Cofounder and CTO at Contrast Security
Jeff is a founder and CTO of Contrast Security - a revolutionary application security platform that automatically identifies vulnerabilities *and* blocks attacks in real time. Contrast works like "AppDynamics for Security" - no scanning, continuous monitoring, highly accurate, and integrated with all your favorite tools. @planetlevel

DZone Refcardz authored by Jeff:

* https://dzone.com/refcardz/introduction-to-devsecops
* https://dzone.com/refcardz/introduction-to-iast (Interactive Application Security Testing)
* https://dzone.com/refcardz/introduction-to-rasp (Runtime Application Self-Protection)
Stats

* Reputation: 2085
* Pageviews: 62.8K
* Articles: 2
* Comments: 5
Introduction to IAST
Introduction to RASP
DevSecOps
For years, security has been an afterthought — functionality that developers and product managers often address at the last minute. Security, like any other part of software development, is iterative; it takes rounds of testing and attention to detail to eliminate vulnerabilities. More organizations are beginning to understand the importance of security testing and integration, and as a result, they have started to incorporate security into their DevOps pipelines. With this in mind, we consulted industry experts and leaders about the state of DevSecOps adoption and implementation to help readers understand more effective ways to manage security throughout every step of the SDLC.
Application Security
DZone Trend Reports will expand on the content from DZone Research Guides that our readers have told us is most useful. The Application Security Trend Report analyzes new developments in the increasingly important field of AppSec to predict what's next.
Comments
Jan 05, 2020 · Unni Mana
I know it’s just a sample, but this is a textbook example of a reflected cross-site scripting (XSS) vulnerability. Could you add HTML entity encoding to the output so that attackers can’t use this to exploit victims? Thx!
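The fix the comment asks for, as an added example rather than code from the page or from the sample it refers to: a hypothetical servlet that reflects a query parameter back into an HTML page, shown first with the raw concatenation that produces reflected XSS and then with the parameter passed through a minimal HTML entity encoder. The servlet name, parameter name and the encoder are all assumptions made for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the page) that echoes the "name" parameter back to the user.
public class GreetingServlet extends HttpServlet {

    // Minimal HTML entity encoder for text placed inside an HTML element body.
    // Every character that can start or end markup in that context is replaced
    // by its entity, so the browser treats the value as text, never as tags.
    static String forHtmlContent(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable form: request data is concatenated straight into the response,
    // so any markup in "name" is rendered by the victim's browser (reflected XSS).
    static String renderUnsafe(String name) {
        return "<html><body><h1>Hello, " + name + "!</h1></body></html>";
    }

    // Hardened form: the same page, with the untrusted value entity-encoded
    // for the HTML body context it is written into.
    static String renderSafe(String name) {
        return "<html><body><h1>Hello, " + forHtmlContent(name) + "!</h1></body></html>";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.print(renderSafe(req.getParameter("name")));
        }
    }

    // Constructed input to show the difference offline, without a servlet container.
    public static void main(String[] args) {
        String input = "<b>Bob</b>";
        System.out.println(renderUnsafe(input)); // the <b> tag reaches the browser as markup
        System.out.println(renderSafe(input));   // prints &lt;b&gt;Bob&lt;&#x2F;b&gt; as literal text
    }
}
```

The encoder is context-specific: it is correct for text inside an element body, but a value written into an attribute, a URL, or a script block needs the encoding rules of that context instead.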
Feb 21, 2019 · Sibanjan Das
For web app/API security, we released a *free and full-strength* tool called Contrast Community Edition (Java). Should be in every dev's toolbox. CE provides full IAST (vulnerability testing), SCA (open source analysis), and RASP (runtime application security protection). Contrast works from inside your applications using instrumentation - far easier & more accurate than scanning tools. Integrates with all your favorite tools, including Eclipse, IntelliJ, Slack, JIRA, GitHub, Jenkins, Splunk, and more. https://www.contrastsecurity.com/ce.
Oct 30, 2018 · Matthew Casperson
By the time the cast occurs, the damage has already been done. The deserialization process reads the untrusted data, initializes a new object of the attacker's chosen class with the data, and then calls the zero-arg constructor. The attacker sends carefully crafted data and chooses certain "widgets." These widgets are just classes that do dangerous stuff in their zero-arg constructor, and nobody knows just how many of them there are in a typical application. Sometimes you need a "chain" of these widgets to make a full attack. But when successful, the attacker can invoke Runtime.exec() (or something else harmful) and completely subvert the application.
Nov 15, 2015 · Matthew Casperson
We just released an even better solution to this problem. It's free and open source.
Contrast-rO0 is a lightweight Java agent that uses instrumentation to block attacks targeting object deserialization problems like those described above.
This approach is the *only* way to protect your *entire* application because the problem can be in libraries or frameworks. Rather than re-architecting your entire messaging infrastructure, this agent absolutely prevents this vulnerability from being exploited.
https://github.com/Contrast-Security-OSS/contrast-rO0
Nov 15, 2015 · Matthew Casperson
Sorry - this flaw can happen in any application that accepts serialized objects from an untrusted source. The flaw is not restricted to apps that include Apache Commons. There are multiple different gadgets that can result in remote command execution. Beware.