Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-1883PUBLISHED: 2022-05-25SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.
CVE-2022-21951PUBLISHED: 2022-05-25
A Missing Encryption of Sensitive Data vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden This issue affects:...
CVE-2022-1815PUBLISHED: 2022-05-25Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
CVE-2022-29405PUBLISHED: 2022-05-25In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
CVE-2022-29349PUBLISHED: 2022-05-25kkFileView v4.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.
User Rank: Apprentice
9/24/2015 | 12:58:29 PM
Of course there would be pushback ... unless the developer is compensated for secure code.
But what if accurate application security vulnerabilities could be identified before code check-in without any of the steps mentioned above? What if the applciation security vulnerabilities were identified simply from the FUNCTIONAL development and usage of the system?
As a former developer (and current AppSec tooling guy), I am always looking for ways to invisibly inject security into the SDLC ... ways that do NOT require a new line item in a project plan, an extra step in the coding / development process, or a self-imposed "wait state" in order to get application security results ... and, ideally, to have appication security vulnerabilities identified continuously and in real-time as an invisible and natural by-product of the process of building and testing software in an SDLC without regard for "Security Testing".
I have found that passive IAST products are capable of achieving this goal and not only enabling developers to identify and fix their vulnerabilities before the code leaves their desktop, but actually proactively reaching out to them to show the exact line of code that is vulnerable ... ALL WITHOUT A SCAN or extra step ... all in real-time from performing the very act that all developers do before checking in code ... FUNCTIONAL sanity/smoke testing.
Contrast Security provides such a solution.