The Qwiet blog

For companies writing and maintaining software at scale today, SAST (Static Application Security Testing) tools have become essential for increasing code security and reducing cyber risk. First-party code remains a frequent target for attacks on all types of organizations, with attackers probing applications constantly to look for weaknesses and vulnerabilities, known and unknown. A wide […]

Open Source Software (OSS) is at the core of today’s information technology. About 80% of companies run their operations on OSS and 96% of applications are built using open source components. Most of today’s commercial products are shipped with some OSS libraries. This also means that securing open source dependencies and fixing open source vulnerabilities […]

Apache log4j2 is one of the most widely utilized logging library in the Java ecosystem. Many applications depend on log4j that include and are not limited to VMware, Apple, Twitter, Minecraft to plethora of open-source projects like Apache Solr, Apache Druid, and many more. On November 30, 2021, the Apache log4j2 team became aware of […]

On 9 December 2021, Apache disclosed that the Log4j 2 utility contains a critical vulnerability that allows unauthenticated remote code execution (RCE), a serious issue that impacts a large number of applications. This post is coauthored by Chetan Conikee, Fabian Yamaguchi, and Katie Horne. What is affected? Log4j is a popular open source logging package […]

When learning how to find, exploit, or prevent different types of security vulnerabilities, you’ll want to understand the vulnerability’s root causes and what happens to an application when it’s exploited. Today, we’ll talk about remote code execution (RCE), it’s mechanisms, and how you can spot it in source code. Remote code execution and command injection […]

Java was originally designed with security in mind, which makes its present-day reputation for being insecure unfortunate. Yet it is probably inevitable that the flaws of a twenty-five-year-old language would be discovered and exploited. Especially with a language like Java which still ranks among the top three most popular programming languages today. Java is not […]

More often than not, when people hear the word “compliance” they assume it will be a roadblock to speed. For DevOps teams, reduced speed and productivity undermine their goals. At the same time, experiencing more data breaches leads to new compliance mandates as legislative bodies and industry standards organizations try to set minimum security baselines. […]

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting. Thankfully, most real-life vulnerabilities share the same root causes. And by studying these common vulnerability types […]

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.