SRC:CLR revisited

I was approached by SourceClear a little while ago to have another look at their dependency vulnerability scanner after my first blog post on their service. Since I already liked the tool before, I was quite interested to see what they have changed and was happy to do another test. The test setup partly changed:…

Finding vulnerabilities in third party libraries

I’ve already blogged about OWASP Dependency Check as a Jenkins plug-in a little while ago. With SRC:CLR, a new web-based alternative might be available. To use it, simply register via GitHub login and follow the installation instructions for your operating system. After installation, execute a scan via the command line: srcclr scan --url The…

JavaOne 2015 Retrospective

Thanks to bridgingIT – the great company I’m working for – I was able to attend my third JavaOne conference in San Francisco this year, including the presentation of two of my own talks: a well-attended The Web Application Strikes Back on Monday and an almost packed room for Java Web Security Antipatterns on…

Categorized as General

JavaOne 2015 Session Information

In case you attend JavaOne in San Francisco at the end of October… The session scheduler is just around the corner; my two sessions are scheduled for the following dates and locations: Session Type: Conference Session Session ID: CON2022 Session Title: The Web Application Strikes Back Venue / Room: Hilton – Plaza Room B Date and Time:…

Categorized as Events

Using OWASP Dependency Check as Jenkins plugin

OWASP Dependency Check is a great tool to check the third-party dependencies of your Java (web) applications. Besides using it as a command line tool, Maven plugin or Ant task, you should integrate it into all your Jenkins build jobs. One downside is that, by default, every build job downloads and regularly updates its own National Vulnerability…

Free web application vulnerability scanner for Eclipse

Contrast released Contrast for Eclipse 1.0 already a little while ago. The Eclipse plug-in works as a runtime security scanner and checks for security vulnerabilities in your web application while executing it in Eclipse. On the Eclipse Marketplace, Contrast promises automated detection of OWASP Top 10 vulnerabilities. This is the first free tool…

JavaOne 2014 retrospective

JavaOne 2014 is over, and it has been a fantastic experience! Better than my first attendance in 2012. Most sessions were of higher quality, the JavaHub was fantastic (I just love the Nao robot), I enjoyed the Geek Bike Ride and met a lot of new and interesting Java developers. The only mixed feelings I have are about both…

Categorized as Events, Java

Using security response headers with WordPress

I’ve added several security headers to my blog today. The first part was easy: I’ve created a .htaccess file in my blog’s root directory with the following content: Header set X-XSS-Protection "1; mode=block" Header set X-Frame-Options DENY Header set X-Content-Type-Options "nosniff" Header set Strict-Transport-Security "max-age=31556926" Header set Cache-Control "no-store, no-cache, must-revalidate" Only one header was…

Keep Your X-Frame-Options header a little while longer

So Mozilla has decided to deprecate the X-Frame-Options header, which is used to avoid clickjacking or UI redressing attacks (have a look at the page history; the first version used much stronger language). This header was never standardized (as the leading X indicates), but it is supported in all browsers (yes, in ALL browsers, with the exception of…