Exploring de-serialization issues in Ruby projects.
Ruby on Rails is a popular application platform that uses cookies to identify application sessions. The cookie consists of two parts: cookie-value and signature. Whenever Rails gets a cookie, it verifies that the cookie has not been tampered with by verifying that the hash/signature of the...
Application Security Testing — The Wallarm Approach
Testing the security of corporate applications is a part of everyday life for Ops and DevOps professionals. Larger companies have whole teams dedicated to independent security testing, called Red Teams. These folks use various tools at their disposal to discover the flaws in both application...
Numbers game: Exploring an Integer Overflow vulnerability in the popular nginx web server.
By @aLLy, Wallarm Research There was a very interesting vulnerability discovered in nginx, one of the most popular web/proxy/load balancing servers. This vulnerability leaks information about the application behind the nginx proxy. For example, a specially formed request can retrieve information...
Welcome Our New CMO, Renata Budko
By Ivan Novikov We have ended 2017 with an oomph — having record revenues, on-boarding new marquee Fortune 500 customers and forging new partnerships. We are also growing our team and I would like to welcome Renata Budko joining us as our new Chief Marketing Officer. We’re really excited to have...
What You Should Know About Side-Channel Attacks, Like Meltdown
“The light is on in their window. They must be home.” This is a classic example of a side information channel. They didn’t TELL you they were home. But the side effect of them being home in the evening is the light in the window — which is how you’re pretty sure they are home even though this...
Wallarm Podcast: Security Challenges of 2017 and Predictions for 2018
Right before Christmas, we invited several security professionals to a roundtable event where we discussed how AI is affecting the cybersecurity landscape. While we had them on as panelists, we asked Richard Seiersen, Bill Chen and Sean Todd to share their views on the biggest security...
OWASP Top 10 2017 is Released
The Journey to the New and Improved Ten Most Critical Web Application Security Risks. It was not too long ago that protecting your web server infrastructure consisted of simply placing the servers in their own zone behind the firewall and just opening a couple of ports. Outside of endpoint...
It’s Not Magic — It’s AI
New Whitepaper On How Wallarm AI Works. “Any sufficiently advanced technology is indistinguishable from magic,” Arthur C. Clarke. Ever wanted to look under the covers of a deep learning/artificial intelligence engine? While deep learning algorithms are generally based on neurons combined into a neura...
Wallarm Joins NVIDIA AI Virtual Accelerator
We are thrilled to announce that Wallarm has joined the NVIDIA Inception program, which is designed to nurture startups revolutionizing industries with advancements in AI and data sciences. NVIDIA’s Inception program is a virtual accelerator that helps startups during critical stages of product...
The Good, The Bad and The Ugly of Safari in Client-Side Attacks
I’ve previously published an article about using Safari to compromise a computer file system. Unfortunately, there are more issues with Safari, as we are now finding out. In this post, we will take a look at the possibility of an XSS exploit and a cookie compromise stemming from “unusual” Safari...
Richard Seiersen, CISO of Twilio, Joins Wallarm Board of Advisers
We are excited to welcome Richard Seiersen to the Wallarm advisory team. Richard brings tons of security experience from both start-ups and global companies, and unique views on making the impact of security measurable. We have asked Richard to share some of his thoughts on what’s important in cyber...
The First Step-by-Step Guide for Implementing Neural Architecture Search with Reinforcement…
The First Step-by-Step Guide for Implementing Neural Architecture Search with Reinforcement Learning Using TensorFlow. Our team is no stranger to various flavors of AI, including deep learning (DL). That’s why we immediately noticed when Google came out with the AutoML project, designed to make AI bui...
Randy Bias joins Wallarm board of advisers
Menlo Park, California — December 5, 2017 — Wallarm today announced that Randy Bias, Vice President of Technology and Strategy, Cloud Software at Juniper and founder of Cloudscaling acquired by EMC, has joined Wallarm’s board of advisers. “Randy is an agile cloud pioneer and a thought leader in...
AWS re:Invent 2017: Wallarm Delivers its AI-enabled NG-WAF and scanner to AWS Customers
We are thrilled to be sponsoring this year’s AWS re:INVENT in Las Vegas. With many of our customers using AWS infrastructure it is critical for us to provide a frictionless way to protect APIs, applications and micro-services in AWS environments. Filtering nodes for Wallarm’s NG-WAF with Active...
HOWTO: Prevent your AWS credentials and other secrets from being exposed in code repositories
Uber had AWS credentials exposed on GitHub. As thousands of other companies do. It has been known for a while that nuggets such as private keys and credentials can be found with the GitHub search functionality or with Google dorks so looking for sensitive information in GitHub repositories is not...
