
Web Application Security Blog

The Struts Saga Continues: Groundhog Day All Over Again

POSTED BY  Zaid Al Hamami on Mar 23, 2017

In a previous blog post I talked about the Struts CVE (CVE-2017-5638) that’s affecting much of the Java Web App world these days. A security engineer at IMMUNIO provided his technical perspective as well.


TOPICS     Vulnerabilities  WAF vs. RASP  RASP  Web Application Security

Will it Pwn CVE-2017-5638: Remote Code Execution in Apache Struts 2?

POSTED BY  Ajin Abraham on Mar 13, 2017

A few days back Nike Zheng reported a remote code execution vulnerability in Apache Struts 2. The flaw is in the Jakarta Multipart parser used by Struts 2 and can be exploited to achieve remote code execution by sending a crafted Content-Type...


TOPICS     Vulnerabilities  RASP  Web Application Security

CVE-2017-5638 - Groundhog Day

POSTED BY  Zaid Al Hamami on Mar 09, 2017

It's one of those weeks. A new big-impact, low-effort CVE (CVE-2017-5638). This time it is Java Struts 2 apps, specifically ones using the Jakarta Multipart parser. Again, it is one of those “malformed input in ways no one expected gives me powers...
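Both of the CVE-2017-5638 teasers above make the same point: the attack reaches the Jakarta Multipart parser through a Content-Type header that no benign client would ever send. The following is an added example, not code from either post or from IMMUNIO: a strict Content-Type checker that a WAF rule, a RASP hook or a log-scanning script could use to flag such requests. The header samples are constructed for the example; the OGNL markers it looks for (`%{`, `${`, `#_memberAccess`, `#context`, `@ognl`, `#cmd`) are assumptions based on the public descriptions of the attack, not values taken from these posts.

```python
"""Strict Content-Type validation as a detector for the CVE-2017-5638 vector.

Added example (not IMMUNIO's code). A legitimate Content-Type is a media type
plus optional well-formed parameters; the Struts 2 attack stuffs an OGNL
expression into that header. Two layers: (1) refuse any header carrying the
assumed OGNL markers, (2) refuse anything that does not parse strictly.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 7230 'token' characters: printable ASCII without separators/whitespace.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE_RE = re.compile(rf"\s*({_TOKEN})/({_TOKEN})\s*")
# One ';'-prefixed parameter (token or quoted-string value); the parameter
# itself is optional so a stray trailing ';' is tolerated rather than flagged.
_PARAM_RE = re.compile(rf';\s*(?:({_TOKEN})=({_TOKEN}|"(?:[^"\\]|\\.)*")\s*)?')

# Assumed markers: OGNL expression syntax and Struts context names used by the
# public CVE-2017-5638 write-ups. None of them belongs in a real Content-Type.
_OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context", "@ognl", "#cmd")


class Verdict(NamedTuple):
    suspicious: bool
    reason: str
    media_type: Optional[str]


def check_content_type(value: str) -> Verdict:
    """Return a Verdict for one raw Content-Type header value."""
    for marker in _OGNL_MARKERS:
        if marker in value:
            return Verdict(True, f"OGNL marker {marker!r} in Content-Type", None)

    m = _MEDIA_TYPE_RE.match(value)
    if not m:
        return Verdict(True, "malformed media type", None)
    media_type = f"{m.group(1).lower()}/{m.group(2).lower()}"

    params = {}
    pos = m.end()
    while pos < len(value):
        pm = _PARAM_RE.match(value, pos)
        if not pm:  # anything that is not ';name=value' from here on is junk
            return Verdict(True, f"malformed parameter text at offset {pos}", media_type)
        if pm.group(1) is not None:
            params[pm.group(1).lower()] = pm.group(2)
        pos = pm.end()

    # A multipart body cannot be parsed without a boundary, so a multipart
    # Content-Type that lacks one is not something a real client produced.
    if media_type == "multipart/form-data" and "boundary" not in params:
        return Verdict(True, "multipart/form-data without boundary", media_type)
    return Verdict(False, "ok", media_type)


def scan(headers: List[str]) -> List[Tuple[int, str]]:
    """Run the check over a batch of header values; return (index, reason) hits."""
    hits = []
    for i, value in enumerate(headers):
        verdict = check_content_type(value)
        if verdict.suspicious:
            hits.append((i, verdict.reason))
    return hits


# Constructed sample headers: two benign uploads, one JSON call, then three
# values a client would never send. The OGNL sample is only the expression
# wrapper, not a working payload.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    'multipart/form-data; boundary="simple boundary"',
    "application/json",
    "%{(#_='multipart/form-data')}",
    "multipart/form-data",
    "multipart/form-data; boundary",
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_HEADERS):
        print(f"[{idx}] {SAMPLE_HEADERS[idx]!r}: {reason}")
```

The marker list catches the form of the attack everyone has seen; the strict parser is what catches the next variant, because any expression that the vulnerable parser could evaluate has to contain characters a media type grammar does not allow. Keep the check on the raw header bytes, before any framework normalisation, or the parser you are protecting may see a different value than the one you inspected.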


TOPICS     Vulnerabilities  Application Security  DevOps

Using RASP to Make Bug Bounty Programs More Efficient

POSTED BY  Mike Milner on Feb 16, 2017

Bug bounty programs have gained popularity throughout the tech industry, cropping up at tech giants such as Facebook, Google, and more recently Apple. The programs effectively crowdsource manual penetration testing (pen testing), allowing users...


TOPICS     RASP

Why Target the Application Layer

POSTED BY  Mike Milner on Feb 14, 2017

When most of us think of applications, we think of the various programs we have downloaded to our smartphones. We interact and make requests of these programs to perform whatever function we need. These requests often, if not always, require the...


TOPICS     Application Security

Improve Productivity Across Your Organization with RASP

POSTED BY  Richard April on Feb 09, 2017

Every innovation today revolves around streamlining. We seek the fastest way to get from point A to point B, the fastest way to shop, pay, interact with each other and with other devices, etc. People simply do not have the time to spend that they...


TOPICS     RASP

Why Signature Based Security is Only the First Step

POSTED BY  Richard April on Feb 07, 2017

Think of the security infrastructure of your application as its doctor. When working properly, it diagnoses threats to your system and prescribes the right course of action to keep that threat from infecting your application - much the way your...


TOPICS     AppSec Tools  WAF vs. RASP

How External Dependencies Put Your Apps at Risk

POSTED BY  Mike Milner on Feb 02, 2017

Web applications are complex. Only a tiny part of any web app is code that you write for it. In fact, it is possible to create a web application without writing any original code. Some estimates say that 80% of the code in web applications is...


TOPICS     Application Security  Application development

Ready to be Hacked: Incident Response

POSTED BY  Richard April on Jan 31, 2017

As any security professional knows, the threat landscape is a moving target. Right now, hackers seem to be choosing web applications as a favored way into enterprise information systems—Verizon reports that they represent 40% of all confirmed...


TOPICS     Application Security

Sundance Hack Acts as a Warning to Small and Mid Sized Businesses

POSTED BY  Amanda McGuinness on Jan 26, 2017

This past Saturday, January 21st, the 2017 Sundance Film Festival was underway with its first weekend of screenings when it was interrupted by a cyberattack that disabled its online box office as well as internet access throughout Park City,...


TOPICS     Application Security