OWASP Top 10 and Software Composition Analysis (SCA)

The OWASP Top Ten 2017 category A9 (which became A6 in OWASP Top Ten 2021) is dedicated to using components with known vulnerabilities. To cover this category in PVS-Studio, its developers have to turn the analyzer into a full SCA solution. How will the analyzer look for vulnerabilities in the components a project uses? What is SCA? Let's try to find the answers in this article!

OWASP, vulnerabilities, and taint analysis in PVS-Studio for C#. Stir, but don’t shake

We continue to develop PVS-Studio as a SAST solution, so one of our major goals is expanding OWASP coverage. You might ask: what is the use of OWASP coverage when there is no taint analysis? That is exactly what we thought, and we decided to implement taint analysis in the C# analyzer. Curious about what we accomplished? Read on!

Note. This article briefly touches upon SQL injections and working with SQL in C#. That theory serves only as context; for in-depth information on these topics, consult additional sources.

Do Not Confuse Web Application Firewall and Next-Generation Firewall

GUEST POST

Author: David Balaban

Some information security specialists confuse the concepts of WAF and NGFW. Moreover, even some representatives of companies whose products are positioned as NGFW make the same mistake.

"We have an NGFW, do we need a WAF?" or "Why do we need a WAF?" are very common questions. This calls for tracing the origin of the confusion, agreeing once and for all on the terms and definitions, and determining where each technology applies.