From Regular Expressions to AI
Three generations of attack detection methodology. The oldest and best-studied approach is based on signatures and heuristics. Since pre-internet times, this approach has been implemented in most kinds of detection systems, from firewalls to anti-viruses. The second generation represents an...
Horror Stories and Scarecrows of 2017
It is that time of year again when we collectively conjure up ghosts, witches, monsters and other frightening characters for Halloween chills. As children, these scary fiends may have terrified us, but not so much anymore. Yet as adults, we certainly have genuine horror stories that keep us awake...
Major update for Wallarm UI
We’ve just released a couple of features we’re really excited about. Live Threat Verification results: the Active Threat Verification component was always a unique feature of Wallarm. Having the ability to replay the attack/payload against the application or its staging environment gives our...
Visit Wallarm at AWS re:Invent 2017
Wallarm will present its Application Security solutions at AWS re:Invent in Las Vegas, November 27 through December 1st. As a leading provider of AI-driven application security, Wallarm is helping customers running on AWS to implement application security. Wallarm solutions include high-performan...
Why ArtsSEC decided to partner with Wallarm
by Maximiliano Soler (@maxisoler), CTO of ArtsSEC The greatest thing about partnerships is how well the organisations’ expertise complement each other. Our partnership with Wallarm has incredibly exceeded our expectations in their innovation and expertise in web application...
Webinar with Rick Orloff, ex CISO of eBay
Join us at 11 am PDT on Wednesday, September 27 for a live, frank conversation with Rick Orloff, CSO of Code42 and former CISO of eBay. UPDATE: The recorded webinar is available as a podcast: Rick shared his insights about the changing role of security in the new realities of the DevOps world, new...
Lessons Learned from the Equifax Disaster
143 million U.S. consumers, Equifax.com users who may have been affected by the worst data breach in history, are receiving all sorts of advice, including a free TrustedID product license from Equifax. But despite numerous public reports about the incident, there are still many important...
Top-5 stupid security mistakes in web apps
by Ivan Novikov. Image by Byseyhanla, Own work, CC BY-SA 4.0; article re-posted from In this blog entry, I will summarize some commonly overlooked issues which have been affecting many web projects for the last 5 years. All of them are obvious and super predictable and could be used by script kiddie...
Wallarm to sponsor OWASP AppSec USA
If you are a SecOps or DevOps professional you cannot miss the application security event of the year: AppSec USA, September 19–22nd at Disney Coronado Springs Resort, Orlando, FL. Use the code UNLM50WLLRM when registering to get a $50 discount. You will get great information on the new security tools a...
Not all treasure is silver or gold
How Bug Bounty Programs Help Improve SaaS and Web Security. Image by Captain Jack Sparrow, CC BY-SA 3.0. As many companies who have found themselves victims of a debilitating ransomware attack or major data breach have found out, an ounce of prevention is worth a pound of cure. The same is true for...
Wallarm goes to Singapore
Image by Leonid iaitskyi, Own work, CC BY-SA 3.0. What: Hack In The Box GSEC SINGAPORE 2017. When: August 21st — 25th 2017. Where: InterContinental Singapore. Why go: REASON 1: Meet Wallarm and find out how to extend your security team with AI. REASON 2: Go to the talk by Ivan Novikov and find what the...
Threat Intelligence for WAF
It’s all about security rules. Stephen Hawking said, “Intelligence is the ability to adapt to change”. One could say much the same of web application firewalls and WAF security rules. With web applications now one of the most attacked components of IT infrastructures, organizations have a critical...
Wallarm at NGINX.conf
Wallarm is proud to be a gold sponsor of NGINX 2017. nginx.conf is an annual conference for technical professionals who are passionate about delivering better application and web performance. The event takes place on September 6–8 at the Nines Luxury Hotel in Portland, OR. Join us at the...
Wallarm CEO Ivan Novikov joins Forbes Technology Council
White hat security professional and entrepreneur Ivan Novikov has joined the Forbes Technology Council, an invitation-only community that serves as a platform for technology leaders to discuss and solve pressing business challenges with their peers and share their insights with readers on...
New from Wallarm Research: First AI-based Tool to Predict Vulnerability Risk
Wallarm Inc., a leading developer of AI-based Web Application security solutions, and Vulners.com, the security database of software vulnerabilities in machine-readable format, today announced the release of a free vulnerability assessment tool that utilizes a unique neural network...
How to use a single download to remotely steal proprietary files from MacOS
by Anton Lopanitsyn, Wallarm Research Team. Imagine a scary scenario: you open a simple html document, and after a little while, your proprietary files, unbeknownst to you, find their way to somebody else’s hard drive… Documents, source code, SSH keys, passwords… All the files you, the authorized user...
Meet with Wallarm at BlackHat USA 2017
Meet the Wallarm team at BlackHat USA 2017. Start your day with a good cup of coffee and a hearty breakfast at the PRESS lounge. Join the Wallarm team for breakfast on the last day of the BlackHat conference. Meet and network with like-minded white hat security professionals while fueling up for another day of...
