Jonathan Leitschuh - Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All
Jonathan Leitschuh, OSS Security Researcher - Dan Kaminsky Fellowship @ HUMAN Security, He/Him
Presentation Title: Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All
Length of presentation: 45 minutes
Demo
Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new; we've known about them for years, but they're everywhere!
The scale of GitHub and tools like CodeQL (GitHub's code query language) make it possible to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports isn't useful by itself, and would be an even greater burden on the volunteer maintainers of OSS projects. Ideally the maintainers would be provided not only with information about the vulnerability, but also with a fix in the form of an easily actionable pull request.
When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution: automated bulk pull request generation. We'll discuss the practical applications of this technique on real-world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.
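As an added illustration of the "simple fix" category the abstract describes (not code from the talk or from the referenced projects), the Zip Slip pattern cited in the references is shown below: the archive extractor a scanner flags, beside the hardened form a generated pull request would leave behind. Class and method names are my own, and the sample archive is constructed in main().

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class ZipSlipFixExample {
    // BEFORE: the pattern a CodeQL-style query flags. The entry name is taken
    // straight from the archive, so a name such as "../x" resolves outside destDir.
    static void extractUnsafe(InputStream zip, File destDir) throws IOException {
        try (ZipInputStream in = new ZipInputStream(zip)) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                File out = new File(destDir, e.getName());
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                Files.copy(in, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    // AFTER: the shape of the fix a generated pull request applies. Every entry
    // is canonicalised and rejected unless it stays under destDir.
    static void extractSafe(InputStream zip, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream in = new ZipInputStream(zip)) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                File out = new File(destDir, e.getName());
                if (!out.getCanonicalPath().startsWith(root)) {
                    throw new IOException("Entry is outside of the target dir: " + e.getName());
                }
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                Files.copy(in, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry and one traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            z.putNextEntry(new ZipEntry("ok.txt")); z.write("fine".getBytes()); z.closeEntry();
            z.putNextEntry(new ZipEntry("../escaped.txt")); z.write("bad".getBytes()); z.closeEntry();
        }
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        try {
            extractSafe(new ByteArrayInputStream(buf.toByteArray()), dest);
        } catch (IOException rejected) {
            System.out.println("Hardened extractor rejected: " + rejected.getMessage());
        }
    }
}
```

The benign entry is written into the temporary directory; the traversal entry is refused before any byte is written, which is the behaviour a bulk fix PR has to preserve across every project it touches.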
SPEAKER BIO:
Jonathan Leitschuh is a Software Engineer and Software Security Researcher. He is the first-ever Dan Kaminsky Fellow. Jonathan is best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He is amongst the top OSS researchers on GitHub by advisory credit. He's both a GitHub Star and a GitHub Security Ambassador. In 2019 he championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission support for HTTP in favor of HTTPS only. In his free time he loves rock climbing, surfing, and sailing his Hobie catamaran.
This work is sponsored by the new Dan Kaminsky Fellowship, which celebrates Dan's memory and legacy by funding OSS work that makes the world a better (and more secure) place.
Twitter: https://twitter.com/JLLeitschuh
LinkedIn: https://www.linkedin.com/in/jonathan-leitschuh-94553661
REFERENCES:
CodeQL documentation. (n.d.). Retrieved April 30, 2022, from https://codeql.github.com/docs/
CVE-2022-23457: GHSL-2022-008 - DefaultValidator.getValidDirectoryPath. GitHub. (n.d.). Retrieved April 30, 2022, from https://github.com/ESAPI/esapi-java-...8m5h-hrqm-pxm2
Kaminsky, D. (n.d.). Dan Kaminsky - Twitter Profile. Twitter. Retrieved April 30, 2022, from https://twitter.com/dakami
Large-scale automated source code refactoring. OpenRewrite. (n.d.). Retrieved April 30, 2022, from https://docs.openrewrite.org/
Leitschuh, J. (2019, September 11). Want to take over the Java ecosystem? All you need is a MITM! Medium. Retrieved April 30, 2022, from https://infosecwriteups.com/want-to-...m-1fc329d898fb
Leitschuh, J. (n.d.). Jlleitschuh/bulk-security-PR-generator: Generate thousands of pull requests to fix widespread security vulnerabilities across GitHub. GitHub. Retrieved April 30, 2022, from https://github.com/JLLeitschuh/bulk-...y-pr-generator
OpenRewrite/rewrite-java-security: Patch Java security vulnerabilities automatically. GitHub. (n.d.). Retrieved April 30, 2022, from https://github.com/openrewrite/rewrite-java-security
OpenRewrite/rewrite: Semantic code search and transformation. GitHub. (n.d.). Retrieved April 30, 2022, from https://github.com/openrewrite/rewrite
Pritchard, S. (2020, June 22). GitHub's Nico Waisman: 'Security is not just an opportunity, but a responsibility for us'. The Daily Swig | Cybersecurity news and views. Retrieved April 30, 2022, from https://portswigger.net/daily-swig/a...ibility-for-us
Veytsman, M. (2014, July 28). How to take over the computer of any Java (or Clojure or Scala) developer. Max.Computer. Retrieved April 30, 2022, from https://max.computer/blog/how-to-tak...ala-developer/
Woodhead, A. (n.d.). Our first Dan Kaminsky fellow. HUMAN. Retrieved April 30, 2022, from https://www.humansecurity.com/learn/...aminsky-fellow
Zip slip vulnerability. Snyk. (n.d.). Retrieved April 30, 2022, from https://snyk.io/research/zip-slip-vulnerability