What a False Negative is and why it should be your primary criteria for a SAST tool

In our earlier post, we discussed False Positives and why having some of them is a good thing for your teams. This blog is about a term that is not as popular as False Positive, but is the reason security companies like ShiftLeft exist. The term ...
XStream Vulnerabilities — Detection & Mitigation

Looking at RCEs in the XStream Java Library and how you can prevent them

XStream from ThoughtWorks is a simple library to serialize and deserialize objects in XML and JSON format. Compared to alternative XML serialization libraries such as JAXB (JSR-222) and Jackson, developers find XStream both lightweight and ...
Integration of Open Policy Agent with ShiftLeft via API

Decouple your ShiftLeft AppSec policies with Open Policy Agent

The inspiration for this blog came from my recent preparation for an office hour on ShiftLeft Build Rules and Policy Language. Please note that this blog is based on my personal experimentation and doesn’t represent any official roadmap/direction of the ShiftLeft platform. The ShiftLeft code analysis platform offers a number of tools ...
ShiftLeft findings review on Zoom by Alice, Bob and Claire

Application Security for builders and creators — part 2

Previously on Application Security for builders and creators — Alice and Bob wanted to build a vaccine passport app with Go micro-services and a React UI. Claire suggests that the team engineer security into their app with ShiftLeft. Review with AppSec on Zoom: “Claire, let’s jump right ...
Let’s build an app

Application Security for builders and creators

Alice and Bob work for an exciting data analytics startup that is disrupting the healthcare tech space. You might have heard their names as they are well known in the security industry for building apps that are secure by design. As creators, they also enjoy rapidly prototyping ideas ...
Security Code Review of a Banking Trojan — Cerberus

Over a year ago, I started hearing about this new Banking Trojan called Cerberus. The author of this malware reportedly used to ridicule security researchers on social media, as per the thehackernews.com article. The malware was sold as a complete package: MySQL seed data with payloads and ...
ShiftLeft NG SAST integration with Bitbucket Code insights

DevSecOps with Atlassian Bitbucket

This article was originally published at ShiftLeft Blog. In my inaugural post on DevSecOps with GitHub, I made an assertion that achieving good productivity is a continuous journey and a shared responsibility. While technology and security vendors offer good secure defaults out-of-the-box, an effective understanding of product capabilities along ...
DevOps productivity series — GitHub for DevSecOps

GitHub & DevSecOps Productivity Tips

This article was originally published at ShiftLeft Blog. My colleague Andrew Fife wrote about our passion to focus on developer experience and productivity with our NextGen Static Analysis platform. Productivity, just like Security, is not a one-time activity but is a continuous journey that requires frequent optimization ...
Thoughts on the state of enterprise open source

“Open source is bad since it’s full of security vulnerabilities, unmaintained dependencies and poor documentation,” said this security vendor as they began their opening speech before delving into their product that offered open source dependency management and risk audits. As they started their demonstration, I could instantly acknowledge the irony ...
(Re)Introduce application security to your team

This blog was originally published at blog.shiftleft.io. Imagine you are a Development Manager or a DevSecOps leader in your organization thinking about AppSec. Having an open conversation about application security with your team is like having those difficult conversations with your teenagers. You know you’re trying to do the RIGHT thing, but ...