Daniel Abeles and Gal Goldshtein from Oxeye present at BlueHat IL on their discovery of a remote code execution (RCE) vulnerability in Backstage, the popular developer portal developed by Spotify.
When Dick Fosbury won the Olympic gold medal in the high jump in Mexico City in 1968, it was the first time that most of the world had ever seen his style of jumping, and it revolutionized the sport. What appeared novel at the time - jumping while leading with his back, instead of the conventional forward-facing straddle or roll - was soon copied everywhere. How does that apply to AppSec? Read on...
Oxeye's CTO and co-founder, Ron Vider, presents on the OWASP Cloud-Native Application Security Top 10 Flagship Project.
Chris Romeo joins our CEO, Dean Agron, to discuss the modern-day role and relevance of 'Shift Left', and the need for a more contemporary look at the people, processes and technologies that will enable more effective and efficient AppSec for developers and security engineers.
Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information such as API keys, passwords, and certificates. The Oxeye AppSec platform automatically found a vulnerability in Hashicorp's Vault project without any manual input. Under certain conditions, it allows attackers to execute code remotely on the target system through an SQL injection attack.
The 'Inception' movie provides a cautionary tale about the future of software vulnerabilities. We dive into the why and how in this blog post.
We provide a list of three key takeaways from the latest Gartner market report on Cloud Native Application Protection Platforms (CNAPP).
Ory Segal, CTO of Prisma Cloud at Palo Alto Networks, and Ron Vider, CTO of Oxeye, talk about CNAPP and the convergence of application security and cloud security.
Jim Manico and Dean Agron discuss the future of application security and why legacy SAST and DAST tools do not work for modern, distributed applications.
We talked to a lot of application security and cloud security owners this year. Here are our predictions based on those conversations.
For many years, traditional Software Composition Analysis (SCA) tools have been the go-to for dealing with vulnerabilities in open source packages.
The Oxeye research team has found a critical vulnerability in Spotify’s open source, CNCF-incubated project, Backstage. We reported it via Spotify’s bug bounty program and it was rapidly patched in version 1.5.1. The vulnerability was rated critical with a CVSS score of 9.8.
The Oxeye research team has found a critical remote code execution vulnerability in the popular sandbox library VM2 (CVE-2022-36067).
The Oxeye research team recently found several high severity insecure direct object reference (IDOR) vulnerabilities in Harbor – a CNCF-graduated, open source artifact registry.
Bridging the gap between security findings and developers has never been easier.
Oxeye’s security research team has found a security vulnerability in Golang-based applications. Under certain conditions, it lets a threat actor bypass validations based on HTTP request parameters due to the use of unsafe URL parsing.
An unraveling of OpenTelemetry’s internals through a hands-on experience.
A software bill of materials is a list of all building blocks comprising an application – both the open source and commercial libraries.
The shift to cloud-native development affects several important aspects related to application security.
Software Composition Analysis (SCA) identifies known vulnerabilities in third-party open source software components. It is not enough to assure that your apps are free from application-layer vulnerabilities.
Why legacy IAST tools will fail miserably when testing cloud-native web applications.
Responsibility for application security is no longer in the hands of one owner; it is a joint effort. App security is distributed across many groups and roles - developers, AppSec and DevOps. So who is in charge of security, and how do you do it right?
Static application security testing (SAST) tools fail to provide the security measures required for cloud native apps. They lack context and are often limited to a single programming language, framework, or set of libraries.
Dynamic Application Security Testing (DAST) tools, and why they fail to successfully test cloud native apps for code vulnerabilities: DAST tools lack visibility into the communication layer across the app, container and cloud.
Recently, Oxeye’s research team discovered several scenarios where sensitive data was leaked through tracing and telemetry collection within cloud-native applications.
Herein is an overview of AST and the challenges that DAST, SAST, IAST, and SCA tools face when assessing vulnerabilities in cloud native applications.
Which approach should application security teams take to protect against Log4Shell? Oxeye helps identify and mitigate, and provides context for, the vulnerability in the Java logging package Log4j, also called LogJam (CVE-2021-44228).
Given the intricacies of cloud native apps, it's critical for organizations to prioritize security during their build phase.
OpenTelemetry is an open-source project by the Cloud Native Computing Foundation (CNCF).
Cloud native application vulnerabilities are not singular events, but rather complex flows. Our blog brings a few real-life examples from Shopify.
Over 500 million applications will be deployed using cloud-native approaches by 2023, according to IDC.
Eliminate uncertainty from the application security process, and save your development and AppSec teams time.