OWASP Dependency Check for Vulnerability Reporting

John Hoestje Java, Security, Technology Snapshot, Tutorial

TL;DR: Add OWASP Dependency-Check to your build process to get insight into your dependency vulnerabilities.

Recent major data losses and security vulnerabilities in open source frameworks *(and the applications that use them)* have caused the companies that use those frameworks to have elevated concerns regarding vulnerabilities. The elevated awareness is for good reason, too. After all, no one wants to be the next one to lose sensitive data, be the punching bag of others, or be the example of what *not* to do security-wise.

If you happen to be in a group that doesn’t have any open source vulnerability reporting, OWASP Dependency-Check may be your short-term answer to get at least something in place. Adding OWASP Dependency-Check to your build process takes relatively little effort. Unless your technology stack is one that Dependency-Check does not support, there isn’t a reason not to add it and gain at least a little insight into your open source dependencies.

The following parts will help you get Dependency-Check integrated into your Java project’s build process. The instructions will be adaptable to the other technologies Dependency-Check supports, like Gradle or JavaScript. Dependency-Check is also available as a command line tool for your favorite OS. In this example, I’ll use a Java project with Maven….



Could the Equifax Hack Have Been Prevented by a Microservices Architecture?

David Pitt Architecture, Java, Microservices, Opinion, Security

When I heard that the Struts Open Source framework played a role in the recent Equifax hack, I wanted to do some research to understand how it happened. Struts is a commonly-used Java framework that I have applied in the past. And I’m not alone in that: it is reported that 65% of Fortune 500 companies currently implement Struts in some way.

So, I did a little digging and performed a thought experiment asking myself the following question: “If Equifax had a pure-play Microservices Architecture in place, would it have solved the problem?”



JSON Web Tokens With Spring Cloud Microservices

Thomas Kendall Java, JavaScript, Microservices, Security

At Keyhole, we have published several blogs about Microservices. We’ve talked about architectural patterns used in a Microservices environment such as service discovery and circuit breaker. We’ve even posted blogs on platforms and tools, such as the recent blog on Service Fabric. One important piece of the architecture that we have glossed over is the security around Microservices. Specifically, authentication …



Don’t just randomize, truly randomize!

Vince Pendergrass Java, JavaScript, Security, Technology Snapshot

The state of web application cryptography has changed, and each development language provides its own way of working with it. I will touch on the current state of random number generation and how it differs between the Java and JavaScript development languages. When designing and building web applications, security concerns obviously play a crucial role. The term security …



Top 10 Web Application Security Risks From OWASP

Todd Horn Security

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Every few years the organization publishes a top 10 list on web application security risks. First released back in 2003, …