Imagine a world where a security researcher becomes aware of a security vulnerability impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new; we've known about them for years, but they're everywhere!
The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.
When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.
This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.
The document discusses recent trends in cyber security. It begins with threat statistics showing a rapid expansion of the cyber security landscape, with the number of data breaches and records exposed increasing significantly each year. It then provides a technical overview of the top threats such as mobile application vulnerabilities, XML entity expansion attacks, SQL injection, and improper use of HTTP headers. The document also covers education and certification opportunities in cyber security, individual research areas, the local job market, and communities like Colombo White Hat Security.
The Anatomy of Java Vulnerabilities (Devoxx UK 2017) - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
Rapid Malware Analysis / Crowdsourced Malware Triage - Positive Hack Days
Presenters: Sergei Frankoff and Sean Wilson
Malware triage is the process of quickly analysing potentially dangerous files or URLs. Any well-designed security incident response system has this important capability. But what if you have no incident response program in place? What if you have only just started setting one up? What if you have no software tools for performing the analysis? A well-chosen free online tool, a web browser and a notepad are all you need. In this workshop, participants will triage malware themselves. The presenter will provide information about the necessary tools.
Anatomy of Java Vulnerabilities - NLJug 2018 - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting.
We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in reducing security issues in Java.
The document discusses vulnerabilities in JSON Web Tokens (JWT). It begins by introducing JWTs and their typical uses. It then covers the JWT format and components like the header, payload, and signature. Various signing algorithms are presented. Attacks like open redirects, header injection, and algorithm downgrades are demonstrated through abusing the "jku" and "x5u" parameters. Recommendations are provided like using strong keys, reviewing libraries, enforcing algorithms, and testing for vulnerabilities. In conclusion, JWTs are complex and insecure by design, so careful implementation and testing is needed.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is.
[Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Cont... - Rakuten Group, Inc.
This document summarizes a presentation about integrating security checks into continuous integration workflows. It discusses recent security incidents like Heartbleed and Shellshock to demonstrate that regular security updates are needed. It promotes testing applications continuously using CI tools rather than just before release. Open-source security scanning tools like OWASP ZAP and Nmap are presented for checking web applications and infrastructure as part of CI pipelines. The document also introduces Walti.io as a service for easily running security scans from a dashboard at a low cost in a continuous manner.
Codeception Testing Framework -- English #phpkansai - Florent Batard
The document discusses introducing Codeception, a PHP testing framework. It begins with an agenda that includes a presentation on Codeception, different test types, a demonstration, and best practices. It then introduces the speaker, Florent Batard, who is a security engineer and web developer from France. He explains why testing is important for reducing assumptions and validating that code runs as expected. The bulk of the document then focuses on Codeception, explaining what it is, how it works, the different types of tests it supports including acceptance, functional, and unit tests, and how to install and use it. Code examples are provided and it concludes with referencing materials and opening the floor for questions.
The Emergent Cloud Security Toolchain for CI/CD - James Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand what DevSecOps really means, without all the hype.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Modern Web Security, Lazy but Mindful Like a Fox - C4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2hYU0cd.
Albert Yu presents a few viable, usable and effective defensive techniques that developers have often overlooked. Filmed at qconsf.com.
Albert Yu is currently working as a principal engineer for the Trust Engineering team at Atlassian. He has spent 15 years exposing himself to many different aspects of a security program, including security engineering, R&D, product reviews, code review, penetration testing, governance and compliance, risk management, and incident response, in large-scale environments.
This document provides an overview of application security and the Open Web Application Security Project (OWASP). It discusses what OWASP is, its history and Top 10 list. It also provides resources for learning application development, security testing tools like Nikto and ZAP, and places to learn about application security for free like OWASP itself. The presentation concludes by emphasizing the need for application security practitioners and thanking attendees.
Geecon 2017 Anatomy of Java Vulnerabilities - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The DevSecOps Builder’s Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
The Emergent Cloud Security Toolchain for CI/CD - James Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of devops and devsecops.
Work with Developers for Fun and Progress - AppSec California - leifdreizler
The document discusses building an effective security team and program. It recommends getting organizational buy-in, building a team through involvement in meetups and open source contributions, and shifting security left through training developers in secure coding practices like code reviews that focus on common vulnerabilities. It also emphasizes the importance of successful vendor adoption through integration and embedding security engineers with development teams.
Nowadays REST APIs are behind every mobile app and nearly all web applications. As such they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
* how to find hidden API interfaces
* ways to detect available methods and parameters
* fuzzing and pentesting techniques for API calls
* typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
Maturing DevSecOps: From Easy to High Impact - SBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
* Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
* Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
* Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
(java2days) The Anatomy of Java Vulnerabilities - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just as much at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
This document discusses deploying code directly to production using a "scientist approach" with experiments. It introduces the speaker and defines deploying directly as making developers owners of their own code who can deploy and rollback changes. It advocates for smaller, more frequent changes and discusses fail fast/fix fast principles. The rest of the document describes using the Scientist framework which allows experimenting with live code changes without risk through techniques like branch by abstraction, feature flags and canary deployments.
You've heard all about what microservices can do for you. You're convinced. So you build some. Reasoning about your functionality is way easier: these services are so simple! Then you get to the point where you have 35 microservices, and all the monitoring and alerting tactics you used for your monoliths are a complete disaster. Something needs to change and this talk will explain what and how.
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020 - Matt Raible
Remember the choose your own adventure books that you used to read as a kid? This session is a reincarnation of a choose your own adventure book as a conference talk!
You'll learn about Spring Boot, Docker, and Kubernetes in this talk, along with the choices you make in the following areas:
* What kind of application architecture to build? Monolith or microservices?
* Would you like to use Java or Kotlin?
* MySQL, PostgreSQL, or MongoDB?
* Spring MVC or Spring WebFlux?
* Angular, React, or Vue.js?
* PWA or mobile app?
* Istio with Kubernetes or Kubernetes without Istio?
GitHub repos of demos:
* Monolith: https://github.com/mraible/healthy-hipster
* Microservices: https://github.com/mraible/ujug-microservices
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods - Splunk
The document discusses an introductory presentation on security analytics methods. It includes an agenda that covers an introduction to analytics methods, an example scenario, and next steps. It also discusses common security challenges, different analytics methods and types of use cases, and how analytics can be applied to different stages of an attack.
The document summarizes a talk on using the MITRE ATT&CK framework to guide threat hunting and detection efforts. It provides an overview of ATT&CK, describes how to perform a preliminary assessment to prioritize techniques, and discusses using open source projects mapped to ATT&CK to improve coverage. It also cautions that alerting and hunting require different approaches, and that false positives should be addressed through dashboards rather than stopping detection development.
The presentation paper will touch on our recent contribution to improving the current WordPress security ecosystem. WordPress has grown from just being a blogging platform to a full-fledged CMS application, and hence people are increasingly using it for a multitude of projects and purposes. The WordPress ecosystem has recently been targeted with a large number of security issues, and we have witnessed the whole depth and breadth of the OWASP Top 10 being exploitable in multiple instances. Today’s statistics on WordPress show that there are more than 28,000 plugins and close to 2,000 themes. However, from a security standpoint we have also seen a painful growing trend of issues that crop up with both WordPress core and the plugin and theme sections. We have decided to stop being spectators and contribute to the cause, and hence we are doing the following, which will be part of the final outcome:
Analyze the existing vulnerabilities and new issues being reported on a regular basis.
Identify new issues within the plugins and themes (WordPress core is a secondary target), report the issue, and get the patch released or get the plugin closed on the WordPress repository. The research/presentation will also describe methods of automating the discovery of vulnerabilities across the entire list of 28K plugins and 2K themes.
We will strive to get the issues fixed and only then release the details. However, in case the plugin/theme author is not responding and we can only get the plugin closed, we will go ahead with the disclosure in order to get the issue out in public. The final outcome/presentation will cover the vulnerability landscape, common issues and quick fixes for those issues, and will also coincide with a comprehensive guideline for developers to protect their own plugins. We will be updating all our vulnerabilities on our website (to be disclosed) as and when they are patched.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... - CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl - CODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
Similar to [cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All by Jonathan Leitschuh
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand the real meaning of DevSecOps is without all the hype.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Modern Web Security, Lazy but Mindful Like a FoxC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2hYU0cd.
Albert Yu presents a few viable, usable and effective defensive techniques that developers have often overlooked. Filmed at qconsf.com.
Albert Yu is currently working as a principal engineer for the Trust Engineering team in Atlassian. He has spent 15 years exposing himself to many different aspects of a security program, including security engineering, R&D, product reviews, code review, penetration test, governance and compliance, risk management, incident response, in large scale environment.
This document provides an overview of application security and the Open Web Application Security Project (OWASP). It discusses what OWASP is, its history and Top 10 list. It also provides resources for learning application development, security testing tools like Nikto and ZAP, and places to learn about application security for free like OWASP itself. The presentation concludes by emphasizing the need for application security practitioners and thanking attendees.
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
The Emergent Cloud Security Toolchain for CI/CD - James Wickett
Security is in crisis and it needs a new way to move forward. This talk, from the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of DevOps and DevSecOps.
Work with Developers for Fun and Progress - AppSec California - leifdreizler
The document discusses building an effective security team and program. It recommends getting organizational buy-in, building a team through involvement in meetups and open source contributions, and shifting security left through training developers in secure coding practices like code reviews that focus on common vulnerabilities. It also emphasizes the importance of successful vendor adoption through integration and embedding security engineers with development teams.
Nowadays REST APIs are behind every mobile application and nearly all web applications. As such they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
* how to find hidden API interfaces
* ways to detect available methods and parameters
* fuzzing and pentesting techniques for API calls
* typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
Maturing DevSecOps: From Easy to High Impact - SBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
* Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
* Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
* Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
(java2days) The Anatomy of Java Vulnerabilities - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin, right? Well, maybe not. Java on the server can be just as at risk as the client. In this talk we’ll cover all aspects of Java vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed, as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tackling security issues in Java.
This document discusses deploying code directly to production using a "scientist approach" with experiments. It introduces the speaker and defines deploying directly as making developers owners of their own code who can deploy and rollback changes. It advocates for smaller, more frequent changes and discusses fail fast/fix fast principles. The rest of the document describes using the Scientist framework which allows experimenting with live code changes without risk through techniques like branch by abstraction, feature flags and canary deployments.
You've heard all about what microservices can do for you. You're convinced. So you build some. Reasoning about your functionality is way easier: these services are so simple! Then you get to the point where you have 35 microservices, and all the monitoring and alerting tactics you used for your monoliths are a complete disaster. Something needs to change and this talk will explain what and how.
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020 - Matt Raible
Remember the choose your own adventure books that you used to read as a kid? This session is a reincarnation of a choose your own adventure book as a conference talk!
You'll learn about Spring Boot, Docker, and Kubernetes in this talk, along with the choices you make in the following areas:
* What kind of application architecture to build? Monolith or microservices?
* Would you like to use Java or Kotlin?
* MySQL, PostgreSQL, or MongoDB?
* Spring MVC or Spring WebFlux?
* Angular, React, or Vue.js?
* PWA or mobile app?
* Istio with Kubernetes or Kubernetes without Istio?
GitHub repos of demos:
* Monolith: https://github.com/mraible/healthy-hipster
* Microservices: https://github.com/mraible/ujug-microservices
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods - Splunk
The document discusses an introductory presentation on security analytics methods. It includes an agenda that covers an introduction to analytics methods, an example scenario, and next steps. It also discusses common security challenges, different analytics methods and types of use cases, and how analytics can be applied to different stages of an attack.
The document summarizes a talk on using the MITRE ATT&CK framework to guide threat hunting and detection efforts. It provides an overview of ATT&CK, describes how to perform a preliminary assessment to prioritize techniques, and discusses using open source projects mapped to ATT&CK to improve coverage. It also cautions that alerting and hunting require different approaches, and that false positives should be addressed through dashboards rather than stopping detection development.
The presentation paper will touch on our recent contribution to improve the current WordPress security ecosystem. WordPress in itself has grown from just being a blogging platform to a full-fledged CMS application, and hence people are increasingly using it for a multitude of projects or purposes. The WordPress ecosystem has recently been targeted with a large number of security issues, and we have witnessed the whole depth and breadth of the OWASP Top 10 being exploitable in multiple instances. Today’s statistics on WordPress show that there are more than 28000+ plugins and close to 2000+ themes. However, from a security standpoint we have also seen a painful growing trend of the issues that crop up with both WordPress core as well as the plugin and theme sections. We have decided to stop being a spectator and contribute to the cause, and hence we are doing the following activity, which will be part of the final outcome:
* Analyze the existing vulnerabilities and new issues being reported on a regular basis.
* Identify new issues within the plugins and themes (WordPress core we are targeting as a secondary target), report the issue, get the patch released or get the plugin closed on the WordPress repository. The research/presentation will also describe methods of automating ways to discover vulnerabilities on the entire 28K list of plugins and 2K themes.
We will strive to get the issues fixed and only then release the details. However, in case the plugin/theme author is not responding and we can only get the plugin closed, then we will go ahead with the disclosure in order to get the issue out in public. The final outcome / presentation will touch base on the vulnerability landscape, common issues and quick fixes for those issues, and will also coincide with a comprehensive guideline for developers to protect their own plugins. We will be updating all our vulnerabilities on our website (will be disclosed) as and when they are patched.
Similar to [cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All by Jonathan Leitschuh
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... - CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl - CODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... - CODE BLUE
The printer has become one of the essential devices in the corporate intranet over the past few years, and its functionality has also increased significantly. Beyond print and fax, cloud printing services like AirPrint are also supported to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or a traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use an RTOS (Real-Time Operating System) instead; how will this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in the RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... - CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... - CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP-derived techniques and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla... - CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti... - CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info... - CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”... - CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it hard for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... - CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and discusses the merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... - CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, such tool development and system maintenance cost a lot. Incident trends change daily, and malware keeps evolving, so it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces their time for the necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend... - Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
This presentation by OECD, OECD Secretariat, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation by OECD, OECD Secretariat, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation by Yong Lim, Professor of Economic Law at Seoul National University School of Law, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
The importance of sustainable and efficient computational practices in artificial intelligence (AI) and deep learning has become increasingly critical. This webinar focuses on the intersection of sustainability and AI, highlighting the significance of energy-efficient deep learning, innovative randomization techniques in neural networks, the potential of reservoir computing, and the cutting-edge realm of neuromorphic computing. This webinar aims to connect theoretical knowledge with practical applications and provide insights into how these innovative approaches can lead to more robust, efficient, and environmentally conscious AI systems.
Webinar Speaker: Prof. Claudio Gallicchio, Assistant Professor, University of Pisa
Claudio Gallicchio is an Assistant Professor at the Department of Computer Science of the University of Pisa, Italy. His research involves merging concepts from Deep Learning, Dynamical Systems, and Randomized Neural Systems, and he has co-authored over 100 scientific publications on the subject. He is the founder of the IEEE CIS Task Force on Reservoir Computing, and the co-founder and chair of the IEEE Task Force on Randomization-based Neural Networks and Learning Systems. He is an associate editor of IEEE Transactions on Neural Networks and Learning Systems (TNNLS).
This presentation by Katharine Kemp, Associate Professor at the Faculty of Law & Justice at UNSW Sydney, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Tim Capel, Director of the UK Information Commissioner’s Office Legal Service, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All by Jonathan Leitschuh
1. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Scaling the Security Researcher
to
Eliminate OSS Vulnerabilities
Once and for All
- Jonathan Leitschuh -
- Patrick Way -
- Jonathan Leitschuh -
Software Engineer & Security Researcher
Dan Kaminsky Fellowship @ HUMAN Security
GitHub Star & GitHub Security Ambassador
Twitter: @JLLeitschuh
GitHub: JLLeitschuh
Hello!
- Patrick Way -
Senior Software Engineer
OpenRewrite Team @ Moderne
Twitter: @WayPatrick
GitHub: pway99
Hello!
Disclaimer
Supported by
The Dan Kaminsky Fellowship
at HUMAN Security
Chester Higgins/The New York Times
Spoilers!
Zip Slip
152 Pull Requests!
It Started
With a Simple Vulnerability
HTTP Download of Dependencies in the Java Ecosystem
// build.gradle
maven {
    setUrl("http://dl.bintray.com/kotlin/ktor")
}
Why is HTTPS important?
HTTP Download of Dependencies in the Java Ecosystem
<!-- Compiler & Test Dependencies -->
<repositories>
    <repository>
        <id>example-id</id>
        <name>Example insecure repository</name>
        <url>http://[SOME URL HERE]</url>
    </repository>
</repositories>
<!-- Artifact upload - Credentials!! -->
<distributionManagement>
    <repository>
        <id>example-id</id>
        <name>Example insecure repository</name>
        <url>http://[SOME URL HERE]</url>
    </repository>
</distributionManagement>
This Vulnerability was Everywhere!
Who else was vulnerable?
“25% of Sonatype Maven Central downloads are still using HTTP”
- Sonatype June 2019 -
How do we fix this?
Decommissioning HTTP Support
On or around January 15th, 2020
● Maven Central (Sonatype)
● JCenter (JFrog)
● Spring (Pivotal)
● Gradle Plugin Portal (Gradle)
However!
“20% of Sonatype Maven Central Traffic is STILL using HTTP”
- Sonatype January 2020 -
You can imagine what happened...
January 15th, 2020
We stopped the bleeding
What about the other repositories?
Only the most commonly used repositories
● Maven Central (Sonatype)
● JCenter (JFrog)
● Spring (Pivotal)
● Gradle Plugin Portal (Gradle)
How do we fix the rest?
Bulk Pull Request Generation!
How?
CodeQL
import java
import semmle.code.xml.MavenPom

private class DeclaredRepository extends PomElement {
  DeclaredRepository() {
    this.getName() = "repository" or
    this.getName() = "snapshotRepository" or
    this.getName() = "pluginRepository"
  }

  string getUrl() { result = getAChild("url").(PomElement).getValue() }

  predicate isInsecureRepositoryUsage() {
    getUrl().matches("http://%") or
    getUrl().matches("ftp://%")
  }
}

from DeclaredRepository repository
where repository.isInsecureRepositoryUsage()
select repository,
  "Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository " +
    repository.getUrl()
CodeQL scans 100Ks of OSS Projects
$2,300 Bounty
Pull Request Generator
Version 1
● Python Based
● Wrapper over ‘hub’ CLI
● One Nasty Regular Expression
● Bouncing off GitHub’s rate limiter
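As an added example (it is neither the talk's Python generator nor the CodeQL query itself), the following Python applies the same rule as the query above to a pom.xml: any repository, snapshotRepository or pluginRepository element whose url child starts with http:// or ftp:// is reported, and the http to https change is then made as an edit on the original text rather than by re-serialising the parsed tree, so indentation and comments survive exactly, which is what a maintainer-facing pull request needs. The sample pom, the .invalid hostnames and the function names are constructed for this example.

```python
"""Find insecure Maven repository URLs in a pom.xml and rewrite http:// ones to https://.

Added example, not the talk's code. Detection mirrors the CodeQL query on the
slide: repository / snapshotRepository / pluginRepository elements whose <url>
starts with http:// or ftp://. Rewriting edits the original text in place so
the file's formatting is preserved.
"""
import re
import xml.etree.ElementTree as ET

# Element names the query treats as repository declarations.
REPOSITORY_TAGS = {"repository", "snapshotRepository", "pluginRepository"}
INSECURE_SCHEMES = ("http://", "ftp://")


def _local_name(tag: str) -> str:
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_repository_urls(pom_xml: str) -> list:
    """Return (element name, url) for every repository declared over http:// or ftp://.

    Only <url> children of repository elements count, so <scm> or <organization>
    URLs, which are not artifact transports, are not reported.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) not in REPOSITORY_TAGS:
            continue
        for child in elem:
            if _local_name(child.tag) == "url":
                url = (child.text or "").strip()
                if url.startswith(INSECURE_SCHEMES):
                    findings.append((_local_name(elem.tag), url))
    return findings


def rewrite_to_https(pom_xml: str) -> tuple:
    """Rewrite http:// repository URLs to https:// and return (new text, skipped urls).

    ftp:// URLs are reported but left alone: there is no mechanical replacement,
    so a human must choose one. Replacement is a textual edit of the exact URL
    inside its <url> element; nothing else in the file is touched.
    """
    skipped = []
    text = pom_xml
    for _name, url in find_insecure_repository_urls(pom_xml):
        if not url.startswith("http://"):
            skipped.append(url)
            continue
        secure = "https://" + url[len("http://"):]
        pattern = r"(<url>\s*)" + re.escape(url) + r"(\s*</url>)"
        text = re.sub(pattern, lambda m: m.group(1) + secure + m.group(2), text)
    return text, skipped


# Constructed sample pom (not a real project); the xmlns value is an attribute,
# not a <url> element, and must survive the rewrite untouched.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <!-- constructed sample -->
  <scm>
    <url>http://example.invalid/scm</url>
  </scm>
  <repositories>
    <repository>
      <id>plain-http</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
    <repository>
      <id>already-secure</id>
      <url>https://repo.example.invalid/secure</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>legacy-ftp</id>
      <url>ftp://ftp.example.invalid/plugins</url>
    </pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <snapshotRepository>
      <id>deploy</id>
      <url>http://deploy.example.invalid/snapshots</url>
    </snapshotRepository>
  </distributionManagement>
</project>
"""

if __name__ == "__main__":
    for name, url in find_insecure_repository_urls(SAMPLE_POM):
        print(f"{name}: {url}")
    fixed, left = rewrite_to_https(SAMPLE_POM)
    print(fixed)
    print("needs manual attention:", left)
```

The <scm> URL and the namespace declaration are deliberately left as they are: a regex that blindly swaps every http:// in the file would change both and produce a pull request a maintainer would rightly reject.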
It worked!
HTTP Download of Dependencies
1,596 Pull Requests
~40% Merged or Accepted
$4,000
Thanks to the GitHub Security Lab!
There’s more still out there
More Pull Request Generation
For this in the Future!
I got hooked on
Bulk Pull Request Generation
I have a Problem
I was finding too many security vulnerabilities!
I needed automation!
Automated Accurate Transformations
at a
Massive Scale
OpenRewrite
Abstract Syntax Tree (AST)
Format Preserving AST
Whitespace and comments are preserved
Tabs
Spaces
Braces on new line
Generated code matches the Surrounding Formatting
log.info("...");
Is that log4j, slf4j, LogBack?
Accurate Transformations Require
Fully Type-attributed ASTs
The OpenRewrite AST is both
Syntactically and Semantically aware.
With type attribution and formatting
Syntax alone
Even simple code produces complex AST
With the ability to Transform Code
How can we transform source files while
preserving the style?
Open Rewrite
● Automatically Detects the Code Style during Parsing
● Provides a Templating Engine to add New Source Code
● Auto-format applies the detected style
Transform ASTs using AutoFormat and the JavaTemplate
Easily transform ASTs using AutoFormat and the JavaTemplate
// Zip Slip guard as a template; #{any(java.nio.file.Path)} marks a typed parameter
String template =
    "if(!#{any(java.nio.file.Path)}.normalize().startsWith(#{any(java.nio.file.Path)})){throw new RuntimeException(\"Bad zip entry\");}";
block = maybeAutoFormat(
    block,
    block.withTemplate(JavaTemplate.builder(this::getCursor, template).build(),
        resolvePathStatement.getCoordinates().after(),
        zipEntryArg, parentDirArg),
    ctx);
JavaTemplate template = JavaTemplate.builder(this::getCursor,
    "if(!#{any(java.nio.file.Path)}.normalize().startsWith(#{any(java.nio.file.Path)})){throw new RuntimeException(\"Bad zip entry\");}").build();
Data and Control flow are new additions to
rewrite…
What is possible now?
What other vulnerabilities can we fix?
Three Vulnerabilities
1. Temporary Directory Hijacking
2. Partial Path Traversal
3. Zip Slip
Vulnerability #1
Temporary Directory Hijacking
Temporary Directory on
Unix-Like Systems is
Shared between All Users
Temporary Directory Hijacking - Vulnerable
File f = File.createTempFile(
    "prefix",
    "suffix"
);
f.delete();
// 🏁 Race condition
f.mkdir(); // Returns `false`
Temporary Directory Hijacking - Imperfect Fix
File f = File.createTempFile(
    "prefix",
    "suffix"
);
f.delete();
if(!f.mkdir())
    throw new IOException("Error");
Temporary Directory Hijacking - Fix
// Since Java 1.7
File f =
    Files
        .createTempDirectory("prefix")
        .toFile();
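An added example, not code from the talk, that plays the three Java shapes above back in Python on a POSIX system: the name-then-create pattern (tempfile.mktemp() followed by a separate makedirs, like createTempFile() + delete() + mkdir()), the "imperfect fix" that only detects a lost race, and the atomic creation that the Java fix corresponds to (tempfile.mkdtemp() plays the role of Files.createTempDirectory()). The function names, the throwaway root directory and the pre-created directory that stands in for another local user winning the race are the example's own.

```python
"""Temporary directories: the racy create pattern beside the atomic one.

Added example, not code from the talk. Reserving a name and creating the
directory in a second step leaves a window in which any other local user
can create that name first, because the temp directory is shared;
tempfile.mkdtemp() creates the directory atomically with mode 0700.
Assumes POSIX permission semantics.
"""
import os
import shutil
import stat
import tempfile


def reserve_name(root: str) -> str:
    """Step 1 of the racy pattern: an unused name, like createTempFile() + delete()."""
    return tempfile.mktemp(prefix="prefix", dir=root)


def create_vulnerable(path: str) -> str:
    """Step 2, vulnerable: exist_ok=True adopts a directory someone else created,
    the same way the Java code ignores mkdir() returning false."""
    os.makedirs(path, exist_ok=True)
    return path


def create_imperfect(path: str) -> str:
    """Step 2, 'imperfect fix': a lost race is detected (FileExistsError is the
    analogue of checking mkdir()'s result), but the directory is created with
    the process umask, so it is usually readable by every other user."""
    os.mkdir(path)
    return path


def create_safe(root: str) -> str:
    """The fix: one atomic system call, mode 0700, no name to hijack in between."""
    return tempfile.mkdtemp(prefix="prefix", dir=root)


def is_private_directory(path: str) -> bool:
    """Directory exists, is owned by this uid, and group/others have no access.

    POSIX only; on other platforms only existence is checked.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if os.name != "posix":
        return True
    return st.st_uid == os.getuid() and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def demo() -> dict:
    """Exercise each variant under a throwaway root and report what it produced."""
    root = tempfile.mkdtemp(prefix="tmpdir-demo-")
    old_umask = os.umask(0o022)  # a typical default umask, so the imperfect fix is visible
    try:
        # Lost race, vulnerable pattern: the name is taken before step 2 runs
        # (constructed here to stand in for another local user) and step 2 does not notice.
        taken = reserve_name(root)
        os.mkdir(taken, 0o777)
        vulnerable = create_vulnerable(taken)
        # Lost race, imperfect fix: step 2 refuses the pre-existing directory.
        taken2 = reserve_name(root)
        os.mkdir(taken2)
        try:
            create_imperfect(taken2)
            imperfect_detected = False
        except FileExistsError:
            imperfect_detected = True
        # Race won, imperfect fix: created, but with umask permissions (0755 here).
        imperfect = create_imperfect(reserve_name(root))
        safe = create_safe(root)
        return {
            "vulnerable_returned_taken_dir": vulnerable == taken,
            "vulnerable_private": is_private_directory(vulnerable),
            "imperfect_detected_lost_race": imperfect_detected,
            "imperfect_private": is_private_directory(imperfect),
            "safe_private": is_private_directory(safe),
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the same as the slides: checking the result of the second step closes the silent-adoption hole but still leaves a directory other users can read, and only the single atomic call with a restrictive mode removes both problems.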
Temporary Directory Hijacking - CVEs
● CVE-2022-27772 - Spring Boot
● CVE-2021-20202 - Keycloak
● CVE-2021-21331 - DataDog API
● CVE-2020-27216 - Eclipse Jetty
● CVE-2020-17521 - Apache Groovy
● CVE-2020-17534 - Apache netbeans-html4j
Temporary Directory Hijacking - Pull Request Statistics
64 Pull Requests!
Temporary Directory Hijacking - Pull Requests
Temporary Directory Hijacking - Putting it all together
Vulnerability #2
Partial Path Traversal
Allows an attacker access to a sibling
directory with the same prefix
"/user/sam"
"/user/samantha"
Partial Path Traversal - Vulnerability
File dir = new File(
    parent, userControlled()
);
if (!dir.getCanonicalPath()
        .startsWith(parent.getCanonicalPath())) {
    throw new IOException(
        "Detected path traversal attack!"
    );
}
new File("/user/sam/")
File.getCanonicalPath()
"/user/sam"
(getCanonicalPath() drops the trailing separator, so the prefix actually compared is "/user/sam".)
Partial Path Traversal - Vulnerability
File dir = new File(
    "/user/sam/", userControlled()
);
if (!dir.getCanonicalPath()
        .startsWith("/user/sam")) {
    ...
}
Partial Path Traversal - Vulnerability
File dir = new File(
    "/user/sam/", "../samantha/baz"
);
if (!"/user/samantha/baz"
        .startsWith("/user/sam")) {
    throw new IOException(
        "Detected path traversal attack!"
    );
}
❌
Partial Path Traversal
Fix!
Partial Path Traversal - Vulnerability
if (!dir.getCanonicalPath()
        .startsWith(parent.getCanonicalPath())) {
    ...
}
Partial Path Traversal - Fix #1
if (!dir.getCanonicalPath()
        .startsWith(parent.getCanonicalPath() +
            File.separatorChar)) {
    ...
}
Partial Path Traversal - Fix #2 - Better
if (!dir.getCanonicalFile()
        .toPath().startsWith(
            parent.getCanonicalFile().toPath())) {
    ...
} ✅
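An added example, not code from the talk, reproducing the sibling-directory case and both fixes in Python: os.path.realpath() stands in for File.getCanonicalPath(), Fix #1 appends the separator to the prefix, and Fix #2 compares whole path components via os.path.commonpath(), which is what Java's Path.startsWith() does. The component-wise check is also the one the Zip Slip JavaTemplate earlier in the deck inserts (entry.normalize().startsWith(dir)), so the same function is applied to constructed zip entry names. The paths under /user and /srv, the entry names and the function names are constructed for this example.

```python
"""Containment checks for user-controlled paths: string prefix vs path components.

Added example, not code from the talk. os.path.realpath() plays the role of
File.getCanonicalPath(); the three checks mirror the slides' vulnerable form,
Fix #1 (separator appended) and Fix #2 (component-wise comparison). The
component-wise check is also applied to zip entry names (the Zip Slip case).
"""
import os
import posixpath


def is_inside_vulnerable(parent: str, candidate: str) -> bool:
    """The slide's check: plain string prefix on canonical paths.

    "/user/samantha/baz".startswith("/user/sam") is True, so a sibling
    directory that shares the prefix passes.
    """
    return os.path.realpath(candidate).startswith(os.path.realpath(parent))


def is_inside_fix1(parent: str, candidate: str) -> bool:
    """Fix #1: demand the separator after the prefix.

    Caveat: candidate == parent is now rejected, and a parent of "/" would
    produce the prefix "//", so callers need a special case for those.
    """
    return os.path.realpath(candidate).startswith(os.path.realpath(parent) + os.sep)


def is_inside_fix2(parent: str, candidate: str) -> bool:
    """Fix #2: compare whole path components (Java's Path.startsWith semantics)."""
    parent_real = os.path.realpath(parent)
    candidate_real = os.path.realpath(candidate)
    return os.path.commonpath([parent_real, candidate_real]) == parent_real


def resolve_under(parent: str, user_controlled: str) -> str:
    """new File(parent, userControlled()) followed by the component-wise check."""
    target = os.path.join(parent, user_controlled)
    if not is_inside_fix2(parent, target):
        raise ValueError("Detected path traversal attack!")
    return os.path.realpath(target)


def safe_zip_entries(entry_names, dest_dir):
    """Split zip entry names into (accepted, rejected) relative to dest_dir.

    Zip entry names use "/" on every platform. An absolute name or one that
    climbs out of dest_dir is rejected; "sub/../x" that stays inside is kept.
    """
    accepted, rejected = [], []
    for name in entry_names:
        target = os.path.join(dest_dir, posixpath.normpath(name))
        (accepted if is_inside_fix2(dest_dir, target) else rejected).append(name)
    return accepted, rejected


def demo() -> dict:
    """Run the slides' constructed cases and report each check's verdict."""
    parent = "/user/sam"
    sibling = os.path.join(parent, "../samantha/baz")   # the slide's "../samantha/baz"
    child = os.path.join(parent, "docs/report.txt")
    try:
        resolve_under(parent, "../samantha/baz")
        detected = False
    except ValueError:
        detected = True
    return {
        "vulnerable_passes_sibling": is_inside_vulnerable(parent, sibling),
        "fix1_passes_sibling": is_inside_fix1(parent, sibling),
        "fix2_passes_sibling": is_inside_fix2(parent, sibling),
        "fix2_passes_child": is_inside_fix2(parent, child),
        "fix1_passes_parent_itself": is_inside_fix1(parent, parent),
        "fix2_passes_parent_itself": is_inside_fix2(parent, parent),
        "resolve_under_detects_sibling": detected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(safe_zip_entries(["a/b.txt", "../escape.txt", "sub/../c.txt", "/abs.txt"], "/srv/extract"))
```

Fix #2 is preferred for the same reason as on the slides: it needs no special case for the parent itself or for the filesystem root, because it never reasons about characters, only about components.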
How do we find this vulnerability?
Partial Path Traversal - Vulnerability
if (!dir.getCanonicalPath()
        .startsWith(parent.getCanonicalPath())) {
    ...
}
Partial Path Traversal - Safe
if (!dir.getCanonicalPath()
        .startsWith(parent.getCanonicalPath() +
            File.separatorChar)) {
    ...
}
It can’t be that easy, can it?
Partial Path Traversal - Vulnerability
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath();
if (!dirCanonical
        .startsWith(pCanonical)) {
    ...
}
Partial Path Traversal - Vulnerability
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
    File.separatorChar;
if (!dirCanonical
        .startsWith(pCanonical)) {
    ...
}
We need Data Flow Analysis
131. Partial Path Traversal - Data Flow

    String dirCanonical = dir.getCanonicalPath();
    String pCanonical = parent.getCanonicalPath() +
            File.separatorChar;
    if (!dirCanonical.startsWith(pCanonical)) {
        ...
    }

The value that reaches startsWith is built two statements earlier: getCanonicalPath() is the source, the concatenation with File.separatorChar happens on the way, and the startsWith call is the sink. Following that path through the assignments is data-flow analysis, and it also has to survive an intermediate alias:

135. Partial Path Traversal - Data Flow

    String dirCanonical = dir.getCanonicalPath();
    String pCanonical = parent.getCanonicalPath() +
            File.separatorChar;
    String pCanonical2 = pCanonical;
    if (!dirCanonical.startsWith(pCanonical2)) {
        ...
    }
136. Data Flow: uncovers hard-to-find vulnerabilities and prevents false positives
137. Data Flow Analysis

An OpenRewrite LocalFlowSpec names the source (a call to File.getCanonicalPath()) and the sink (here: the expression that is the receiver of String.startsWith(String)); the framework then decides whether a value flows from one to the other.

    import org.openrewrite.Cursor;
    import org.openrewrite.java.MethodMatcher;
    import org.openrewrite.java.tree.Expression;
    import org.openrewrite.java.tree.J;
    // LocalFlowSpec and InvocationMatcher come from OpenRewrite's data-flow
    // package; its location has moved between rewrite releases, so check the
    // version you build against.

    class GetCanonicalPathToStartsWithLocalFlow
            extends LocalFlowSpec<J.MethodInvocation, Expression> {

        @Override
        public boolean isSource(J.MethodInvocation methodInvocation, Cursor cursor) {
            // Source: any call to java.io.File#getCanonicalPath()
            return new MethodMatcher("java.io.File getCanonicalPath()")
                    .matches(methodInvocation);
        }

        @Override
        public boolean isSink(Expression expression, Cursor cursor) {
            // Sink: the expression at the cursor is the receiver ("select")
            // of a java.lang.String#startsWith(String) invocation
            return InvocationMatcher
                    .fromMethodMatcher(
                            new MethodMatcher("java.lang.String startsWith(java.lang.String)"))
                    .advanced()
                    .isSelect(cursor);
        }
    }
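What a LocalFlowSpec has to do between its source and its sink, as an added example in Python (not OpenRewrite code and not from the talk): a small local data-flow pass over Python's ast module that follows a canonical-path value through assignments, an alias, and a separator concatenation into a startswith call. The four sample snippets are constructed and written in Python syntax with the same shapes as slides 127 to 135; os.path.realpath stands in for getCanonicalPath(). It flags the direct and the aliased vulnerable forms, stays quiet on the fixed form, and stays quiet on an unrelated startswith, which is the false-positive case slide 136 refers to.

```python
import ast
from typing import Dict, List, Optional

# Calls treated as the source: the expression yields a canonical path string.
CANONICAL_SOURCES = {"realpath", "getCanonicalPath"}

# Abstract values tracked per expression and per variable.
CANON = "canonical"          # bare canonical path: a vulnerable prefix
CANON_SEP = "canonical+sep"  # canonical path with a separator appended: safe prefix


def _is_separator(node: ast.AST) -> bool:
    """os.sep / os.path.sep, or a literal '/' or '\\'."""
    if isinstance(node, ast.Attribute):
        return node.attr == "sep"
    return isinstance(node, ast.Constant) and node.value in ("/", "\\")


def label_of(node: ast.AST, env: Dict[str, Optional[str]]) -> Optional[str]:
    """Abstract value of an expression, following variables through env."""
    if isinstance(node, ast.Name):
        return env.get(node.id)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr in CANONICAL_SOURCES:
            return CANON
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        if label_of(node.left, env) == CANON and _is_separator(node.right):
            return CANON_SEP
    return None


class PartialPathTraversalFinder(ast.NodeVisitor):
    """Local flow: source = canonical-path call, sink = <canonical>.startswith(<canonical>)."""

    def __init__(self) -> None:
        self.env: Dict[str, Optional[str]] = {}
        self.findings: List[int] = []  # line numbers of vulnerable startswith calls

    def visit_Assign(self, node: ast.Assign) -> None:
        value = label_of(node.value, self.env)
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.env[target.id] = value  # an alias inherits the label
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "startswith" and len(node.args) == 1:
            receiver = label_of(func.value, self.env)
            prefix = label_of(node.args[0], self.env)
            # Both sides canonical and no separator on the prefix: partial path traversal.
            if receiver == CANON and prefix == CANON:
                self.findings.append(node.lineno)
        self.generic_visit(node)


def scan(source: str) -> List[int]:
    finder = PartialPathTraversalFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed snippets mirroring the slides.
SAMPLES = {
    "vulnerable_direct": (
        "if not os.path.realpath(d).startswith(os.path.realpath(p)):\n"
        "    raise ValueError('outside parent')\n"
    ),
    "vulnerable_alias": (
        "dir_c = os.path.realpath(d)\n"
        "p_c = os.path.realpath(p)\n"
        "p_c2 = p_c\n"
        "if not dir_c.startswith(p_c2):\n"
        "    raise ValueError('outside parent')\n"
    ),
    "fixed_alias": (
        "dir_c = os.path.realpath(d)\n"
        "p_c = os.path.realpath(p) + os.sep\n"
        "p_c2 = p_c\n"
        "if not dir_c.startswith(p_c2):\n"
        "    raise ValueError('outside parent')\n"
    ),
    "unrelated_startswith": (
        "name = entry.getName()\n"
        "if name.startswith('__MACOSX/'):\n"
        "    skip = True\n"
    ),
}


def scan_samples() -> Dict[str, List[int]]:
    return {name: scan(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, lines in scan_samples().items():
        print(f"{name:22} {'vulnerable at line ' + str(lines) if lines else 'clean'}")
```

The pass is flow-insensitive and purely local (one straight-line body, no branches or calls), which is enough for the shapes on the slides; OpenRewrite's implementation handles the general case, but the idea is the same: labels attach to values, not to variable names, so the alias p_c2 and the appended separator are both visible at the sink.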
138. Partial Path Traversal - Putting it all together

139. Example Case: AWS Java SDK (CVE-2022-31159)
142. Vulnerability Disclosure Drama!
143. Aside: Email with AWS Security Team

AWS: We’d like to award you a bug bounty, however you’d need to sign an NDA.

Jonathan: I don’t normally agree to NDAs. Can I read it first before potentially agreeing?

AWS: We’re unable to share the bug bounty program NDA since it and other contract documents are considered sensitive by the legal team.
149. Vulnerability #3: Zip Slip

150. Zip Slip: a path traversal vulnerability while unpacking zip file entries
151. Zip Slip

    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.util.Enumeration;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipFile;
    import org.apache.commons.io.IOUtils;

    // Vulnerable: e.getName() comes straight from the archive and is joined onto
    // destination without any check, so an entry named "../../x" is written
    // outside destination.
    void zipSlip(File destination, ZipFile zip) throws IOException {
        Enumeration<? extends ZipEntry> entries = zip.entries();
        while (entries.hasMoreElements()) {
            ZipEntry e = entries.nextElement();
            File f = new File(destination, e.getName());
            IOUtils.copy(
                zip.getInputStream(e),
                new FileOutputStream(f)
            );
        }
    }
153. Zip Slip is Complicated
155. Zip Slip - Fixed

    ZipEntry e = ...
    File f = new File(destination, e.getName());
    if (!f.toPath().startsWith(destination.toPath())) {
        throw new IOException("Bad Zip Entry!");
    }
    IOUtils.copy(
        zip.getInputStream(e),
        new FileOutputStream(f)
    );

One caveat on the guard as written: java.nio.file.Path.startsWith compares name elements as they appear and does not normalise either path, so an entry named "../../etc/crontab" produces a Path that still begins with the destination's elements and passes the check. Normalise the candidate first (f.toPath().normalize(), or compare canonical files) so that ".." segments are collapsed before the comparison.
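The extraction loop from slide 151 beside the guarded version from slide 155, as an added example in Python (not the talk's code and not the OpenRewrite recipe). The archive is constructed in memory with two benign entries and one "../../" entry; os.path.join stands in for new File(destination, e.getName()), and the hardened check uses abspath (which collapses "..", the caveat above) together with os.path.commonpath, which compares whole path components and therefore also rejects the sibling-prefix shape from the partial path traversal slides. The sandbox directory layout is an assumption made so that the escaped file lands inside a temporary directory rather than anywhere else on disk.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple


def build_archive() -> bytes:
    """Constructed test archive: two benign entries and one Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign\n")
        zf.writestr("docs/guide.txt", "also benign\n")
        zf.writestr("../../escaped.txt", "written outside the destination\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """Mirrors new File(destination, e.getName()): the entry name is trusted as-is."""
    return os.path.join(dest, name)


def safe_target(dest: str, name: str) -> str:
    """Resolve the entry path and refuse anything outside dest.

    abspath normalises ".." before the comparison, and commonpath compares
    whole path components, so a destination of "/srv/out" also rejects
    "/srv/out2/x" (the partial-path-traversal shape from the earlier slides).
    """
    base = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"Bad Zip Entry: {name!r}")
    return target


def is_safe_entry(dest: str, name: str) -> bool:
    try:
        safe_target(dest, name)
        return True
    except ValueError:
        return False


def extract(zip_bytes: bytes, dest: str, root: str, hardened: bool) -> Tuple[List[str], List[str]]:
    """Extract into dest; return (files written, relative to root; rejected entry names)."""
    written: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename) if hardened else naive_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return sorted(written), rejected


def demo() -> Dict[str, List[str]]:
    """Run both extractors in a throwaway sandbox; the escaped file stays inside it."""
    root = tempfile.mkdtemp(prefix="zipslip-")
    dest = os.path.join(root, "victim", "out")  # two levels below root, so "../.." lands in root
    os.makedirs(dest)
    archive = build_archive()
    naive_written, _ = extract(archive, dest, root, hardened=False)
    hardened_written, rejected = extract(archive, dest, root, hardened=True)
    return {"naive": naive_written, "hardened": hardened_written, "rejected": rejected}


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label:9} {paths}")
```

The naive run writes escaped.txt two directories above the destination; the hardened run writes the two benign files and reports the third entry as rejected. The same safe_target predicate can be reused for tar archives, where the entry names are just as attacker-controlled.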
156. The Problem with Zip Slip

157. Zip Slip

The same guard can be written in two shapes. Rejecting entries that fail the check:

    ZipEntry e = ...
    File f = new File(destination, e.getName());
    if (!f.toPath().startsWith(destination.toPath())) {
        throw new IOException("Bad Zip Entry!");
    }
    IOUtils.copy(
        zip.getInputStream(e),
        new FileOutputStream(f)
    );

158. Zip Slip

Or copying only entries that pass it:

    ZipEntry e = ...
    File f = new File(destination, e.getName());
    if (f.toPath().startsWith(destination.toPath())) {
        IOUtils.copy(
            zip.getInputStream(e),
            new FileOutputStream(f)
        );
    }

Both are correct, and a detector that only asks "is there a startsWith check somewhere before the copy?" would also accept a check whose result is ignored. Whether the copy is reachable only through the check is a question about control flow, not about the text.
159. Control Flow Analysis

160. Control Flow Analysis

Unguarded copy:

    File f = new File(destination, e.getName());
    IOUtils.copy(
        zip.getInputStream(e),
        new FileOutputStream(f)
    );

Guarded copy, where the throw means the copy is only reached by entries that passed the check:

    File f = new File(destination, e.getName());
    if (!f.toPath().startsWith(destination.toPath())) {
        throw new IOException("Bad Zip Entry!");
    }
    IOUtils.copy(
        zip.getInputStream(e),
        new FileOutputStream(f)
    );
161. Control Flow - OpenRewrite

164. Zip Slip - Putting it all together
167. Pull Request Generation!

169. Problems with Pull Request Generation

170. How fast can we generate Pull Requests?
171. Pull Request Generation Steps

Each step is one of three kinds of work: file I/O, a Git operation, or a GitHub API call.

1. Checkout (i.e. download) the code repository - Git operation, file I/O
2. Branch, apply the diff, and commit - file I/O, Git operation
3. Fork the repository on GitHub - GitHub API
4. Rename the forked repository on GitHub - GitHub API
5. Push the changes - Git operation
6. Create the pull request on GitHub - GitHub API
188. Let’s talk about... GitHub’s API Rate Limiter

189. GitHub Documentation
“If you're making a large number of POST, PATCH, PUT, or DELETE requests for a single user or client ID, wait at least one second between each request.”

190. GitHub Documentation
“When you have been limited, use the Retry-After response header to slow down. The value of the Retry-After header will always be an integer, representing the number of seconds you should wait before making requests again.”
191. Something New Appeared in 2022

192. GitHub Documentation
“Requests that create content which triggers notifications, such as issues, comments and pull requests, may be further limited and will not include a Retry-After header in the response. Please create this content at a reasonable pace to avoid further limiting.”
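The GitHub API side of the six generation steps (fork, rename, create pull request) driven through a client that applies the three documented rules quoted above: at least one second between mutating requests, honour Retry-After when it is present, and back off on your own when a content-creation limit answers without one. This is an added example, not the talk's bot, and it paces rather than bypasses the limiter. The transport, clock and sleep are injected so the block runs offline against a scripted fake GitHub (the response script and the repository names are constructed); the header names X-RateLimit-Remaining / X-RateLimit-Reset / Retry-After and the 403 / 429 statuses are the ones GitHub documents for its primary and secondary limits.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MUTATING = {"POST", "PATCH", "PUT", "DELETE"}
RATE_LIMITED = {403, 429}  # GitHub answers primary and secondary limits with one of these


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


class PacedClient:
    """Wraps a transport so that bulk PR generation stays inside GitHub's limits."""

    def __init__(self, send: Callable[[str, str, Optional[dict]], Response], *,
                 sleep: Callable[[float], None] = time.sleep,
                 now: Callable[[], float] = time.time,
                 min_gap: float = 1.0, max_attempts: int = 6) -> None:
        self._send, self._sleep, self._now = send, sleep, now
        self._min_gap, self._max_attempts = min_gap, max_attempts
        self._last_write: Optional[float] = None

    def _pace(self) -> None:
        """At least min_gap seconds between mutating requests (rule from the docs)."""
        if self._last_write is not None:
            gap = self._now() - self._last_write
            if gap < self._min_gap:
                self._sleep(self._min_gap - gap)

    def _backoff(self, resp: Response, attempt: int) -> float:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        if "retry-after" in headers:  # explicit secondary limit: an integer number of seconds
            return float(int(headers["retry-after"]))
        if headers.get("x-ratelimit-remaining") == "0" and "x-ratelimit-reset" in headers:
            return max(0.0, int(headers["x-ratelimit-reset"]) - self._now())  # primary limit
        # Content-creation limit: no header at all, so back off exponentially (capped).
        return min(60.0, 2.0 ** (attempt + 1))

    def request(self, method: str, url: str, body: Optional[dict] = None) -> Response:
        for attempt in range(self._max_attempts):
            if method in MUTATING:
                self._pace()
            resp = self._send(method, url, body)
            if method in MUTATING:
                self._last_write = self._now()
            if resp.status not in RATE_LIMITED:
                return resp
            self._sleep(self._backoff(resp, attempt))
        raise RuntimeError(f"{method} {url}: still rate limited after {self._max_attempts} attempts")


def demo() -> Dict[str, list]:
    """Replay the fork / rename / pull-request steps against a scripted fake GitHub.

    The clock is simulated and the script is constructed to trigger all three
    rate-limit signals once. Returns the sleeps performed and the final statuses.
    """
    start = 1000.0
    clock = {"t": start}
    sleeps: List[float] = []

    def now() -> float:
        return clock["t"]

    def sleep(seconds: float) -> None:
        sleeps.append(seconds)
        clock["t"] += seconds

    script = iter([
        Response(201),                                    # POST fork: created
        Response(403, {"Retry-After": "3"}),              # PATCH rename: secondary limit
        Response(200),                                    # PATCH rename: ok
        Response(403),                                    # POST pull: content limit, no header
        Response(403, {"X-RateLimit-Remaining": "0",      # POST pull: primary limit exhausted
                       "X-RateLimit-Reset": str(int(start) + 20)}),
        Response(201),                                    # POST pull: created
    ])

    def send(method: str, url: str, body: Optional[dict]) -> Response:
        clock["t"] += 0.25  # each round trip costs 250 ms of simulated time
        return next(script)

    client = PacedClient(send, sleep=sleep, now=now)
    statuses = [
        client.request("POST", "/repos/upstream/project/forks").status,
        client.request("PATCH", "/repos/bot/project", {"name": "project-fix-zip-slip"}).status,
        client.request("POST", "/repos/upstream/project/pulls", {"title": "Fix Zip Slip"}).status,
    ]
    return {"sleeps": sleeps, "statuses": statuses}


if __name__ == "__main__":
    print(demo())
```

In the replay the client sleeps five times: one second of pacing before the rename, the three seconds GitHub asked for, one second of pacing before the pull request, a two-second self-imposed backoff for the header-less content limit, and the remainder until the primary window resets. GET requests are not paced, since the one-second rule in the documentation is stated for mutating methods only.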
196. We’ve made it this far
✅ Vulnerabilities Detected
✅ Style Detected
✅ Code Fixed & Diff Generated
✅ Rate Limit Bypassed

How do we do this for all the repositories?
198. Moderne
● Free for Open Source Projects!
● ~7,000 Repositories indexed
● Run OpenRewrite Transformations at Scale
● Generates and Updates Pull Requests

199. 800+ OpenRewrite Recipes including complete Framework Migrations

200. It’s not just your code that needs to be secure. It’s also the dependencies.

202. Bulk Pull Request Generation - public.moderne.io
205. But there are more than just 7,000 repositories in the world. How do we find the other vulnerable projects?
206. CodeQL

207. CodeQL: 100k+ OSS Projects Indexed, 35k+ OSS Java Projects

208. https://github.com/moderneinc/jenkins-ingest

209. CodeQL: Partial Path Traversal

The pattern the query looks for:

    if (!dir.getCanonicalPath()
            .startsWith(parent.getCanonicalPath())) {
        ...
    }
210. With the list of vulnerable projects in hand!

211. Finally! Let’s generate some Open Source Software Pull Requests!
213. Bulk Pull Request Generation Statistics

Project                                      PR Generator          Pull Requests  Merge Rate
HTTP Download of Dependencies                Python Bot            1,596          40%
CVE-2019-16303: JHipster RNG Vulnerability   Python Bot + Moderne  3,467          2.3%
CVE-2020-8597: rhostname array overflow      Python Bot            1,885          7.6%
Temporary Directory Hijacking                Moderne               64             25%
Partial Path Traversal                       Moderne               50             22%
Zip Slip                                     Moderne               152            20%

New Pull Requests Generated in 2022: 600+
Personally Generated: 5,200+ Pull Requests
218. Best Practices for Bulk Pull Request Generation

219. Messaging!

220. All Software Problems are People Problems In Disguise
221. Lesson 1: Sign off all Commits (--signoff)

222. Sign off on Commits
Passing --signoff to git commit appends the trailer:
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

223. Sign off on Commits: Why?!

224. Sign off on Commits
“It was introduced in the wake of the SCO lawsuit, (and other accusations of copyright infringement from SCO, most of which they never actually took to court), as a Developers Certificate of Origin. It is used to say that you certify that you have created the patch in question, or that you certify that to the best of your knowledge, it was created under an appropriate open-source license, or that it has been provided to you by someone else under those terms.”
- Stack Overflow

225. TL;DR

226. Lawyers
228. Lesson 2: Be a good commitizen

229. Lesson 2: Be a good commitizen: GPG sign your commits
232. Lesson 3: SECOM Commit Format
SECOM is a convention for structuring security-fix commit messages so that the vulnerability, its impact and the fix are stated in the commit itself.
234. Lesson 4: There are risks using your personal GitHub Account

235. Anyone here familiar with GitHub’s Angry Unicorn?

236. This was my GitHub Profile Page for most of 2020

237. Remember GitHub’s Rate Limit?
239. Lesson 5: Coordinate with GitHub

240. Before Attempting, Reach out to GitHub! SecurityLab@github.com

241. Lesson 6: Consider the Implications
243. Conclusion

244. As Security Researchers

245. We have an obligation to society

246. We know these vulnerabilities are out there

247. “For every 500 developers you have one security researcher.”
- GitHub 2020

249. “We can fix it. We have the technology. OK. We need to create the technology. Alright. The policy guys are mucking with the technology. Relax. WE'RE ON IT.”
- Dan Kaminsky (1979 – 2021)

250.
● Learn CodeQL! Seriously! It’s an incredibly powerful language!
● Contribute to OpenRewrite! Deploy your security fixes at scale!
● Join the GitHub Security Lab & OpenRewrite Slack Channels!
● Join the Open Source Security Foundation (OSSF)!
251. Thanks
Lidia Giuliano
Shyam Mehta

252. @JLLeitschuh
Jonathan.Leitschuh@gmail.com
254. Appendix - CodeQL: Partial Path Traversal (query walkthrough, slides 254 to 264)