ASPM Illustration
Nov 1, 2023

How Application Security Posture Management (ASPM) Helps Prevent Security Silos

Ensuring that our software (or applications) is secure has become essential for organizations, mainly since we use more complex applications in various industries. However, a big challenge arises with the creation of security silos.

Read More
Oct 5, 2023

What Is A Better Way To Do Software Composition Analysis (SCA)?

Software Composition Analysis (SCA) is a fundamental component of application security, aiming to identify vulnerabilities within third-party libraries and dependencies. However, while SCA tools have come a long way, they are not always accurate enough on their own.

Read More
Sep 29, 2023

Cheat Sheet for WebP (libwebp library) 0-day Vulnerability

Learn about the WebP/libwebp library 0-day vulnerability in 2 minutes

Read More
Sep 28, 2023

Announcing Github SCM Integration for SAST, SCA, and Personalized AppSec Risk Analysis

Today, we’re announcing our Github SCM integration for SAST and SCA, which will help organizations to find custom code vulnerabilities (SAST) and vulnerable packages (SCA) in their applications during the development phase. These additions to the Oxeye Application Security Platform complement our runtime-fueled AppSec engine to deliver security across the entire software development lifecycle (SDLC), and to automatically prioritize your remediation efforts. 

Read More
Sep 19, 2023

What is Application Security Posture Management?

Application Security Posture Management (ASPM) is your ultimate watchtower in this fast-paced digital world. This article will take you through the critical components of ASPM, from asset and vulnerability management to risk mitigation and assessment and beyond.

Read More
Aug 2, 2023

Take Me to Prom - Exploiting an RCE in openTSDB through Prometheus

The Oxeye research team has found a critical unauthenticated Remote Code Execution vulnerability in the popular Time Series database - OpenTSDB.

Read More
Jul 19, 2023

Fortifying the Fort: A Story of How a Security Company Purged Its Container Vulnerabilities

Oxeye is an AppSec platform that detects code vulnerabilities and issues in open source and third party packages. But how do we ensure that the tool that detects these vulnerabilities is itself not vulnerable?

Read More
Blogpost Cover
Jul 3, 2023

Gophers & Bees - Parsing Golang Structures in Memory with eBPF

OpenTelemetry is a collection of APIs, libraries, agents, and instrumentation that standardize the collection and transfer of telemetry data (metrics, logs, and traces) from your services and applications. It is an incubating project of the Cloud Native Computing Foundation (CNCF) that aims to make robust, portable telemetry a built-in feature of cloud-native software.

Read More
Blog Cover
Jun 29, 2023

Chess and Application Security

It’s not a secret that we’re big chess fans here at Oxeye. Our engineering team and marketing team are locked in a battle for chess supremacy, asynchronously, across the Atlantic Ocean, via a chess app. It should come as no surprise then, that we see many analogies between application security and chess.

Read More
Jun 21, 2023

Introducing "The Storm and the Light" - a podcast from Oxeye

We announce the launch of The Storm and the Light - a podcast from Oxeye

Read More
Jun 8, 2023

Using Kubernetes Data to Enhance Incomplete HTTP OpenTelemetry Traces

Using OpenTelemetry has become a popular method for tracking, collecting, and analyzing telemetry data for applications that are built using microservice architecture. It helps us understand how software performs and behaves.

Read More
Using OpenTelemetry for Application Security, with a Real Life Example
May 11, 2023

Using OpenTelemetry for Application Security, with a Real Life Example

Oxeye's CTO and co-founder, Ron Vider, presents to a crowd of over 1200 people on how to use Open Telemetry for application security

Read More
The Story of a Backstage RCE - Oxeye Presentation at Blue Hat IL
May 10, 2023

The Story of a Backstage RCE - Oxeye Presentation at Blue Hat IL

Daniel Abeles and Gal Goldshtein from Oxeye present on their discovery of a remote code execution (RCE) vulnerability in the popular developer portal, Backstage, developed by Spotify, at BlueHat IL

Read More
May 9, 2023

The Fosbury Flop, Observability and Application Security for Cloud-Native Applications

When Dick Fosbury won the Olympic gold medal in the high jump in Mexico City in 1968, it was the first time that most of the world had ever seen his style of jumping, and it revolutionized the sport. What appeared to be novel at the time - jumping while leading with his back, instead of the conventional forward-facing straddle or roll - was soon copied pervasively. How does that apply to AppSec? Read on....

Read More
OWASP Cloud-Native Application Security Top 10 Flagship Project - Ron Vider
May 8, 2023

OWASP Cloud-Native Application Security Top 10 Flagship Project

Oxeye's CTO and co-founder, Ron Vider, presents on the OWASP Cloud-Native Application Security Top 10 Flagship Project

Read More
Webinar: Shift Left in 2023 - What's Changed and What Can We Improve?
Apr 21, 2023

Webinar: Shift Left in 2023 - What's Changed and What Can We Improve?

