Description
Join us for the #Security track at #GitHubConstellation India 2022. Visit githubconstellation.com
B: As you all can see, much like GitHub Advanced Security helps with your security posture, Amol and I have put on these detective hats in the hopes that it'll inspire today's security track. Why don't you all share your funny pictures, tweet us and use the hashtag #GitHubConstellation? You could win some GitHub swag, by the way. Amol, how long have you been with security?

C: Yeah, that's true. It has been an amazing journey to witness how application security actually transformed from just being a penetration test to a complete DevSecOps deployment. By the way, Dhana, we have so many cool sessions going on in the DevOps and community track right now. How can the audience not miss anything?

C: Yeah, it was. We also met the co-founder of CodeQL. Okay, what a great personality and visionary.
D: It's a shame. It could have been fixed in 2016, but no, unfortunately, despite the work of the security experts, developers and maintainers failed to act upon it. Wait, is it really the maintainers' part? I could say instead that security experts failed to convey a compelling message to developers, or that security experts failed to transform their finding into a clear call to action for developers.

D: It worked when developers could write tests themselves, as code. Can you imagine now saying, "Oh no, testing is not the developer's job, it is someone else's job"? Obviously not. The same thing happened with the DevOps movement, right? We empower developers to understand and manage infrastructure with frameworks such as infrastructure as code.

D: We also educate the community. We write educational articles, we give training, we give talks at conferences. The third thing we do is that we try to scale the research that we are doing by performing variant analysis. What is it? It's a process of finding other instances of a given vulnerability in other places, in other code bases. And then finally, we create the GitHub Advisory Database. It's a database of all known vulnerabilities.

D: We conducted socio-technical research among these two communities, and we discovered several improvement areas in the way these two communities interact during the vulnerability reporting process. For example, open source maintainers who receive a security report might have an initial reaction of stress, especially when the severity is high.

D: It's never fun being on the receiving end. They say also that most open source maintainers have a day job that they may have to pause to address the security issue and protect their users. So we are working to make the security community understand that, and we are working to foster more empathy with the maintainers.

D: The goal is that the maintainer receiving the report finds the experience positive. As in this second quote on the slide: it will never be fun, right, to receive a security report. It will never be fun, but the goal is that a maintainer receiving the report is happy, because it means that their project will soon be more secure.

D: Our first step is to create a security policy. The goal is to tell security researchers how to report a vulnerability to you. In its simplest form, it's just a file containing a private email address. You might find this first step too simple; know that finding this information is the number one struggle of security researchers when they want to disclose a security bug.

D: Fortunately, when these vulnerabilities are discovered by security researchers, they are recorded in the GitHub Advisory Database, along with information such as what the vulnerable versions are, what the safe versions are, and in which versions this vulnerability has been fixed. So when you activate Dependabot, if your project depends on a vulnerable version of a dependency, Dependabot will alert you and tell you, "Hey, you should upgrade to this safe version."

D: Let me give you an example: when the Log4Shell advisory was published and inserted into our GitHub Advisory DB, Dependabot sent alerts and pull requests to more than half a million projects, and 48 percent of those projects that were active upgraded to a safe version in less than one week. To know more about GitHub advisories, Dependabot, etc., there is a nice presentation later in this track by Kate Catlin and Madison Oliver about the GitHub Advisory Database, so don't miss it.

D: It can run in your pull request so that it detects your bugs even before they reach your main branch. Basically, it automates the community's expertise into these queries and makes them available to you to run automatically on your code.

D: With these three steps, we are starting to bridge the gap between security researchers and developers. We are making the work of the security researchers translate into actionable solutions for the developers, for the maintainers, and these steps work. If you want to see a real example of that in a real-life project, my colleague Kevin Backhouse will present a case study later today in his talk, "Practical tips for maintainers to improve your security posture". Don't miss it. But this is quite passive, right?

D: You just click on the button and you automatically get more secure, but how about being proactive for your project's security? After all, we want to empower developers. Well, to do that, obviously, you need to learn. You need to learn to be empowered. The goal here is not to transform all developers into security experts, but to teach them the basics: the fundamentals of security.

