ransomware is a growing, pernicious threat. Ransomware called ‘Locky’ was recently discovered spreading through Facebook Messenger, and just last weekend San Francisco’s light-rail system was compromised by ransomware. Today we’ll take an in-depth look at how ransomware can target developers, proliferating through library dependencies.

The biggest SourceClear release yet!

Posted By: Brian Doll
November 21, 2016

We’ve got a present for you this week. This is the biggest release of SourceClear since we launched, and we can’t wait for you to dive in. Thanks to everyone whose ideas and feedback have helped shape this release, and a special thank you to all of our beta testers who have shown us how crucial SourceClear is in helping teams build secure software.

Abusing npm libraries for data exfiltration

Posted By: Asankhaya Sharma
November 11, 2016

Package and dependency managers like npm allow command execution as part of the build process. Command execution provides an easy and convenient mechanism for developers to script tasks during the build. For instance, npm allows developers to use pre-install and post-install hooks to execute tasks. A pre-install hook can be used to compile some dependent native library before starting the build. A post-install hook can be used for clean up after the build.

Build Inspector - A forensic sandbox for Continuous Integration environments

Posted By: Brian Doll
November 10, 2016

Don’t trust user input. That’s a core security tenet for building secure software. In our web applications we sanitize text input to protect against XSS, and verify uploaded files are free of malware. But what happens when you take user-submitted software and execute whatever it tells you to do? That’s essentially what Continuous Integration environments are made for. If the tests say to count to 10, the system counts to 10. If it says to download software and start mining for Bitcoin, that’s exactly what it’ll do.

A deep dive into analyzing dynamic languages

Posted By: Darius Foo & Asankhaya Sharma
November 08, 2016

Analyzing programs written in dynamic languages presents some unique challenges. Here’s a bit of a deep dive into how we do it. First, what exactly is a dynamic language? For the purposes of this article, we will define a dynamic language as one where types are checked for safety only at runtime. Languages like Ruby, Python, and JavaScript follow this model, in contrast with static languages like Java and C#, where type safety is ensured at compile time.

A look at Vulnerabilities and Dependencies by Language

Posted By: Brian Wallace
October 25, 2016

As a Data Scientist at SourceClear I get to analyze lots of interesting vulnerability data as well as anonymized project data. New customers often ask us what “normal” looks like when it comes to vulnerabilities in their projects, so I thought I’d take a look and share a few insights.

Secure Continuous Delivery with SourceClear

Posted By: Brian Doll
October 12, 2016

Continuous Delivery is all about speed. Think fast, build fast, ship fast. But how do you ensure your software is safe when you’re so focused on speed?

SourceClear brings Secure Continuous Delivery to the Atlassian Stack

Posted By: Brian Doll
October 11, 2016

Today we’re thrilled to announce that SourceClear is bringing automated security analysis to millions of developers building software with the Atlassian Stack. Continuous Delivery, Secured.

Comparing vulnerable methods with static analysis

Posted By: Darius Foo & Asankhaya Sharma
October 03, 2016

In this blog post, we will talk a bit about traditional static analysis - what it is, what it’s used for, and where our vulnerable methods analysis fits in amongst the other kinds of static analysis.
