Continuous Verification: A new method to secure programs

Building secure software is the holy grail of computer science. On one end of the spectrum we have methods like formal verification that are used to prove the correctness of the underlying designs and development of software…

Diving into Directory Traversal Vulnerabilities in Open-Source

Why bother with ransomware when you can mine cryptocurrencies for free?

Just when you thought that the EternalBlue exploit on the Server Message Block (SMBv1) networking protocol found in Windows was under control, the adversaries have developed an exploit to target the Samba…

Exposing External XML Entity Attacks in Android IntelliJ Plugin

What DevOps means for Software Security

In this post, I explore the landscape of security in a DevOps world, critique existing…

Open-source Packages with Malicious Intent

Why re-invent the wheel?

This famous saying is what I think of when thinking about third-party code. Package managers such as npm, RubyGems, and Maven make it so easy to share code that has been written between…

After The Equifax Hack We Examined the Latest Apache Struts Code

Delving into the four recent RubyGems vulnerabilities

SGL: Mapping the open-source genome for fun and profit

For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then…