Increasing your AppSec velocity with ShiftLeft
As the velocity of the software development lifecycle (SDLC) increases, so should the velocity of everything that gets integrated into the SDLC. This includes application security. To that end, ShiftLeft released the Velocity Update for ShiftLeft CORE, which we’ll discuss more in the following sections. Increasing your ...
Three quick takes regarding the 2021 updates to the OWASP Top 10 list
In this article, we’ll take a look back at the changes to the OWASP Top 10 this past year. It’s been four years since OWASP updated its Top 10 list, but this year we got three brand new categories along with a reshuffling of the rest. As we ...
What to do about CWEs in your application
Over the past few weeks, we’ve published a series of blogs related to CWEs: we’ve taken a look at the changes in the Top 25 Most Dangerous Software Weaknesses over the past year, as well as some of the vulnerabilities included on the list: CWE-22: Path traversal; CWE-611: XML ...
CWE-77
Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-77 refers to command injection, a vulnerability that allows malicious parties to control parts of the application by providing input that influences how the application behaves. In short, the attacker could control how the app behaves, compromising the app itself ...
CWE-918
Server-Side Request Forgery (SSRF)
Server-side request forgeries (SSRF) occur when the web application sends a request to the web server, and the web server retrieves the requested content. However, the web server does not ensure that the request is sent to an appropriate destination. In other words, this vulnerability allows a ...
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200 occurs when information that should remain confidential (e.g., systems and network information for the application, or user-supplied data including names, email addresses, and dates of birth) is accessible to those without authorization to see this information. Why exposing sensitive information is ...
CWE-89
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
SQL injection occurs when an end-user leverages the client-side interface to provide input that is then used as part of a SQL command that the application executes.
Why SQL injection vulnerabilities are problematic
With SQL injection attacks, an unauthorized user could: Read ...
CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OS command injection occurs when the application uses user input (which isn’t escaped or sanitized) as part of a command that’s run against the host’s operating system.
Why OS command injection vulnerabilities are problematic
Typically, end-users would not have access ...
ShiftLeft CORE on AWS Marketplace
We are pleased to announce that ShiftLeft CORE is now available on the AWS Marketplace! Now, AWS users looking to integrate a complete AppSec platform into their software development lifecycle (SDLC) or CI/CD pipeline have another option for procuring ShiftLeft CORE.
Procuring Software via the AWS Marketplace
Over the years, AWS has ...
CWE-611
Improper Restriction of XML External Entity Reference
CWE-611 refers to vulnerabilities that arise when an application processes an XML document that contains entities referring to external URIs. These URIs resolve to assets outside the control of the application, resulting in the potentially unsafe execution of actions dictated by the outside assets. Why improper ...