Chris Romeo joins our CEO, Dean Agron to discuss the modern-day role and relevance of 'Shift Left', and the need for a more contemporary look at people, processes and technologies that will enable more effective and efficient AppSec for developers and security engineers

Read More
Apr 12, 2023

RCE through SQL Injection Vulnerability in Hashicorp's Vault

Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. The Oxeye AppSec platform automatically found a vulnerability in Hashicorp's Vault project without any manual input. In certain conditions, it allows attackers to execute code remotely on the target system through an SQL injection attack.

Read More
Application vulnerabilities will be multi-layered and multi-dimensional
Apr 5, 2023

'Inception': The Future of Vulnerabilities & Security for Cloud-Native Applications

The 'Inception' movie provides a cautionary tale about the future of software vulnerabilities. We dive into the why and how in this blog post.

Read More
Mar 21, 2023

3 Key Takeaways From Gartner®'s Market Guide™ For Cloud Native Applications Protection Platform (CNAPP), 2023

We provide a list of three key takeaways from the latest market report for Cloud Native Application Protection Platforms (CNAPP) from Gartner

Read More
Why the 'A' in CNAPP is So Important
Feb 28, 2023

Webinar: Why the 'A' in CNAPP is So Important - Application Security in the Age of Cloud Native Applications

Ory Segal, CTO of Prisma Cloud at Palo Alto Networks and Ron Vider, CTO of Oxeye, talk about CNAPP, and the convergence of application security and cloud security

Read More
Future of Application Security and why current SAST and DAST don't work anymore
Jan 27, 2023

Webinar: Stop Flying Blind in AppSec with Jim Manico and Dean Agron

Jim Manico and Dean Agron discuss the future of application security and why legacy SAST and DAST tools do not work for modern, distributed applications

Read More
5 Application Security (AppSec) Predictions for 2023
Dec 20, 2022

5 Application Security (AppSec) Predictions for 2023

We talked to a lot of application security and cloud security owners this year. Here are our predictions based on those conversations.

Read More
Nov 28, 2022

Why Software Composition Analysis (SCA) Tools Must Transform to Enable Stronger Software Supply Chain Security

For many years, traditional Software Composition Analysis (SCA) tools have been the go-to for dealing with vulnerabilities in open source packages.

Read More
Nov 15, 2022

Remote Code Execution in Spotify’s Backstage via vm2 Sandbox Escape (CVSS Score of 9.8)

The Oxeye research team has found a critical vulnerability in Spotify’s open source, CNCF-incubated project — Backstage. We reported this via Spotify’s bug bounty program and it was rapidly patched in version 1.5.1. It ranked this critical vulnerability with a CVSS score of 9.8.

Read More
Sandbreak vm2 sandbox vulnerability - CVE-2022-36067
Oct 10, 2022

Enter "Sandbreak" - Vulnerability In vm2 Sandbox Module Enables Remote Code Execution (CVE-2022-36067)

The Oxeye research team has found a critical remote code execution vulnerability in the popular sandbox library VM2 - CVE-2022-36067

Read More
Sep 11, 2022

Guess Who’s (R)BAC?

The Oxeye research team recently found several high severity insecure direct object reference (IDOR) vulnerabilities in Harbor – a CNCF-graduated, open source artifact registry.

Read More
Aug 28, 2022

Oxeye Now Integrates with Jira

Bridging the gap between security findings and developers has never been easier.

Read More
Jul 28, 2022

“ParseThru” – Exploiting HTTP Parameter Smuggling in Golang - Updated October 10, 2022

Oxeye’s security research team has found a security vulnerability in Golang-based applications. Under certain conditions, it lets a threat actor bypass validations based on HTTP request parameters due to the use of unsafe URL parsing.

Read More
Jul 14, 2022

Diving Into OpenTelemetry’s Specs – The Story of How I Wrote Another Instrumentation

An unraveling of OpenTelemetry’ internals through a hands-on experience.

Read More
Jun 15, 2022

Runtime SBOM – Secure Microservices with Runtime Visibility

A software bill of materials is a list of all building blocks comprising an application – both the open source and commercial libraries.

Read More
Mar 20, 2022

Essential Takeaways for Cloud-Native Application Security Testing

The shift to cloud-native development affects several important aspects related to application security.

Read More
Mar 9, 2022

Software Composition Analysis (SCA) & Cloud-Native Application Security

Software Composition Analysis (SCA), identifies known vulnerabilities in 3rd party open source software components. It is not enough to assure that your apps are free from application layer vulnerabilities.

Read More
Mar 1, 2022

You Can’t IAST Your Way Out of This One

Why Legacy IAST Tools Will Fail Miserably When Testing Cloud-Native Web Applications.

Read More
Who owns cloud native application’s security
Jan 31, 2022

Who is responsible for Cloud Native Security?

Responsibility for App Security is no longer in the hands of one-owner, it’s a joint effort. App security is distributed to many groups and to different roles - Developers, AppSec and DevOps. So who’s incharge of security? And how to do it right.

