PEGASUS: the term is making headlines across the globe, leaving people anxious with questions such as: What is spyware? Am I a potential target? If so, how can I protect myself from it? Together we will try to understand and answer these and many more questions.

History of PEGASUS

With all the current news coverage and headlines, this might come across as something new to the cyber world, but PEGASUS first surfaced in 2016 on a few targets' iOS and Android devices. PEGASUS is a surveillance service (spyware) developed by the Israeli NSO Group as part of their Surveillance as a Service. …


Django: Currently, it is one of the most popular Python frameworks for web development. Many built-in features help make it this popular. Some of them are listed below.

i. Django follows a Model-View-Template (MVT) architecture which allows a developer to write better, organized, and more maintainable code.

ii. ORM: Django allows you to define database models in Python, and provides a user-friendly, rich database-access API.

iii. The Django template language allows mixing Python code with HTML for the purpose of presentation. …


Software composition analysis (SCA) is the practice of analyzing and identifying third-party and open source software present in an application. Today, the majority of enterprise-level applications use open source components in some way or another, which makes SCA an important box to check during your Software Development Life Cycle (SDLC).

But why do we need it at all?

SCA is a solution for managing the security and license compliance risk that comes with the use of open source and third-party code in applications. It provides visibility and important insights into the application's inventory of open source components. Use of open source components has become so prevalent that…


Code maintainability is one of the many important factors that we all consider while writing code. It becomes imperative when handling big production code bases. Removing obsolete and stale (non-functional) pieces of code is just as important as adding new functional code to your application.
Over time, this obsolete code (e.g. feature flags) accumulates and becomes technical debt for the code owner.

What exactly are Feature Flags?

Feature flags are conditional code branches in which each condition has a code block associated with it. Using feature flags, companies can localize their user experience in the different regions they operate…


We all know how important data is for everything today. We can tell this simply by observing how heavily some of today's technologies, such as Big Data analytics, SIEM, machine learning and AI, depend on data in some form. Hence, protecting our sensitive data from being compromised by malicious or bad actors becomes a critical job.

Using a secure/encrypted channel while transferring data between parties has always been a popular data security method. …


This is one of those findings that is very difficult to identify during security testing. The best chance we have is during a source code review of the vulnerable code base. So today we will look, from the source code perspective, at what vulnerable code looks like and how to flag it.

This is certainly one of those critical bugs that you don't wish to have in your system, which is why it has earned its place in the current OWASP Top 10 findings. Below are some of the attacks that can be performed if Insecure Deserialization is present.


Log Injection Attack

First, let's understand a couple of things about logging together.

What is logging?
Logging is a technique for maintaining or collecting application-specific data in a log book (log file) to monitor how the application is doing in its running state.
As the name suggests, every event is stored in a log file for future reference, especially when debugging a bug (strange behaviour). For this we have different levels of logging, which are responsible for logging different kinds of events and data.

Let’s see the different types of logging that we use in general:

ERROR
An error is a…

abhishek kumar

exploring application security
