SourceClear

Open-source Packages with Malicious Intent

Why re-invent the wheel?

This famous saying is what I think of when thinking about third-party code. Package managers such as npm, RubyGems, and Maven make it so easy to share code that has been written between…

Un-patched for months, could Cisco 0-day lead to another round of WannaCry?

For the last few weeks, we all got our ears torn out by story after story of WannaCry this, WannaCry that. Not long ago, there was a similar exploit — Cisco 0-Day, CVE-2017–3881 — whose impact could…

Diving into Directory Traversal Vulnerabilities in Open-Source

SGL: Mapping the open-source genome for fun and profit

For a long-time we have known that the current state-of-the-art of vulnerability research in open-source code does not scale. That current state-of-art involves individual security researchers looking at specific bits of code and then…

Delving into the four recent RubyGems vulnerabilities

Continuous Verification: A new method to secure programs

Building secure software is the holy grail of computer science. On one end of the spectrum we have methods like formal verification that are used to prove the correctness of the underlying designs and development of software…

Announcing PHP Language Support

We are proud to announce that we are adding language support for PHP. You can now scan your PHP projects…

After The Equifax Hack We Examined the Latest Apache Struts Code

Why bother with ransomware when you can mine cryptocurrencies for free?

Just when you thought that the EternalBlue exploit on the Server Message Block (SMBv1) networking protocol found in Windows was under control, the adversaries have developed an exploit to target the Samba…