OWASP Using Components with Known Vulnerabilities

Components with Known Vulnerabilities. Most developers don't even know what is in their dependency tree. Sadly, most successful attacks are not the exciting "zero day, rush to patch before they get it" kind of thing; most attacks are mundane. Pattern: use your build tool to extract a report of ALL the artifacts that went into your build (including the build tool's plugins). Pattern: check CVEs manually every week or automatically (src:...

September 10, 2022

OWASP XML External Entities (XXE)

XML external entity (XXE) injection: <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <foo>&xxe;</foo> Most XML parsers are vulnerable to XXE injection by default; you need to configure them to be safe (src: book "Release It!" by Michael Nygard).

September 10, 2022