Open Source Software Poses a Real Security Threat
8/15/2018It's true that open source software has many benefits, but it also has weak points. These four practical steps can help your company stay safer.
Post a Comment
Author
Profile of Jeff Williams
CTO, Contrast Security Member Since: 4/1/2014Author
News & Commentary Posts: 20
Comments: 32
A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Jeff has over 25 years of security experience and served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten
Articles by Jeff Williams
It's true that open source software has many benefits, but it also has weak points. These four practical steps can help your company stay safer.
Post a Comment
How Code Vulnerabilities Can Lead to Bad Accidents
7/10/2017The software supply chain is broken. To prevent hackers from exploiting vulnerabilities, organizations need to know where their applications are, and whether they are built using trustworthy components.
Post a Comment
New OWASP Top 10 Reveals Critical Weakness in Application Defenses
4/27/2017It's time to move from a dependence on the flawed process of vulnerability identification and remediation to a two-pronged approach that also protects organizations from attacks.
Post a Comment
Why It’s Insane To Trust Static Analysis
9/22/2015If you care about achieving application security at scale, then your highest priority should be to move to tools that empower everyone, not just security experts.
Post a Comment
What Do You Mean My Security Tools Don’t Work on APIs?!!
6/25/2015SAST and DAST scanners haven’t advanced much in 15 years. But the bigger problem is that they were designed for web apps, not to test the security of an API.
Post a Comment
Why We Can't Afford To Give Up On Cybersecurity Defense
5/18/2015There is no quick fix, but organizations can massively reduce the complexity of building secure applications by empowering developers with four basic practices.
Post a Comment
Which Apps Should You Secure First? Wrong Question.
3/5/2015Instead, develop security instrumentation capability and stop wasting time on '4 terrible tactics' that focus on the trivial.
Post a Comment
What Government Can (And Can’t) Do About Cybersecurity
1/22/2015In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.
Post a Comment
The New Target for State-Sponsored Cyber Attacks: Applications
12/17/2014Skilled hackers are now using simple web application vulnerabilities like SQL Injection to take over database servers. Are you prepared to defend against this new type of threat actor?
Post a Comment
The Staggering Complexity of Application Security
11/10/2014During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built.
Post a Comment
In AppSec, ‘Fast’ Is Everything
10/13/2014The world has shifted. The SAST and DAST tools that were invented over a decade ago are no longer viable approaches to application security.
Post a Comment
An AppSec Report Card: Developers Barely Passing
9/19/2014A new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security such as how to protect sensitive data, Web services, and threat modeling.
Post a Comment
Why Your Application Security Program May Backfire
7/2/2014You have to consider the human factor when you’re designing security interventions, because the best intentions can have completely opposite consequences.
Post a Comment
The Only 2 Things Every Developer Needs To Know About Injection
5/22/2014There’s no simple solution for preventing injection attacks. There are effective strategies that can stop them in their tracks.
Post a Comment
The Real Wakeup Call From Heartbleed
4/16/2014There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.
Post a Comment
Flying Naked: Why Most Web Apps Leave You Defenseless
3/28/2014Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
Post a Comment
The 7 Deadly Sins of Application Security
2/6/2014How can two organizations with the exact same app security program have such wildly different outcomes over time? The reason is corporate culture.
Post a Comment
What Healthcare Can Teach Us About App Security
1/15/2014The Centers for Disease Control protects people from health threats and increases the health security of our nation. It’s a mission that’s not so different from InfoSec.
Post a Comment
Secure Code Starts With Measuring What Developers Know
12/19/2013I recently discovered I’ve been teaching blindly about application security. I assumed that I know what students need to learn. Nothing could be further from the truth.
Post a Comment
Application Security: We Still Have A Long Way To Go
11/21/2013The past decade shows only trivial progress in improving web app security, according to new vulnerability guidelines in the OWASP Top Ten 2013.
Post a Comment
White Papers
Video
1 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations ProgramAs cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-12198
PUBLISHED: 2019-05-20
PUBLISHED: 2019-05-20
PUBLISHED: 2019-05-19
PUBLISHED: 2019-05-18
PUBLISHED: 2019-05-17
From DHS/US-CERT's National Vulnerability Database CVE-2019-12198
PUBLISHED: 2019-05-20
In GoHttp through 2017-07-25, there is a stack-based buffer over-read via a long User-Agent header.
CVE-2019-12185PUBLISHED: 2019-05-20
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web r...
CVE-2019-12184PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This