D: Because it's code. You remember, developers started to address quality when they could write tests themselves, in code. The same for operational matters: they loved infrastructure as code. Here, it's the same. CodeQL is code, and you have the possibility to contribute to the queries by adding your knowledge of your code, of your project, into this query, right?

D: To start your CodeQL exploration, check out the presentation from Josef Castro Delus, "Find bugs in your code with CodeQL", later today in the security track. Also know that CodeQL is just a tool to explore your code, right? So yes, you can find security bugs, but in fact you can find any kind of bugs. So try CodeQL. You will be able to find immediate value with it.
E: Good morning, everyone. My name is Saurav Pathak, and today I'm going to speak on the topic of the community spotlight: securing an open source project. Now, what is Bagisto? Bagisto is an open source ecommerce platform that is built for merchants to begin their e-commerce journey effortlessly.

E: Now, Bagisto is not just another ecommerce platform. It's more like a platform-driven commerce, a commerce which is made for the developers by the developers, but is very simple to use by the merchants. So any developer community or a developer who has good experience of working on OOP concepts or on any framework can easily use Bagisto to make their own ecommerce platform. Bagisto as an offering is offering more of a post-commerce solution. So it's not just the commerce that you're getting, but many different uses.

E: Now Bagisto, like now, Bagisto has more than ten thousand plus live websites of merchants running live on Bagisto, and there are more than five thousand plus community members who are actively participating in Bagisto. Now, when we talk about ten thousand plus live merchants, and the merchants having a billion product SKUs, then security plays a major role for us in order to continuously improve Bagisto and keep it secure from threats, for all the vulnerabilities and the scripts running in the background. Now, in order to follow a good security pattern:

E: There are two levels. One is the one that we implement at the core level, and the second is the one that we follow for the community contribution level. So the very first level I'm going to discuss is the code development process and what security practices we follow. Now Bagisto is made on Laravel, so we are using the Laravel authentication system, which is a robust user authentication process. Laravel uses providers and guards to facilitate the authentication process. Bagisto has strengthened the hashing algorithm, SHA-256, used in password management.

E: Bagisto now supports Argon2ID13 through the PHP sodium extension, which requires the libsodium library version 1.4.13 or higher, to prevent brute-force attacks. To protect your application from CSRF attacks, we are using CSRF tokens in each request to avoid fake requests from external third parties.

E: So we keep a check on all the third-party dependencies that we use: whether they are up to date, whether there is no security vulnerability, and then we make sure to make use of the third-party dependency in Bagisto. A simple admin URL like /admin or /backend makes it easy to target attacks on a specific location using automated password guessing. To prevent this type of attack,

E: Bagisto, by default, creates a random admin URL when you install the product. So suppose it's a very common guess that if there's an e-commerce store and if I want to open the back-end, I can just type the URL of the e-commerce store and after the slash I can put admin, or like admin/login. Now, that is a very common guess for any type of attacker, but with Bagisto we are not doing that. We are randomly changing the URL, so it's hard for an attacker to guess what the proper URL for the admin UI is.

E: It makes the admin panel quite secure to log in to. Bagisto no longer explicitly sets file system permissions. Instead, we recommend that certain files and directories be writable in a development environment and read-only in the production environment. Then, safeguard your store from clickjacking attacks by using an extra option, an HTTP request header.

E: Now, Google reCAPTCHA. It provides a greater level of security for both the storefront and the admin than is available with the standard CAPTCHA, to verify customer accounts and enhance security when admin users log in. Bagisto also prevents cache poisoning, so no one can change the cache contents to include different pages from the same site. Bagisto also secures cron.php from running in a browser, to prevent it from being used in a malicious exploit.

E: Bagisto two-factor authentication improves security by requiring two-step authentication to access the admin UI from all devices. Once security vulnerabilities are discovered by a researcher, proper reporting channels are often lacking in various open source platforms. As a result, some vulnerabilities are not reported properly.

E: The purpose of having a security.txt file is to give security researchers the information they need to report the finding. So in the txt file we mention in what format you need to report the security bugs, and that way we get the reports from different researchers. Also, we do have a bounty program to reward the reporter with some bounties.

