
Web Application Security Blog

CVE-2017-5638 - Groundhog Day

POSTED BY  Zaid Al Hamami on Mar 09, 2017

It's one of those weeks. A new, big impact-low effort CVE (CVE-2017-5638). This time it is Java Struts apps. Specifically ones using the Jakarta Multi-Part parser. Again, it is one of those “malformed input in ways no one expected gives me powers...

TOPICS     Vulnerabilities  Application Security  DevOps

Why Target the Application Layer

POSTED BY  Mike Milner on Feb 14, 2017

When most of us think of applications, we think of the various programs we have downloaded to our smartphones. We interact and make requests of these programs to perform whatever function we need. These requests often, if not always, require the...


TOPICS     Application Security

How External Dependencies Put Your Apps at Risk

POSTED BY  Mike Milner on Feb 02, 2017

Web applications are complex. Only a tiny part of any web app is code that you write for it. In fact, it is possible to create a web application without writing any original code. Some estimates say that 80% of the code in web applications is...


TOPICS     Application Security  Application development

Ready to be Hacked: Incident Response

POSTED BY  Richard April on Jan 31, 2017

As any security professional knows, the threat landscape is a moving target. Right now, hackers seem to be choosing web applications as a favored way into enterprise information systems—Verizon reports that they represent 40% of all confirmed...


TOPICS     Application Security

Sundance Hack Acts as a Warning to Small and Mid Sized Businesses

POSTED BY  Amanda McGuinness on Jan 26, 2017

This past Saturday, January 21st, the 2017 Sundance Film Festival was underway with its first weekend of screenings when it was interrupted by a cyberattack that disabled its online box office as well as internet access throughout Park City,...


TOPICS     Application Security

Enterprise Information Networks and the Threat Environment

POSTED BY  Oliver Lavery on Jan 19, 2017

Securing an enterprise information system is no trivial task. That is because today’s systems are complex and need to be viewed holistically. No longer can IT security only think of a network as a combination of components that can be protected...


TOPICS     Application Security

IAST, RASP, and Runtime Instrumentation

POSTED BY  Zaid Al Hamami on Jan 03, 2017

The Application Security Testing (AST) technology market is made up of the following categories:


TOPICS     Application Security  RASP

2016: AppSec Year in Review

POSTED BY  Richard April on Dec 15, 2016

Accounts taken over and credentials seriously stuffed

Credential stuffing attacks were made possible by several hacks that hit the news in 2016. Hacks like these happen in two (or more) phases, often occurring years apart. The first phase is...


TOPICS     Vulnerabilities  Application Security  Account Takeover  Stolen Credentials

RASP and Security Against Internal Breaches

POSTED BY  Mike Milner on Dec 13, 2016

As companies consider their application security posture, it is critical to remember that breaches can come from both outside and inside the company and its trust boundaries. Internal threats require just as much protection as external risks.


TOPICS     Insider  Application Security  RASP

RASP Adoption: A View From the Trenches (Part 3)

POSTED BY  Goran Begic on Nov 23, 2016

In the first two parts of this three-part post I introduced the basic concepts surrounding runtime application self-protection (RASP) and how it differs from web application firewalls (WAF). In the second part, I discussed features and use cases that...

TOPICS     Application Security  RASP  Web Application Security