
What a False Negative is and why it should be your primary criterion for a SAST tool
In our earlier post, we discussed False Positives and why having some of them is a good thing for your teams. This blog is about a term that is not as popular as False Positive, but is the reason security companies like ShiftLeft exist. The term ... Read More

XStream Vulnerabilities — Detection & Mitigation
Looking at RCEs in the XStream Java library and how you can prevent them. XStream from ThoughtWorks is a simple library to serialize and deserialize objects in XML and JSON format. Compared to alternative XML serialization libraries such as JAXB (JSR-222) and Jackson, developers find XStream both lightweight and ... Read More

Decouple your ShiftLeft AppSec policies with Open Policy Agent
The inspiration for this blog came from my recent preparation for an office hour on ShiftLeft Build Rules and Policy Language. Please note that this blog is based on my personal experimentation and doesn’t represent any official roadmap/direction of the ShiftLeft platform. The ShiftLeft code analysis platform offers a number of tools ... Read More

Application Security for builders and creators — part 2
Previously on Application Security for builders and creators: Alice and Bob wanted to build a vaccine passport app with Go micro-services and a React UI. Claire suggested that the team engineer security into their app with ShiftLeft. Review with AppSec on Zoom: “Claire, let’s jump right ... Read More

Application Security for builders and creators
Meet Alice and Bob. They work for an exciting data analytics startup that is disrupting the healthcare tech space. You might have heard their names, as they are well known in the security industry for building apps that are secure by design. As creators, they also enjoy rapidly prototyping ideas ... Read More

Security Code Review of a Banking Trojan — Cerberus
Over a year ago, I started hearing about this new banking trojan called Cerberus. According to a thehackernews.com article, the author of this malware reportedly used to ridicule security researchers on social media. The malware was sold as a complete package: MySQL seed data with payloads and ... Read More

DevSecOps with Atlassian Bitbucket
This article was originally published at ShiftLeft Blog. In my inaugural post on DevSecOps with GitHub, I made an assertion that achieving good productivity is a continuous journey and a shared responsibility. While technology and security vendors offer good secure defaults out of the box, an effective understanding of product capabilities along ... Read More

DevOps productivity series — GitHub for DevSecOps
GitHub &amp; DevSecOps Productivity Tips. This article was originally published at ShiftLeft Blog. My colleague Andrew Fife wrote about our passion to focus on developer experience and productivity with our NextGen Static Analysis platform. Productivity, just like security, is not a one-time activity but a continuous journey that requires frequent optimization ... Read More

Thoughts on the state of enterprise open source
“Open source is bad since it’s full of security vulnerabilities, unmaintained dependencies and poor documentation,” said this security vendor as they began their opening speech before delving into their product that offered open source dependency management and risk audits. As they started their demonstration, I could instantly acknowledge the irony ... Read More

(Re)Introduce application security to your team
This blog was originally published at blog.shiftleft.io. Imagine you are a Development Manager or a DevSecOps leader in your organization thinking about AppSec. Having an open conversation about application security with your team is like having those difficult conversations with your teenagers. You know you’re trying to do the RIGHT thing, but ... Read More