Finding log4shell with CodeQL

Agenda:

* OWASP Updates
* Talk: Rise of captain hindsight: Finding Log4Shell with CodeQL with Alvaro Munoz
* Open discussion

Title: Rise of captain hindsight: Finding Log4Shell with CodeQL

Abstract: In this talk, Alvaro Muñoz of the GitHub Security Lab will use Log4Shell to demonstrate CodeQL, a free and powerful static analysis tool, in action. He will review Log4Shell’s root cause, how it manifests in code and how it could have been discovered using CodeQL.

In CI/CP pipelines, CodeQL is configured to operate in a developer-first mode to reduce false positives to a minimum and return the most accurate results. However for security researchers, CodeQL can also be configured to operate in a less conservative mode which results in more false positives but also less false negatives.

In this process, Alvaro will review root cause, how it manifests in code, and how it could have been discovered using CodeQL.

Bio: Alvaro Muñoz works as Principal Security Researcher with GitHub Security Lab team. Previously he worked as an Application Security Consultant helping top enterprises to deploy their application security programs. He is passionate about Web Application security where he has focused most of his research. Muñoz has presented at many Security conferences including BlackHat, DEFCON, RSA, OWASP AppSec EU and US, JavaOne, etc, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.

The talk will be streamed on YouTube at:
https://youtu.be/GKU1nAAGNKs

Alternatively you can dial in Zoom

* Zoom Meeting: [https://us06web.zoom.us/j/81805515766?pwd=bFVWWXhsY0w2RHZPc00xdkxiaHBDZz09](https://us06web.zoom.us/j/81805515766?pwd=bFVWWXhsY0w2RHZPc00xdkxiaHBDZz09) 
* Meeting ID:[masked]
* Passcode:[masked]