E: So the community plays a very important role in the popularity of any open source project. How popular an open source project is depends on how many active community members there are and how people are using the project. Now, with Bagisto, there are more than 5,000 active community members who are actively participating in maintaining the project as well, and also checking on the vulnerabilities, adding PRs, and so many things. Now, with the community,

E: what comes are so many pull requests, and you need to keep a check on those pull requests, that those pull requests do not contain any malicious scripts which can hamper your open source project. So with Bagisto, with so many merchant sites running and with the community participating in the open source, in the pull requests for Bagisto we also need to keep a proper check on those. So there are a few things that we follow a lot.

E: These pipelines are a practice focused on improving software delivery throughout the software development life cycle via automation. In this way, whenever a new contributor creates a pull request, all the test cases are run automatically, and this is thanks to GitHub workflows, a fantastic tool. It has really taken a lot of stress off our maintainers who keep a check on the PRs. So it's not like we need to check all the PRs line by line for each and every piece of code.

E: We have all those tests, critical test cases prepared for unit and functional testing, and those tests will make sure that all the PRs pass through all the tests, all the test cases, and only once they have passed does that PR come to a maintainer for checking the business logic and the functional testing. On every pull request, our maintainers regularly review all the code for functionality checks, vulnerability checks, as well as code quality. Also, at last,

E: we have also enabled security policies, security advisories and Dependabot, which tell us about the latest vulnerabilities and fixes as well. And this way we make sure that we at least don't have any vulnerabilities in our dependencies as well. So these are some of the best practices that we have followed in the core code development process and also in the community contribution.

E: While following all these processes, we make sure that Bagisto remains secure for the merchants who are using it and for the merchants about to come and use Bagisto. And since Bagisto follows all those security practices, that makes the e-commerce platform very secure to use, and also keeps our promise and the trust the merchants have in us to keep delivering a good ecommerce platform. So that's all from my side. Thank you all for your time.
A: Hello, my name is Grant Birkinbine and I will be your host today, going into "Back to the security basics using github.com". Welcome to GitHub Constellation India, and I hope that, through these talks, you guys will have a better understanding of how to secure your developer workflows using github.com.

A: So, a little bit about me. The name that I go by on GitHub is GrantBirki. You can find me hanging out in a few open source repositories or working on the GitHub platform and other areas. I'm a security engineer who will be guiding you today along the journey of using best practices at GitHub and with the various services that you can interact with on github.com, for example Actions, going through your own account settings, using SSH keys, GPG keys, all sorts of things. So, a few fun facts about me outside of tech.

A: All right, so some topics covered today are going to be: why you should focus on security when using github.com, who this applies to, and how we can follow security best practices when we're using some of the services that GitHub offers. So let's get started. So, first off: why should you focus on security when using GitHub?

A: Well, this applies to a couple of different areas depending on who you are and what you're using GitHub for. So, for example, if you're an open source developer, reasons why security might be important to you are to protect your community and promote safety and trust. So if you're an open source developer creating a new Ruby or JavaScript package, it's important that the people using your packages support it and are confident that the package that they're using is going to be safe.

A: It's important to protect your data in your GitHub account, just like you would do with any other account online, whether it's a social media account or a website you log into for studying with school, or anything like that. Just like you protect your data and information there, or, for example, with banking, you'd want to do the same and protect your GitHub account online as well.

A: All right, who does this apply to? Well, this applies to everyone. So, whether you're a software engineer, data scientist, mobile app developer, contributor to an open source project, auditor, researcher, student, anyone and everyone: there are no exclusions for who should follow security best practices. Everyone should. All right, let's begin. So I'm going to get into some of the top ways that you can secure your experience on the GitHub platform.

A: So a fun fact is that an IBM study published in 2021 found that 82% of workers today reuse their credentials in some manner. That's not exactly a fun statistic. Working in security, you don't want to see that. So we want to try to do everything we can to prevent password misuse, especially on GitHub, where you could be developing software that's important to you and your community.