Join Wallarm at ISSA’s Cornerstones of Trust event on June 20th
Next week, the local chapter of the Information Systems Security Association (check them out at http://www.sv-issa.org) is organizing a focused security conference looking into the issues of securing end users, enterprise technologies and security processes. Come meet Wallarm to learn about trends and best...
Wallarm Finalist at 2017 Red Herring Top 100 North America
LOS ANGELES — 6.06.2017 — Wallarm has been selected as a finalist for Red Herring’s Top 100 North America award, one of the technology industry’s most prestigious prizes. Finalists for the awards are among the continent’s brightest and most innovative private ventures. Their place among North...
What to look for when considering a WAF?
When web-based applications become important components of business IP, protecting these applications is a key part of doing business. Most IT and DevOps professionals are not asking whether they need a Web Application Firewall (WAF). Instead, they are trying to decide which WAF is right for...
Do you think web passwords are the weakest link in security? Indeed they are.
Between 500K and 500M sets of credentials have been compromised over recent years, according to various sources. Just last week, a compromise of the educational service Edmodo was reported to expose as many as 78M user accounts. At the same time, individual users are exposed to so many...
Wallarm is Kairos Society fellow!
Do you know what Kairos Society is? Frankly speaking, we had never heard of it until the beginning of the year. Now we’re amazed at how lucky we are. Here is why. What is Kairos society? Kairos team reached out to us by saying that we’re one of the nominees for Top50 Innovative Companies 2017 —...
Is Docker Swarm going to change how we do microservices APIs?
During DockerCon a couple of weeks ago, the new native swarm functionality was one of the highlighted themes. What is a swarm? A swarm is a cluster of Docker engines, or nodes, which acts as an orchestrator, monitor and ingress load balancer for all the services deployed on the swarm. The Docker...
Understanding Your Monthly Security Reports
When we first start a conversation with our prospects, we are frequently asked, “Just how will I know that Wallarm is working?” To help answer that, let’s take a look at the report we sent to one of our customers last week to understand what kind of threats Wallarm defends against. Wallarm...
Five Reasons Why I Joined Wallarm
By Johan Nordstrom The question of “what made you change jobs?” may be old, but the answer with my move to Wallarm is new and clear. I have a vision of how to address the dynamic threat landscape of today, and Wallarm’s innovative approach to security is in line with these ideas. In my 30 years caree...
Kong and Wallarm Partner Up to Boost Microservices API Security
Wallarm has partnered with Mashape to provide the microservices community with API security. Mashape enterprise customers who use the Kong API gateway can now quickly add API security protection without changes to the Kong user’s deployment. Read more about the Kong and Wallarm partnership in this blog. Today...
The power of Wallarm search engine
In this article I would like to show and explain my personal use cases of the Wallarm search engine. The cool thing about it is human-readable search with intuitive commands. Just look at this search command before we start: attacks incidents vulns today RCE 502 For a security engineer looking at...
Wallarm Teams up with NGINX Plus to Provide Advanced Security
Wallarm is excited to be a pioneer security vendor in NGINX Certified Module program and provide trusted and verified security functionality to NGINX Plus customers. “We are pleased to announce that Wallarm is now part of the NGINX Plus Certified Module program with the Wallarm Next Generation WA...
Using WebSocket as your Real Time Protocol? Wallarm has got you covered.
In the beginning there was http 1 or 2; web pages were static and did not do much beyond displaying static text and images. Life has changed since… Web applications discovered that bi-directional communication between the browser and the web server is essential. Of course, the http protocol, with it’...
Google’s lessons in security: bring together security engineering and incident response
Last week during the Google Next conference, we heard an interesting talk where a Google security PM, Andy Chang, explained what Google has learned from preventing, detecting and responding to cyber attacks over the years. Not surprisingly, Google is paying a lot of attention to securing the...
How to protect web applications on Google Cloud Platform with WAF?
Many of the developers we speak to are interested in taking advantage of Google Compute Cloud for developing and hosting their web applications. The advantages are many, from reasonable costs to built-in scalability to the high level of availability built right into the platform. However, the develope...
New Struts2 Remote Code Execution exploit caught in the wild
Two days ago Apache published a fix for the new Remote Code Execution vulnerability in Struts2. Struts2 RCE attacks in the wild: this vulnerability allows an attacker to execute arbitrary Java code on the application server. We can confirm that we caught the first exploit for this vulnerability from...
CIOReview names Wallarm in “20 Most Promising Enterprise WebApp Solution Providers”
We are glad to be short-listed amongst the Top-20 most promising solution providers for web apps by CIOReview. This is a good illustration of how we are helping enterprises to secure their web apps. The award main...