Read More
Competitive analysis chart of SAST, DAST, SCA, IAST, and API testings and fuzzers
Jan 24, 2022

Why SAST doesn’t work in a cloudy world: 3 reasons SAST can’t support cloud native apps

Static application security testing tools (SAST), fail to provide the security measures required for cloud native apps. They lack context and are often limited to only one programming language, framework, or sets of libraries.

Read More
Competitive analysis chart of SAST, DAST, SCA, IAST, and API testings and fuzzers
Jan 4, 2022

DAST & Cloud-Native Web Apps - Like Bringing a Knife to a Gunfight

Dynamic Application Security Testing tools (DAST), and why they fail to successfully test cloud native apps for code vulnerabilities. DAST tools lack the visibility into the communication layer of both app, container and cloud.

Read More
PII leak open telemetry
Dec 22, 2021

How insecure application tracing and telemetry may lead to sensitive data and PII leakage

Recently, Oxeye’s research team discovered several scenarios where sensitive data was leaked through tracing and telemetry collection within cloud-native applications.

Read More
Dec 21, 2021

How Legacy AST Tools Fail to Secure Cloud Native Applications

Herein is an overview of AST and the challenges that DAST, SAST, IAST, and SCA tools face when assessing vulnerabilities in cloud native applications.

Read More
Dec 14, 2021

How Contextual Risk Analysis Helps AppSec Teams Better Mitigate Log4Shell (CVE-2021-44228)

Which approach should application security teams take to protect against log4shell. Oxeye helps identify, mitigate and provides context to the Java logging package Log4j vulnerability also called LogJam CVE-2021-44228.

Read More
Illustration of cloud native platform and Oxeye logo
Nov 24, 2021

Cloud Native Apps & Microservices Need a New Security Testing Approach

Given the intricacies of cloud native apps, it's critical for organizations to prioritize security during their build phase

Read More
Oxeye logo, and a telescope, stars, and planets
Nov 9, 2021

Contributing Open Source Code to the OpenTelemetry Project

OpenTelemetry is an open-source project by the Cloud Native Computing Foundation (CNCF).

Read More
Oct 28, 2021

When Cloud Native Application Security Testing Fails: A Real-World Analysis

Cloud native application vulnerabilities are not singular events, but rather complex flows. Our blog brings a few real-life examples from Shopify.

Read More
Oct 18, 2021

The Cloud Native Application Security Challenges and How to Avoid Them

Over 500 million applications will be deployed using cloud-native approaches by 2023, according to IDC.

Read More
Oct 10, 2021

Introducing Oxeye - Cloud-Native Application Security Testing, Here We Come

Cloud-native has evolved from a marketing term into a highly desirable and useful architecture choice, yielding significant benefits for designing.

Read More

Oxeye Blog

Resources

Blog
Research
Webinars
Talks
Knowledge Panel
Case Studies
Downloadable Assets
August 2, 2023

Take Me to Prom - Exploiting an RCE in openTSDB through Prometheus

Gal Goldstein
Security Researcher
Daniel Abeles
Head of Research
August 2, 2023

Take Me to Prom - Exploiting an RCE in openTSDB through Prometheus

The Oxeye research team has found a critical unauthenticated Remote Code Execution vulnerability in the popular Time Series database - OpenTSDB.
Gal Goldstein
Security Researcher
Daniel Abeles
Head of Research
April 12, 2023

RCE through SQL Injection Vulnerability in Hashicorp's Vault

Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. The Oxeye AppSec platform automatically found a vulnerability in Hashicorp's Vault project without any manual input. In certain conditions, it allows attackers to execute code remotely on the target system through an SQL injection attack.
November 15, 2022

"BreakStage" – an Unauthenticated Remote Code Execution in Spotify’s Backstage

The Oxeye research team has found a critical vulnerability in Spotify’s open source, CNCF-incubated project — Backstage. We reported this via Spotify’s bug bounty program and it was rapidly patched in version 1.5.1. It ranked this critical vulnerability with a CVSS score of 9.8.
October 10, 2022

Enter "Sandbreak" - Vulnerability In vm2 Sandbox Module Enables Remote Code Execution (CVE-2022-36067)

The Oxeye research team has found a critical remote code execution vulnerability in the popular sandbox library VM2 - CVE-2022-36067
September 11, 2022

Guess Who’s (R)BAC?

The Oxeye research team recently found several high severity insecure direct object reference (IDOR) vulnerabilities in Harbor – a CNCF-graduated, open source artifact registry.
July 28, 2022

“ParseThru” – Exploiting HTTP Parameter Smuggling in Golang - (Updated October 10, 2022)

Oxeye’s security research team has found a security vulnerability in Golang-based applications. Under certain conditions, it lets a threat actor bypass validations based on HTTP request parameters due to the use of unsafe URL parsing.

Want to see what it looks like?

Book a live demo
AICPA - Logo
Solutions
For AppSecFor CISOFor Devs/DevSecOps
Resources
BlogResearchWebinarsTalksCase StudiesDownloadsIn The NewsDocs
Company
About UsEventsCareersPress ReleasesPodcastContact Us
2023 All rights reserved
Privacy PolicyTerms of Service