A: And if that password works on github.com and you don't have two-factor authentication enabled, which we'll get into in a moment, that password will just work and they'll log into your GitHub account. We don't want that. So don't reuse your passwords: number one. Number two is never share your password with anyone. GitHub is never going to email you asking for what your password is. If you see any emails like that, it's likely a phishing attack. So definitely don't follow up with that. Don't send your password to them and don't share your password with anyone else.

A: Step number three is going to be: use a complex password. So use a password that's comprised of alphanumeric characters, numbers, symbols, and make sure it's long, right? So don't be using like a five- or six-character password; use a longer password, and that can really be accomplished quite easily by using a password manager. Password managers, if you're not familiar, are a tool or application that you use; sometimes they're based in your web browser.

A: So, for example, Google Chrome has a built-in password manager tool. There are also extensions and plugins that you can use, some free, some paid for, that can help you manage that as well. So you log into your password manager with one complex password, which you remember, and then from there you can generate random and unique passwords for each website that you log into throughout your day. So that's a great tool to use, password managers, and there's

A: a few that I recommend here. So there's KeePass, there's KeePassXC, which is a fork of KeePass and it's open source and free. You can use it on Linux, Mac, Windows, wherever you want, and there are some other options as well: 1Password, LastPass, Bitwarden. I've linked KeePassXC at the bottom just because it's an open source option and you can get started with that today for free.

A: As long as you're using a password manager, you're going to be a lot better off than with that one. All right, so number two, the next thing you want to do once you have a strong, complex password, is you want to make sure you're using two-factor authentication. So two-factor authentication protects you from phishing attacks, credential stuffing attacks and the sorts. It helps protect you because, in addition to entering your username and password, you also have to take a second step to log into your account. That can be an authenticator app.

A: As you can see on my screen here, this is actually what I have configured for my GitHub account, and I would suggest users follow the same. You can set up an authentication app, add security keys to your account, or you can even authenticate with GitHub Mobile. So once you enter that username and password, it's going to prompt you for two-factor authentication.

A: So it's going to prove that you, right now, in the present, are trying to log into your account, and it's not an attacker located in some distant land trying to log into your account. And then, fun fact here: 2FA is a simple action you can take to prevent 99.9% of attacks on your account, according to a senior product manager over at the Microsoft security team.

A: This is not something you want to do, but it is something that we have most likely all done before. I would actually consider this a rite of passage in software development. You might not be a true software developer unless you've committed credentials at some point in time. That's a joke, of course, but yes, we've all done it many times before. To date, GitHub has detected more than 700,000 secrets across private repositories through GitHub Advanced Security scanning.

A: So if you're an open source developer, you're probably familiar with a .gitignore file. The .gitignore file is a file that you add into your repository and it excludes files from being committed to GitHub, so Git will not track those files. So if you have a file called secrets.txt in your .gitignore file and in your repo, it will never track that file and prevents you from committing it in the first place. So that's a good first step to preventing this from happening.

A: However, you could add your secret someplace else. Maybe have it hard-coded in one of your source files instead of using an environment variable, and that could be committed. So to prevent that, you can use an open source tool called git-secrets, made by AWS Labs, which creates a post-commit hook. So after you do a commit, it's going to scan and see if you have any secrets in that commit; it's going to alert you before you push that secret to a private or a public repository.
A: So it's a great way to kind of prevent that from happening. GitHub actually suggests using the GitHub Desktop app. Personally, I'm very integrated with the command line, so I don't use it all that much, but it can help new developers and students to use a desktop app, or even Visual Studio Code, for checking what you're going to commit, because you can see, kind of in a visual display, what's being committed, and that kind of helps.

A: So if GitHub detects, for example, that an AWS access key and secret key has been committed to a public repo, we're going to reach out to AWS and try to revoke that credential as quickly as we can. So AWS will get a notification saying your credential has been committed, and they're going to go ahead and try to revoke that credential for you. The goal there is to try to get rid of it before a bad actor can use it.

A: We have a ton of different partner organizations that we do this with, and the full example can be found on our documentation page. For enterprise developers, we have a couple of different options, and one of them that's pretty cool is GitHub Advanced Security push protection. What that actually does is it will prevent you from pushing a commit if GitHub detects a secret in it, and we do that by some different pattern recognition.

