OWASP DeepViolet has been included in and available for OWASP ZAP for a while now as an additional add-on component.  Briefly, the background is that DeepViolet is a TLS/SSL scanning API and set of tools.  OWASP ZAP is a Flagship application security scanner and includes some DeepViolet features for its TLS/SSL scanning.  I decided to post this blog update since it was not clear to me how to use this scanning with ZAP.  The following is a short post about how to install and use HttpsInfo (a.k.a. DeepViolet) within your ZAP scanning projects.


Java Chief Architect Mark Reinhold posts…

Create a secure, private forum in which trusted members of the OpenJDK Community can receive reports of vulnerabilities in OpenJDK code bases, review them, collaborate on fixing them, and coordinate the release of such fixes. Ensure that information flows efficiently, in both directions, between this forum and Oracle’s internal security teams. Encourage the forum to be used for other OpenJDK security-related discussions as needed.

Continue reading, Proposal: OpenJDK Vulnerability Group

The following SlideShare deck, OWASP DeepViolet TLS/SSL Java API and Tools, is one I provided to Black Hat staff after my live tool demonstration of the OWASP DeepViolet project at the Black Hat 2016 EU London Tools Arsenal.  The deck was never shown at the event but I developed it as a way to communicate the value of DeepViolet quickly to those who may be interested but did not attend.

OWASP Dependency Check 1.4.3 released.  Following is the announcement from the OWASP Leader’s List,
[Image: OWASP Dependency Check 1.4.3 release announcement from the OWASP Leader's List]
OWASP Dependency Check is a great tool to include in your CI automation suite.  It identifies the third-party libraries a build pulls in and matches them against publicly known vulnerabilities (CVEs), so you can alert on vulnerable libraries your developers are using and encourage moving to versions or alternatives with fewer known vulnerabilities.  Treating a high-severity finding as a build failure, rather than a report nobody reads, is what turns the scan into a real control.
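As an added example of the CI gate described above (this is not code from the Dependency Check project, and the project's own build plugins expose their own CVSS fail threshold), the script below reads a Dependency Check style JSON report and returns a non-zero exit code when any dependency carries a vulnerability at or above a CVSS threshold.  The report layout (dependencies, each with a list of vulnerabilities carrying cvssv3.baseScore and cvssv2.score) is modelled on the tool's JSON report and should be treated as an assumption to check against the report your version actually emits; the sample report, library names and CVE identifiers are constructed placeholders, not real findings.

```python
"""Fail a CI build on high-CVSS findings in a Dependency Check JSON report.

Added example, not part of OWASP Dependency Check. Field names below
(dependencies -> vulnerabilities -> cvssv3.baseScore / cvssv2.score) are an
assumption modelled on the tool's JSON report; verify against your version.
"""
import json
import sys

# Constructed sample report: placeholder library names and CVE identifiers,
# not real scanner output or real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libalpha-1.0.jar",
         "vulnerabilities": [
             # Older entries may carry only a CVSS v2 score.
             {"name": "CVE-0000-0001", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "libbeta-2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0002", "severity": "HIGH",
              "cvssv3": {"baseScore": 7.5}, "cvssv2": {"score": 6.8}},
         ]},
        {"fileName": "libgamma-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.9}, "cvssv2": {"score": 4.3}},
         ]},
        # A clean dependency has no "vulnerabilities" key at all.
        {"fileName": "libdelta-4.1.jar"},
    ]
})


def vuln_score(vuln):
    """Highest CVSS base score available for one finding (v3 preferred, v2 fallback).

    Returns 0.0 when neither score is present so an unscored entry never
    blocks the build by accident; tighten this if you want unscored == fail.
    """
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    v2 = (vuln.get("cvssv2") or {}).get("score")
    scores = [float(s) for s in (v3, v2) if s is not None]
    return max(scores) if scores else 0.0


def findings(report_json, threshold):
    """Return (fileName, cve, score) for every finding scoring >= threshold.

    Sorted worst-first, then by file name, so the CI log leads with the
    library that most needs attention.
    """
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def gate(report_json, threshold=7.0):
    """Exit status for the CI step: 0 when clean, 1 when blocking findings exist."""
    hits = findings(report_json, threshold)
    for name, cve, score in hits:
        print(f"BLOCK {name}: {cve} (CVSS {score:.1f} >= {threshold:.1f})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Run against the constructed sample; in CI, load the real report file instead.
    sys.exit(gate(SAMPLE_REPORT))
```

Wire the script in after the scan step and let its exit status fail the job.  Start with a threshold around 7.0 (CVSS High) so the gate is enforceable from day one, then lower it as the backlog of known-vulnerable libraries is worked off.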