Collaborate Disseminate
Only doing basic analysis and dynamic analysis an executable file’s obfuscated strings has to be determined and plaintext version of those needs to be found. No disassembler is allowed. So I looked at the entropy values first and exe is no… Continue reading Trying to find obfuscated strings and their plaintext in pe file
A company’s licensing change to a static analysis tool has forced 10 companies together to create Opengrep.
The post Open-source security spat leads companies to join forces for new tool appeared first on CyberScoop.
Continue reading Open-source security spat leads companies to join forces for new tool
Using SAST / SCA tools within the delivery pipelines is quite common these days; however, in the software my teams are building, the SAST tools that we’re using are very rarely finding even relatively important security gaps – for the most… Continue reading Is there evidence that using SAST / SCA brings positive ROI to software companies?
One of the key questions when investigating the security of software and libraries is what are the dangerous sinks? What functions are potentially dangerous, if called with untrusted data?
It would be helpful when auditing source code to h… Continue reading Is there a machine-readable way to document dangerous sinks in libraries?
When thinking about loops in programming languages, they often get simplified down to a conditions section and a body, but this belies the dizzying complexity that emerges when considering loop …read more Continue reading Misconceptions About Loops, or: Static Code Analysis is Hard
I’m working on a Go application where I’m using http.NewRequestWithContext to make outgoing requests. During a recent Veracode scan, I received an SSRF (Server-Side Request Forgery) flag for the following line:
req, err:= http.NewRequestWi… Continue reading Veracode SSRF Flag for http.NewRequestWithContext: Mitigating Risk in My Go Application
As you know, using machine learning we can detect malware.
We can use dynamic analysis based on WinAPI function calls and their arguments.
But what about static analysis using machine learning? In this case, we can parse Portable Executabl… Continue reading Static malware analysis using machine learning
What tools are necessary for static-analysis taint-based vulnerability detection? For example, being able to find/search source-sink paths through a tainted variable, flexibility to choose flow sensitive/insensitive analysis, etc.
I realiz… Continue reading Required features for taint-based vulnerability tools? [closed]
it is my first time with MobSF and Android APK assessment. I have found something while testing a specific APK and I am trying to understand the concept behind it:
Under HARDCODED_SECRETS in MobSF, was found a pair of KEY/SECRET related to… Continue reading MobSF Android Activity APK Pentest
I am working on testing multiple code review tools and what to know if there are any free vulnerable code projects that I can run my scanning tools against and compare the results of each tool. I am mostly aiming at projects using .NET/C# … Continue reading Vulnerable Projects to Test and Compare Code Review Tools [closed]