"foo": "1.0.0 - 2.9999.9999",
"bar": ">=1.0.2 <2.1.2"
Most applications make use of a large number of third-party components, which provide everything from logging and templating to database access. This makes software much faster to develop, but those components are written by people too, so some will inevitably contain vulnerabilities. A version range like the ones above is where the exposure is decided: the wider the range, the more releases, including future vulnerable ones, the manifest is willing to install. Read the guideline to find out more.
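The following is an added example, not code from the original page or from Secure Code Warrior. It implements the two range forms shown above (a hyphen range and space-separated comparators) and checks which known-bad versions each range would accept; the package names `foo` and `bar` come from the manifest snippet, while the advisory data is constructed for illustration and does not correspond to any real advisory or CVE.

```python
import re

# Added example. Supports the npm-style range subset used on the page:
# hyphen ranges ("1.0.0 - 2.9999.9999") and space-separated comparators
# (">=1.0.2 <2.1.2"). Pre-release tags and x-ranges are rejected, not guessed.

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_COMPARATOR_RE = re.compile(r"^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$")


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(part) for part in m.groups())


def _parse_comparators(spec):
    """Return (op, version) pairs that must all hold for a version to match."""
    spec = spec.strip()
    if " - " in spec:
        lo, hi = (s.strip() for s in spec.split(" - ", 1))
        # Hyphen ranges are inclusive at both ends.
        return [(">=", parse_version(lo)), ("<=", parse_version(hi))]
    comparators = []
    for token in spec.split():
        m = _COMPARATOR_RE.match(token)
        if not m:
            raise ValueError(f"unsupported range token: {token!r}")
        op = m.group(1) or "="
        comparators.append((op, parse_version(m.group(2))))
    return comparators


_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}


def range_allows(spec, version):
    """True if the range `spec` would accept `version`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in _parse_comparators(spec))


# Constructed advisory data for the fictitious packages from the manifest.
# These are placeholders for illustration, not real advisories or CVE IDs.
CONSTRUCTED_ADVISORIES = {
    "foo": ["2.7.0", "2.7.1"],
    "bar": ["1.4.0", "2.1.1", "2.1.2"],
}


def vulnerable_versions_allowed(dependencies, advisories=CONSTRUCTED_ADVISORIES):
    """Map each dependency to the known-bad versions its range would accept."""
    findings = {}
    for name, spec in dependencies.items():
        bad = [v for v in advisories.get(name, []) if range_allows(spec, v)]
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    manifest = {"foo": "1.0.0 - 2.9999.9999", "bar": ">=1.0.2 <2.1.2"}
    print(vulnerable_versions_allowed(manifest))
    # Exact pins (what a lockfile gives you) shrink the accepted set to one version.
    print(vulnerable_versions_allowed({"foo": "2.6.3", "bar": "1.0.5"}))
```

Run against the page's manifest, the hyphen range on `foo` accepts both constructed bad releases, and `bar`'s upper bound of `<2.1.2` excludes only the last one. Pinning exact versions (or committing a lockfile) removes the ambiguity, which is why dependency scanners work from resolved versions rather than from ranges.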
Many frameworks also ship a set of endpoints that can be enabled to monitor the application, whether in production or in a test/dev environment. These can include:
Security Misconfiguration is something of an umbrella term covering vulnerabilities that arise from an application's configuration settings rather than from bad code. It is a wide-ranging subject and depends heavily on factors like your technology stack. Fixing these issues often looks simple, a change to a configuration file or even a single line of code, but the impact of leaving them in place can be severe. Read our guideline to learn more about this vulnerability and how to mitigate it.
// Vulnerable: the target URL comes straight from the request and is fetched server-side
let url = request.params.url;
let response = http.get(url);
let render = response.render();
Server-Side Request Forgery (SSRF) vulnerabilities occur when a user can cause an application to make HTTP requests to an attacker-chosen destination. If the application can reach private or internal networks, the attacker can also make it send requests to internal servers, such as cloud metadata services or admin interfaces, that are not reachable from outside. This guideline takes a closer look at what SSRF looks like in action, with examples.
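The following is an added example, not code from the original page or from Secure Code Warrior. It shows the validation the snippet above is missing: a scheme check, a host allowlist, and a check that the host resolves only to public addresses. `ALLOWED_HOSTS`, the injectable `resolver` parameter and the addresses in `FAKE_DNS` are assumptions made for illustration so that the script runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example. Hostnames and addresses below are assumptions for illustration.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def default_resolver(hostname):
    """Resolve a hostname to the set of IP addresses it currently points to."""
    infos = socket.getaddrinfo(hostname, None)
    return {info[4][0] for info in infos}


def is_public_address(ip_text):
    """is_global is False for RFC 1918, loopback, link-local (including
    169.254.169.254), unique-local IPv6 and other reserved ranges."""
    return ipaddress.ip_address(ip_text).is_global


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (ok, reason). ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    # .hostname is lower-cased and has userinfo and port stripped, so
    # "https://api.example.com@evil.example/" yields "evil.example".
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host!r}"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host!r} resolves to non-public address {address}"
    return True, "ok"


# Constructed DNS table so the example runs offline; the mapping is made up.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "cdn.example.com": {"10.0.0.5"},  # an allowlisted name that points inward
}


def fake_resolver(hostname):
    if hostname not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {hostname}")
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/data",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.example.com@evil.example/",
        "https://cdn.example.com/asset.js",
        "file:///etc/passwd",
    ]:
        print(candidate, validate_fetch_url(candidate, resolver=fake_resolver))
```

Two caveats apply when wiring this into a real fetch. The resolution check is only meaningful if the HTTP client connects to the address that was checked, otherwise a second lookup at connect time reopens DNS rebinding; resolve once and pin the connection to that address. Redirects must also be disabled or re-validated per hop, since an allowlisted host can redirect to an internal one.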
import mysql.connector

# Bad practice. Avoid this! This is just for learning.
db = mysql.connector.connect(host="localhost", user="newuser", passwd="pass", db="sample")
cur = db.cursor()
name = input('Enter Name: ')
# The user's input is pasted into the SQL string, so it can change the query itself
cur.execute("SELECT * FROM sample_data WHERE Name = '%s';" % name)
for row in cur.fetchall():
    print(row)
SQL injection (SQLi) is a web security vulnerability in which attacker-controlled input is incorporated into a SQL statement and changes its meaning. It is one of the most common attack techniques against web applications and can be used to read, modify or delete data in the database.
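The following is an added example, not code from the original page or from Secure Code Warrior. It runs the vulnerable query from the snippet above against a constructed in-memory SQLite table so the injection can be observed offline, and places the parameterized version beside it. SQLite is used instead of MySQL because it ships with Python; its `?` placeholder plays the role of the `%s` parameter marker that mysql.connector uses when the values are passed separately.

```python
import sqlite3

# Added example. The table and rows are constructed for illustration.


def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sample_data (Name TEXT, Salary INTEGER)")
    db.executemany(
        "INSERT INTO sample_data VALUES (?, ?)",
        [("alice", 70000), ("bob", 65000), ("carol", 90000)],
    )
    return db


def lookup_vulnerable(db, name):
    """String interpolation: the input becomes part of the SQL grammar."""
    cur = db.cursor()
    cur.execute("SELECT * FROM sample_data WHERE Name = '%s';" % name)
    return cur.fetchall()


def lookup_parameterized(db, name):
    """Bound parameter: the input is only ever treated as a value."""
    cur = db.cursor()
    cur.execute("SELECT * FROM sample_data WHERE Name = ?;", (name,))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, "alice"))       # one row, as intended
    print(lookup_vulnerable(db, payload))       # every row leaks
    print(lookup_parameterized(db, payload))    # no row is literally named that
```

With the payload, the interpolated statement becomes `SELECT * FROM sample_data WHERE Name = 'x' OR '1'='1';`, which is true for every row. The equivalent fix for the mysql.connector snippet on the page is to stop formatting the string and let the driver bind the value: `cur.execute("SELECT * FROM sample_data WHERE Name = %s;", (name,))`.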
A recent study found that 40% of developers don't believe they're receiving enough hands-on security training. Our new Coding Labs (currently in Preview) allow developers to write code at their own pace in a familiar IDE and receive real-time feedback, so they learn the skills needed to avoid introducing vulnerabilities into code.
Visit our curated YouTube playlist where you’ll find general software cybersecurity tips as well as insights about current and ongoing cyber-threats and stories from developers about how they got interested in security.
Hear from Prajwal Shetty, senior technical lead, and find out how he developed a passion for security and pursued formal training to develop his career as well as the various secure coding projects he’s working on.
Lexi Condon’s career in security and secure coding began while she was working as a unit tester, but her interest in coding started much earlier than that when she realized she could modify games she played. Hear about how she decided to use these powers for good.
Erik Costlow, Director of developer relations at Contrast Security, shared a few tips on how to consider security at every stage of the development lifecycle so it doesn’t pop up at the last minute and cause delays. He offered three different recommendations on how to do this including dependency analysis, static analysis, and instrumented analysis.
We secure software through developer-driven security at the start of the software development lifecycle.