Deserialization Vulnerability Confirmed in Nexmo 3.4.0 SDK

Nexmo has confirmed that their 3.4.0 SDK contained the Jackson-databind vulnerability that we announced earlier this week as widespread amongst SaaS SDKs. The deserialization vulnerability can be escalated into remote code execution (RCE) by triggering a gadget chain in certain versions of Java or Spring. This makes the vulnerability particularly ...
ShiftLeft Wins 2018 Gartner Cool Vendor for DevOps

Gartner recently recognized ShiftLeft as a 2018 Cool Vendor in DevOps for our continuous application security service. The Cool Vendor designation is awarded to new companies that are “innovative, impactful and intriguing.” We’re hosting a webinar tomorrow to introduce ShiftLeft and explain why we are cool: https://go.shiftleft.io/gartner-cool-vendors-for-devops While DevOps has led to incredible ...
OffensiveCon 2018: Building a Zero-Day Machine

Fabian Yamaguchi, Niko Schmidt & Marco Bartoli of ShiftLeft recently presented on our efforts to build a zero-day vulnerability machine at OffensiveCon. You can watch their presentation below.

FIELD REPORT ON A ZERO-DAY MACHINE

Make no mistake, security is about finding and exploiting vulnerabilities, not the ones everyone already knows about. The ...
Your App is Leaking Data, It's Just a Question of How Badly

If data leakage isn’t the fastest growing problem in AppSec, I don’t know what is. In our experience, 100% of customer environments are leaking data. The adoption of microservices, combined with increasingly shorter development cycles, means that understanding how critical data flows into, within, and out of an application is ...
7 Questions to Ask About Your DevSecOps Program

If you’ve implemented, or are implementing, a DevSecOps program, we’ve come up with several questions to consider below. By posing these questions, we hope to help spur new ideas and help identify areas for improvement. We’re also hosting a webinar on implementing DevSecOps next Wednesday (3/21/18). Is My Application (or Microservice) ...
What the Next Era of Cloud Computing Means for AppSec & the SDLC

Since the 1990s there have been three logical phases of cloud adoption, from pioneering to mass adoption and managing. Effectively, the success of each phase led to the next phase, and we are in the management phase today. However, it’s the problems that managing-phase solutions haven’t been able to ...
6 Requirements for Achieving DevSecOps

Just as widespread cloud application adoption has led to the emergence of cloud-centric management tools (Okta, New Relic, Mulesoft, etc.), as the DevOps movement reaches ubiquity, the need for DevSecOps becomes more acute. However, with so many vendors wanting to cash in on the buzz, “DevSecOps” is quickly becoming cliché ...