A: So if we detect an AWS access token being pushed to a GitHub repo, we'll reject that commit. Now, you can always go in and approve it and let it be pushed, for example if you're trying to test something or test a credential being revoked. You can do that, but it's nice to have that extra layer of comfort, especially for enterprise organizations.

A: Okay, here's a quick demo of seeing how push protection works. So here we see a user has intentionally committed a secret, and they're going to push that change onto the repository. Once they see that come through, we see right away push protection is going to notice that a token was committed, and the user is actually going to go ahead and click through and allow it to happen as an exception.

A: All right, number four is going to be security related to your personal access tokens. So if you're not familiar, a personal access token allows you to interact with different services in GitHub, for example the API. And so, for example, if you wanted to test out a script locally where you're going to label a pull request as a bug, you would create a personal access token to do that. So here you see on the left, I'm creating a personal access token for a deployment status bot, and a couple of things you can do to protect

A: All right, GPG keys, number six. GPG keys are a little bit more of a complex topic. I'm not going to go into how they work under the hood; you see here at the top, "magic math and cryptography". At a very high level, it uses private/public key cryptography to sign and encrypt messages.

A: That might be a little bit overwhelming, just the concept. So if it's interesting to you, I suggest you explore it outside of this talk, but I'll just give you the core pieces of what you need to know for GPG keys here. So here we can add a new one; you see on the far left, you can add a new GPG key to your account. And then, once you do, when you make a commit using that GPG key using Git locally, you'll have a little "Verified" badge that pops up.

A: What that is doing is signing your commits to cryptographically prove that you are the one that pushed that commit, so you're not being impersonated by someone else. This is you who made that commit, and no one else made it. So you can add a key to your account, you can use that to sign your commits, and then an optional bonus option is you can enable vigilant mode, so any commit that is not signed is going to be flagged as unverified.

A: It's really helpful, if you're maintaining a package that other people are using, to have signed commits, because people are really going to want to know a strong chain of ownership of who's making commits and when, and make sure that there aren't any sort of supply chain attacks going on in your commit history. So that's a bonus: if you're a dependency or a package maintainer, you should be using GPG keys. Number seven is going to be reviewing your security log, so this has come up in recent topics.

A: Checking your security log, and doing so regularly, is a really good option, especially if you notice anything suspicious with your account. So you can get to your security log by going under your settings page and then going down to the Archives section you see on the far left.

A: You can also view your sponsorship log, but we're sticking to security here, so that's a bonus. Looking at the security log, you can go in and you can filter on different options. You can see here I'm filtering on all actions that contain alterations to repository access, and on a certain date. So let's say I was a little bit suspicious why one of my repos suddenly became public. Maybe I didn't want that to happen.

A: So that's what you can do with the security log: review some of your security access and make sure, with filters and drilling down, that the actions being taken on your account are actually you and you trust them. All right, number eight is going to be code security. This is also a little bit more of an advanced topic, and it will be talked about by other presenters throughout this event.

A: So I'll try to keep it simple here. The top things you can do to protect some of your repositories in your GitHub account through code security would be enabling some of these options you see on the left. So we see I've enabled the dependency graph, Dependabot alerts and Dependabot security updates. We'll go into more about Dependabot later in other talks. So for now, all you need to know is you can enable these features for all of your repositories right in your settings page, and Dependabot is great.

A: So for Actions security, there are a couple of just easy checkboxes you can enable to harden and protect your workflows, and lots of people don't know about these options. They're really helpful to kind of lock down, especially your public repos, to make sure they're safer. So number nine is you can specify where your actions and workflows can be used from and who authors them. So here I have set "Allow all actions and reusable workflows". If I wanted to really lock down my Actions workflows, I could disable Actions and I wouldn't even be able to run them, or, below, it's kind of hidden, you can select only certain repos or owners to allow actions to be used from. So that's very helpful.

