Just recently, our open-source fuzzing engine Jazzer found an Expression DoS vulnerability in Spring (CVE-2023-20861). Now, three weeks later, Jazzer found another similar Expression DoS in the Spring framework, labeled CVE-2023-20863. This new finding has an even higher CVSS score of 7.5 (high), compared to the previous finding which came in at 5.3 (medium).

Security testing is increasingly viewed as an essential part of the software development lifecycle (SDLC). Traditionally, agile software development has focused on development velocity, rapid market feedback, and delivering high quality products and services. However, software that's vulnerable to cyber attacks is not valuable to end users and creates huge risks for both customers and software vendors. This makes it critical to integrate security testing into the software development process.

Fuzz testing is a popular testing approach used to find bugs in C/C++ and embedded software, particularly memory corruptions. It has proven effective for identifying obscure bugs that are difficult to find through other testing methods. This testing approach is increasingly being adopted by automotive companies to comply with new security standards, save time, mitigate costs, and improve software quality. Let's have a look at how fuzzing is helping all of these automotive companies.

Polaris Software Integrity Platform® – a SaaS application security testing solution delivering speed without compromise. Faster, faster, faster. The pressure is on to do business faster, to develop faster, and to secure all of this with faster and faster AppSec. Businesses want to release products, services, and apps to their customers on shorter and shorter release cycles.

Unit tests are indispensable to check and prove that our code functions properly. But in unit testing, we only test the scenarios that we are aware of. However, there are scenarios unknown to us that lead to security vulnerabilities or performance problems. To address these scenarios, you can add fuzz tests in order to effectively find security, reliability, and even logic bugs in your code.

Java is widely used for developing web applications and relies heavily on APIs (Application Programming Interfaces). Therefore, API testing is a critical practice, as it ensures seamless functionality, compatibility, security, and performance while facilitating integration and simplifying debugging.

Production-safe DAST with WhiteHat Dynamic enables critical security scans in the software production environment. Software powers modern businesses, but these ever-evolving applications and systems can also include vulnerabilities that threat actors can exploit to disrupt, threaten, and steal critical data. But fear not: Robust security processes can mitigate most of these risks and ensure that new features and updates are properly tested.

As part of our efforts to improve the security of open-source software, we continuously test open-source projects with our JVM fuzzing engine Jazzer in Google’s OSS-Fuzz. One of our tests yielded a Denial of Service vulnerability in the Spring Framework (CVE-2023-20861). Spring is one of the most widely used frameworks for developing web applications in Java. As a result, vulnerabilities have an amplified impact on all applications that rely on the vulnerable version.