QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components (CVE-2017-5929).
OWASP DeepViolet has been included and available in OWASP ZAP for a while now as an additional add-on component. Briefly, the background is that DeepViolet is a TLS/SSL scanning API and set of tools. OWASP ZAP is a Flagship application security scanner and includes some DeepViolet features for its TLS/SSL scanning. I decided to post this blog update since it was not clear to me how to use this scanning with ZAP. The following is a short post about how to install and use HttpsInfo (a.k.a. DeepViolet) within your ZAP scanning projects.
You understand the value of security penetration testing for your software applications, and it has been successful in identifying important vulnerabilities. You do the obvious thing and order more pentesting, but in successive tests the arrival rate of new application vulnerabilities soon exceeds your technical teams' ability to remediate them. Management's and the technical teams' security vulnerability epiphany soon turns to malaise as security becomes increasingly marginalized in favor of progress against more tangible objectives – customer-facing software features. What happened? Could this have played out differently?
The following SlideShare deck, OWASP DeepViolet TLS/SSL Java API and Tools, is one I provided to Black Hat staff after my live tool demonstration of the OWASP DeepViolet project at the Black Hat 2016 EU London Tools Arsenal. The deck was never shown at the event, but I developed it as a way to communicate the value of DeepViolet quickly to those who may be interested but did not attend.