August 17, 2017

Exposing External XML Entity Attacks in Android IntelliJ Plugin

Posted By: Vanessa Henderson

IntelliJ is an IDE that a lot of developers know and love. Not only does it provide an intuitive UI, it also gives us plugins for all the platforms and languages we love, including Android. One of our astute engineers was building the Android IntelliJ plugin when a commit message flicked past and caught his eye. The commit mentioned details of fixing an XXE vulnerability! Oh no! What exactly are XXE attacks, how do they affect IntelliJ, and what can I do about them? Let's dive deeper.

August 9, 2017

Diving into Directory Traversal Vulnerabilities in Open-Source

Posted By: Vanessa Henderson, Shaheen Ansari

August 3, 2017

Open-source Packages with Malicious Intent

Posted By: Vanessa Henderson, Ming Yi

July 31, 2017

Announcing SourceClear's Library Catalog

Posted By: Paul Ambrosini

Managing the risks associated with open source libraries requires knowing and controlling what goes into your applications. We’re excited to announce the release of SourceClear’s Library Catalog, which lets you manage a list of approved libraries and share it with developers.

Different open source libraries have different risk profiles, and even within a given library, not all versions have the same risk profile. For this reason, it’s important to take some time to evaluate libraries before using them in your applications. Many of you told us about the pain of managing and sharing spreadsheets of approved libraries. We listened, and we are pleased to report that you won’t be needing those spreadsheets anymore!

July 27, 2017

New SVEs: Minio, Marked, Rails

Posted By: Vanessa Henderson, Jonathan Tan

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. In the last week, the SourceClear R&D team released 25 vulnerabilities; 6 of these were SVEs. Let’s have a closer look at a few of these SVEs.

July 25, 2017

Announcing SourceClear x Atlassian JIRA Cloud Integration

Posted By: Paul Ambrosini

At SourceClear we believe that security should be integrated into the application development workflow and that it shouldn’t slow down developers. We are committed to making it easier for security teams to collaborate with developers and we are pleased to announce SourceClear’s new Atlassian JIRA Cloud integration.

July 19, 2017

New SVEs: Summernote, Multiple NPM Packages

Posted By: Vanessa Henderson, Jonathan Tan

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. In the last 2 weeks, the SourceClear R&D team released 11 vulnerabilities; 2 of these were SVEs. Let’s have a closer look at a few of these SVEs.

July 18, 2017

Adopting and Reducing Challenges of Content Security Policy (CSP) with Sentry

Posted By: Geller Bedoya

In 2012, the W3C Web Application Security Working Group began a draft of Content Security Policy (CSP). The proposal was developed by two engineers from Mozilla and Google with the intent of mitigating the risk of injected code, reducing the privileges of running scripts (or plugins), and detecting exploitation of code injection through violation monitoring. Along the way, adoption challenges surfaced, as well as common deployment mistakes and bypasses. At the moment, CSP Level 3 is being drafted.
July 13, 2017

New SVEs: Apache HttpClient, Undertow, Apache Hadoop Azure

Posted By: Vanessa Henderson, Jonathan Tan

Welcome back to the series highlighting new SourceClear Vulnerabilities and Exposures (SVEs) we discover on a weekly basis. In the last 2 weeks, the SourceClear R&D team released 36 vulnerabilities; 19 of these were SVEs. Let’s have a closer look at a few of these SVEs.

July 4, 2017

A Case for Software Security by Mark Curphey

Posted By: Mark Curphey

I have been trying and failing to write a new book about software security for the last five years. It is needed because the way we build software today has changed so dramatically that previous great texts like Building Secure Software are no longer relevant. In the wake of Heartbleed, WannaCry, and 0-Day there has been a shift in the market to demand software security. In this shift, the modern enterprise needs a strategy to manage the risks of open-source software without adding friction to the development process. In this e-book, I argue that security automation needs to be an integral part of the company strategy at the highest levels to avoid data breaches and attacks. As the CEO of a startup, customers and product always come first, so without a clear path to completing the book, and with a fear of it rotting in my digital sock drawer, I thought it would be helpful to publish the introduction section, first written in late 2015, as its own e-book. Below are synopses.
