This month OWASP Boston will be welcoming Jonathan Leitschuh (https://www.linkedin.com/in/jonathan-leitschuh-94553661/) to share his experience fixing OSS vulnerabilities.
Fixing OSS Security Vulnerabilities at Scale with CodeQL!
You know what’s cooler than finding one vulnerability? Finding thousands of vulnerabilities all at once! You know what’s even cooler than that? Fixing them all at once!
Through the power of your good code you can find other people's bad code and make the world a safer place. Be the darling of bug bounty managers and the envy of security researchers.
We'll introduce the three solutions that powered this massive fix: CodeQL, GitHub's code query language that finds security vulnerability patterns at scale; OpenRewrite, a style-preserving refactoring tool used at Netflix that makes the changes needed to fix the problems you found; and a custom-built bot for generating these thousands of pull requests.
This talk will take you on a journey through what it means to be an “Open Source Security Researcher” and how CodeQL + OpenRewrite are serious game changers compared with the solutions that existed before.
Jonathan Leitschuh is a Software Engineer and Security Researcher. He was awarded the first-ever [Dan Kaminsky Fellowship](https://www.humansecurity.com/blog/the-dan-kaminsky-fellowship-finding-and-funding-hacker-firefighters). His research focuses on Open Source Software (OSS), build infrastructure, and software supply chain security. He's best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He also championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission support for HTTP in favor of HTTPS only. To date he has the most GitHub Security Advisory credits to his name of any OSS contributor on GitHub.
Twitter Handle: @JLLeitschuh