There are a ton of weaknesses a developer should be aware of. A hacker’s job is to find and exploit these weaknesses. If, as developer, you feel that it is hard and uncalled for to keep-up and understand each and every one of these hacks, there’s good news.

If you can follow a handful of best practices in software security, the majority of these weaknesses will go away automatically. …

ProcessBuilder is a Java class used to create Operating System processes. Therefore, needless to say, when coded insecurely it leads to serious security risks. In this post, we will go over an example code block utilizing ProcessBuilder and reveal a few security code best & bad practices through the analysis.

So, without further ado here’s the code block;

String path = "C:\\Windows\\system32\\cmd.exe";ProcessBuilder pb = new ProcessBuilder(path);
pb.command().add("/c");
pb.command().add("ping.exe");
pb.command().add(userInput);Process pingProcess = pb.start();

Let’s read and comment on this simple code. It takes a user input (userInput) as an argument and executes ping command with it.

Let’s see what…

It’s not infrequent across developers to posit a certain claim that may cause more harm than good. Upon a task that can be fulfilled by searching and finding quality solutions already existed, we most deservedly think that “I’m clever, I can write one”.

But, why is it a bad idea to device a new algorithm instead of using an already existing one?

After all, if it’s all about correctness, the existing ones could be fallacious as well. Because, the stakes are high for mistakes. …

Zaman zaman sorumlu olduğunuz sistemler ile ilgili karşınıza çıkan güvenlik tarama araçlarının bulguları kuvvetle muhtemel canınızı sıkıyordur. Network, veritabanı uzmanı, developer, uygulama sunucu yöneticisi yani daha modern bir tabir ile DevOps sürecinin bir parçasıysanız, kim bilir belki de olur olmaz zamanlarda üzerinize atanmış güvenlik bulgularını anlayıp, çözmek yerine yok olmalarını dilemiş olabilirsiniz.

Developer iseniz doğru yerdesiniz. Bu yazıda, özellikle statik uygulama güvenlik testi (SAST) araçlarının bazı bulgularını düzeltmeden, nasıl kaçınabileceğinizi anlatmaya çalışacağım.

Sadece yukarıdaki son cümle bile bir güvenlik uzmanının tüylerini diken diken etmeye yetecektir. Dolayısıyla bütün şimşekleri üstümüze çekmeden sorumluluk reddini şuraya bırakalım;

Bu yazıda listelenen veya ima edilen…

This one and a half year has been packed with security centric static program analysis for the CodeThreat team. After all this time, we have come to know that designing and implementing a scalable, flexible and soundish code analysis solution is a highly challenging task. This is Bedirhan, and in this post I’ll try to bring in some perspective on how the project and the team progress and what expects us in the near future for which a historical view of the project annotated with experience is a meaningful route to follow.

Bootstrapping with Passion

First of all the core team is in…

All automated testing solutions produce results when run against a target system. That’s expected. What’s more interesting about this process is that we want these results to be as related as possible; we don’t want false alarms.

False alarms or in more technical terms false positives (FPs) are the anticipated byproducts of any automated testing. But, what makes a static application security tool to produce them? In this post, we’ll try to pinpoint some of the key sources of FPs and what the tools do about this situation.

The obvious reason that nobody likes false alarms is that because they…

Static and dynamic application security testing, called SAST and DAST respectively, are compared to each other once in while. Both being quite different automated solutions with the same goal, this is understandable. It’s important to understand that these technologies are not replaceable with one another. This is Bedirhan and in this post we will go through a discussion why this is so. Let’s dig in to find out more…

Here’s the key difference between the two technologies; static security testing is executed on applications that are not running, these tools work on the code resting, hence the name static. …

Not a single developer, analyst, project manager or business owner want to own an insecure software. Just like customers would never want to trust any insecure application with their valuable data. Having or using a rock solid secure application is a desired thing, but is it possible at all and what can we do about it?

This is Bedirhan from the CodeThreat team, and in this post I’ll try to pinpoint difficulties of producing a secure software. First thing first; the number of new vulnerabilities published each year has a quite disturbing but factual outcome;

It is pretty hard to…