Strong and not-so strong sides of using it for your SAST benchmarks… There’s no escape. When you are choosing a Static Application Security Testing (SAST) tool, a comparison is a must for measuring speed, accuracy, usability… There are many sides to this comparison and a sample application is usually used…

Principle of Least Privilege in Action — Evaluating an input is a requirement for most of the custom web, mobile or desktop applications let alone popular frameworks. In this post, focusing on Spring Expression Language (SpEL) we’ll try to explain the concept of least privilege as a mechanism to prevent any unlawful behavior through expression language evaluation…

What is it & how to dodge? — A vulnerability has been disclosed on Spring Framework which leads to remote code execution. A CVE is assigned to it recently with the code CVE-2022–22965. In this small post, we will try to give some details of the vulnerability and exploitation, however, we will also try to shed some light…

Archimedes, Galileo, Kepler and Newton. Just a few great minds of human advancements. There’s a keen and distinguished characteristics of these giant leapers which all of the developers should try to learn and apply what they do in order to produce rock solid secure applications. What makes these scientists/philosophers and…

No development advice. — Your company has the security scanning tools. Tools are executed on your applications. And they produce findings. But guess what? Mitigating these issues is pain in the neck. You may just wish these findings to disappear instead of spending time to understand and mitigate them. If you are a developer…

HTTP Parameter Pollution — There are a ton of weaknesses a developer should be aware of. A hacker’s job is to find and exploit these weaknesses. If, as developer, you feel that it is hard and uncalled for to keep-up and understand each and every one of these hacks, there’s good news. If you…

Security analysis of an example code — ProcessBuilder is a Java class used to create Operating System processes. Therefore, needless to say, when coded insecurely it leads to serious security risks. In this post, we will go over an example code block utilizing ProcessBuilder and reveal a few security code best & bad practices through the analysis. …

Read this and count to 10 if you feel you have to… — It’s not infrequent across developers to posit a certain claim that may cause more harm than good. Upon a task that can be fulfilled by searching and finding quality solutions already existed, we most deservedly think that “I’m clever, I can write one”. But, why is it a bad idea…

Geliştirme tavsiyesi değildir. — Zaman zaman sorumlu olduğunuz sistemler ile ilgili karşınıza çıkan güvenlik tarama araçlarının bulguları kuvvetle muhtemel canınızı sıkıyordur. Network, veritabanı uzmanı, developer, uygulama sunucu yöneticisi yani daha modern bir tabir ile DevOps sürecinin bir parçasıysanız, kim bilir belki de olur olmaz zamanlarda üzerinize atanmış güvenlik bulgularını anlayıp, çözmek yerine yok olmalarını…