Security in the build pipeline

I’ve already blogged about OWASP Dependency Check or its alternative SourceClear in the past. But there is more you can do about security in a typical (Jenkins) build. Although I’m calling this post “Security in the build pipeline” I’m not actually using the Jenkins pipeline as code feature. Security scans are independent of that, so […]

SRC:CLR revisited

I was approached by SourceClear a little while ago to have another look at their dependency vulnerability scanner after my first blog post on their service. Since I already liked the tool before, I was quite interested to see what they have changed and was happy to do another test. The test setup partly changed: […]

Finding vulnerabilities in third party libraries

I’ve already blogged about OWASP Dependency Check as a Jenkins plug-in a little while ago. With SRC:CLR, a new web based alternative might be available. To use it, simply register via GitHub login and follow the installation instructions for your operating system. After installation, execute a scan via command line: srcclr scan –url https://github.com/dschadow/JavaSecurity.git The […]

Using OWASP Dependency Check as Jenkins plugin

OWASP Dependency Check is a great tool to check your third party dependencies in Java (web) applications. Besides using it as command line tool, Maven plugin or Ant task, you should integrate it all your Jenkins build jobs. One downside is that as default, every build job downloads and regularly updates its own National Vulnerability […]

Free web application vulnerability scanner for Eclipse

Contrast released Contrast for Eclipse 1.0 already a little while ago. The Eclipse plug-in works as a runtime security scanner and checks for security vulnerabilities in your web application while executing it in Eclipse. Promised by Contrast on Eclipse Marketplace is an Automated detection of OWASP Top 10 vulnerabilities. This is the first free tool […]

Using security response headers with WordPress

I’ve added several security headers to my blog today. The first part was easy: I’ve created a .htaccess file in my blog’s root directory with the following content: Header set X-XSS-Protection “1; mode=block” Header set X-Frame-Options DENY Header set X-Content-Type-Options “nosniff” Header set Strict-Transport-Security “max-age=31556926” Header set Cache-Control “no-store, no-cache, must-revalidate” Only one header was […]

JSF stateless views and CSRF protection

JavaServer Faces (JSF) – especially since version 2.2 – provides a good Cross-Site Request Forgery (CSRF) protection. To achieve this, every form automatically receives a random hidden token: Nothing more to do for the developer, JSF takes care of comparing the token’s value against the one stored in the server side session. Without the correct […]