May 17, 2017

Join Us - Security Research Director Opportunity

Posted By: Mark Curphey

As a company we are placing a “big bet” on building and maintaining the world’s biggest and best knowledge base of security issues in open-source code. Our vision goes well beyond the old-school thinking of being the best at cataloging public vulnerabilities. We are building technology, infrastructure and a domain-specific language called the Security Graph Language (SGL) to expose a range of security issues at scale, applying cutting-edge data-science and machine-learning techniques.

May 15, 2017

When Will WannaCry Style Ransomware Hit Enterprise Java Web Apps?

Posted By: Asankhaya Sharma, Mark Curphey

April 20, 2017

Cutting down on false positives with vulnerable methods for Ruby

Posted By: Pritesh Mehta & Asankhaya Sharma

April 17, 2017

Why Continuous Security is the Next Application Security Movement

Posted By: Mark Curphey

Today we launched a new company web site and have changed the way we talk about what we do. This is important because we believe that application security is in the midst of a transformational change. The old model of security was slow, contentious and typically applied as a series of quick fixes at the end of a development cycle or even after shipping. Even in the past this approach was more a necessary means to an end than the ideal. In today’s world of DevOps and Continuous Delivery it is just plain obsolete.

April 17, 2017

SourceClear scanning now supports SBT, CocoaPods and Yarn projects

Posted By: Hendy Chua & Pritesh Mehta

Today we released a new agent that supports scanning SBT, CocoaPods and Yarn projects, adding to the list of build systems and package managers that we already support. To get this feature users can simply update their agents (i.e. brew upgrade srcclr).

March 20, 2017

Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think

Posted By: Ang Ming Yi and Mark Curphey

Four weeks ago, we blogged about the issue with Rails’ built-in anti-CSRF mechanism, protect_from_forgery, where we calculated that over 50,000 Ruby developers were impacted by Cross-site Request Forgery (CSRF) attacks.

March 6, 2017

Monocultures and security - Stormy times ahead

Posted By: Mark Curphey

In the 1990s we saw viruses and worms proliferate across the Windows platform until the problem became so bad that Bill Gates had to stop shipping and fundamentally change the way Microsoft built software.

February 22, 2017

Over 50,000 Ruby developers impacted by CSRF attacks

Posted By: Ang Ming Yi, Darius Foo, Jason Yeo

There’s been some buzz recently about protect_from_forgery, Rails’ built-in anti-CSRF mechanism, and how it’s not secure by default. Having found, evaluated, disclosed, and tried to fix issues with it in the past, we decided to perform a thorough evaluation of how severe the problem was.

January 30, 2017

Authentication Updates

Posted By: Alex Ethier

We’re pleased to announce the release of two important authentication features

January 16, 2017

Millions of program builds vulnerable to Man-in-the-Middle attacks

Posted By: Ming

According to a blog post on 18f, it is standard for all federal websites and web services to be served only over secure connections (HTTPS). Yet in its recent study, about 6.1% of the domains do not have HTTPS enabled. Package managers have, in the past, deprecated certain commands/features that default to HTTP. RubyGems has deprecated source :rubygems in Gemfile because of the insecurity of HTTP, and recommends the explicit use of HTTPS.

In this post, we will highlight the issues of insecure network connection(s) made by open-source libraries during build time. Also, we introduce an open-source monitoring tool, Build Inspector, that can be used to detect insecure network traffic made during the build process. Finally, we analyze the number of affected builds from a sample pool of open-source repositories.