June 29, 2017

New SVEs: Go - A Language with Many Unidentified Security Issues

Posted By: Vanessa Henderson, Jonathan Tan, Shaheen Ansari

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. Last week, the SourceClear R&D team released 36 vulnerabilities to the Registry, of which a whopping 32 were SVEs (89%) and 6 were CVEs. Of the 32 SVEs, 24 (75%) were Go vulnerabilities identified in libraries. While the Go scanning feature is still in early access at SourceClear, users can already explore Go vulnerabilities through the Registry.

Read More →
June 21, 2017

New SVEs: Vulnerabilities Never Die

Posted By: Shaheen Ansari, Jonathan Tan, Vanessa Henderson

Read More →
June 15, 2017

Towards a better risk score for open source security

Posted By: Yaqin Zhou and Asankhaya Sharma

Read More →
May 29, 2017

New SVEs: Watch out for Vulnerabilities in AngularJS, Apache Atlas, and Apache Hive

Posted By: Ang Ming Yi & Asankhaya Sharma

Last week, we introduced a blog series highlighting new SVEs we discover on a weekly basis. In the second post of the series, we highlight three vulnerabilities that were undiscovered until recently, including two reserved CVEs and one SVE (not yet publicly known at the time of writing). In the month of May, 216 (62.7%) of the vulnerabilities added to the SourceClear Registry were SourceClear Vulnerabilities and Exposures (SVEs). These vulnerabilities often go unreported and are obscured by several other feature updates. In this blog post, we will cover SVEs across popular frameworks and libraries such as AngularJS, Apache Hive, and Apache Atlas.

Read More →
May 25, 2017

Un-patched for months, could Cisco 0-day lead to another round of WannaCry? - SourceClear

Posted By: Ming Yi Ang & Asankhaya Sharma

For the last few weeks, we all got our ears torn out by story after story of WannaCry this, WannaCry that; we even wrote a post about how WannaCry-like ransomware can attack enterprise applications. Yet, not long ago, there was a similar exploit, the Cisco 0-day (CVE-2017-3881), whose impact could have caused a similar outcry had it been more successful. We highlight the initial similarities between the Cisco 0-day and EternalBlue, the exploit that fueled WannaCry, but note the differences that altered their eventual impact and scale. We reiterate that both could have been avoided with some simple remediation steps.

Read More →
May 22, 2017

Introducing New Vulnerabilities (SVE) Discoveries: Nokogiri Gem, Eclipse Jetty, and XSS in Semantic-UI

Posted By: Vanessa Henderson & Asankhaya Sharma

The National Vulnerability Database (NVD) and the CVE system that most companies rely on are notoriously inadequate for reporting and tracking vulnerabilities in open-source libraries. Most vulnerabilities in open-source code never see daylight as CVEs, and those that do are often exploited in the wild before being made public. Frustrated by this poor data, we have built the largest database of open-source libraries and vulnerabilities, called the Registry. We track commit messages, bug reports, mailing lists, security forums, websites, Twitter feeds, pastebins, etc. and feed them into our machine learning system to discover security issues that are missed by everyone else. In the early days, we called these wild vulnerabilities ‘Half-Days’; today, we call them SourceClear Vulnerabilities and Exposures (SVEs). To date, over 60% of the data in the Registry consists of SVEs, and typically 90% of the SVEs we add have no CVE at the time of entry. This month alone, we’ve added 204 SVEs.

That’s why we’re introducing a blog series focused on new SVEs we discover on a weekly basis, so you can keep up to date on the latest and greatest vulnerabilities lurking in your applications. Eventually, you’ll be able to subscribe to an SVE-only mailing list and Slack channel. Stay tuned for these.

In this post, we’ll be introducing three new SVEs added within the last week: Nokogiri gem, Eclipse Jetty, and XSS in Semantic-UI.

Read More →
May 17, 2017

Join Us - Security Research Director Opportunity

Posted By: Mark Curphey

As a company, we are placing a “big bet” on building and maintaining the world’s biggest and best knowledge base of security issues in open-source code. Our vision goes way beyond the old-school thinking of being the best at cataloging public vulnerabilities. We are building technology, infrastructure and a domain-specific language called the Security Graph Language (SGL) to expose a range of security issues at scale, applying cutting-edge data science and machine learning techniques.

Read More →
May 15, 2017

When Will WannaCry Style Ransomware Hit Enterprise Java Web Apps?

Posted By: Asankhaya Sharma, Mark Curphey

Unless you have been living under a rock, you have heard all about the WannaCry ransomware. At SourceClear, we believe this week’s attacks were a preview of what could happen when (not if) ransomware moves from small-value targets (consumer desktops) to large-value targets (enterprise web applications). It’s where the big money is. This blog post demonstrates the technical feasibility with a working sample for the latest version of the Java Spring Framework. It’s not any one framework that’s vulnerable but the open-source ecosystem: we also have working examples for Apache Struts, Node.js, Ruby and many others.

Read More →
April 20, 2017

Cutting down on false positives with vulnerable methods for Ruby

Posted By: Pritesh Mehta & Asankhaya Sharma

Today we released vulnerable methods support for the Ruby language, adding to the existing support for Java and Python. Vulnerable methods analysis uses call-graph analysis to trace the actual use of the vulnerable code in your projects. To understand the impact that vulnerable method support can have, we analyzed the top 1,000 starred Ruby projects on GitHub and discovered that without vulnerable method detection, users would see a false-positive rate of more than 85%! With vulnerable methods detection, users would see these false-positive rates decrease significantly. To get this feature, paid users can simply update their agents (i.e. brew upgrade srcclr) and free users can upgrade to a Pro trial.

Read More →
April 17, 2017

Why Continuous Security is the Next Application Security Movement

Posted By: Mark Curphey

Today we launched a new company website and have changed the way we talk about what we do. This is important because we believe that application security is in the midst of a transformational change. The old model of security was slow, contentious and typically applied as a series of quick fixes at the end of a development cycle or even after shipping. Even in the past, this approach was more of a necessary means to an end than the ideal. In today’s world of DevOps and Continuous Delivery it is just plain obsolete.

Read More →