A: If you don't necessarily trust every single person in your community, you can lock it down to require approvals for either first-time contributors, and then subsequent workflows will run automatically, or you can require an approval for every single outside collaborator. You can also lock down your workflow permissions, so you can say, all right, I only want my actions that are running on my repo to have read

A: And number 10, the last way and arguably the most important way to secure your experience on GitHub, is just using brain power and common sense. If you see something, say something: follow security best practices, audit all the third-party tools and integrations and packages that you're using in your repos, and stay informed with security notices. There's a ton of great tools out there. You know, there's the GitHub blog, which posts security notices; there's Hacker News, which you can follow about different CVE alerts; and for me here in the United States,

A: there are some great government-run subscriptions that I can get notifications from if there are any sort of security alerts or really big vulnerabilities that come up in the news, for example. So something that our CSO likes to say here is we're all part of the security team here at GitHub, and really everyone at GitHub: users, the employees here, everyone alike, we're all part of the security team. We should all adopt a security mindset to protect ourselves and our contributors to our different projects.
B
C
Yeah,
it's
because
push
protection
is
more
proactive
in
blocking
secrets,
rather
than
waiting
for
a
scanning
tool
to
find
them
later
on.
B
B
I
Thank
you
for
joining
us
this
week,
I'm
here
to
kick
off
our
third
annual
event
in
india,
github
constellation.
We
have
so
many
great
sessions
for
you
and
I
hope
you
enjoy
them.
Open
source
has
one
if
you
are
an
open
source
maintainer,
you
are
working
on
some
of
the
most
exciting
stuff
developers
from
around
the
world
are
working
and
collaborating
together
on
open
source.
I
Two.
The
inter-connected
community
is
a
powerful
one,
open
source
education
and
enterprises.
We
are
all
in
it
together.
We
are
building
the
future
of
software
and
our
mission
is
to
accelerate
human
progress
through
developer
collaboration
and
three.
We
are
committed
to
india.
We
are
committed
to
growing
github
in
india
to
hiring
in
india
to
supporting
indian
developers,
maintainers
and
students,
by
giving
back
through
programs
to
github
sponsors,
accelerate
the
open
source,
bootcamps
and
externships.
I
J
A
J
The
third
hundred
billion
dollars
is
going
to
come
in
three
to
four
years.
I
do
believe
all
of
you
can
play
a
huge
role
in
building
a
bigger
community,
open
source
developers
in
playing
a
larger
role
in
global,
open
source
products
and
launching
india's
own
open
source
products
that
can
be
taken
globally
and
therefore
make
a
huge
difference
to
the
transformation
of
india.
B
L
M
N
L
N
Know
because
you
know
they
studied
about
abc
decent
school,
they
said
no,
no,
I'm
talking
about
a
means.
Artificial
intelligence
b
means
blockchain
c
means
cyber
security
means
data,
analytics
and
intelligence.
E
means.
Electronic
f
means
faster
coding.
You
know,
in
his
words,
may
be
faster
coding,
it
is
low
code,
you
know,
approach
and
g
is
github,
you
know
so
this
is
where
we
see
the
github
is
very,
very
important
for
our
national
education
policy.
H
One of the examples is the integration of GitHub Advanced Security, which we have recently undertaken. Second, and most importantly, train and sensitize the developers and equip them to be able to address the issues before the code is checked in. And finally, and most importantly, to have the process and guidelines very clearly defined. If...
O
There's a completely closed source option and there is an open source option. I tend to gravitate towards the open source, because, you know, if you hit some feature limit or something like that, you can continue to extend at a core level and contribute back. And so with Roy we are building like a no-code platform that basically allows you to get started like no code, but then you can continue to extend at a core level anytime.
O
You need, and our experience with, you know, seeing how developers are extending it in different scenarios has been really interesting, various kinds of use cases, and that has been a really good learning experience for us, I think.
B
Oh, so Rohit Shirkey is tweeting at us and he says: amazing intro by Nandan about how India is leading its way in the software market, and the contribution of OSS, and the huge success stories of platforms like UPI. Oh absolutely, Nandan shared such amazing stories. It was really, really inspiring.
C
Wow, so the next tweet comes to us from El Targo: it gives me goosebumps to watch this, such inspiration, #GitHubConstellation. Thanks, El Targo. I completely agree with you. You know, the team has put in a good effort and, you know, I'm sure you really took back some good stuff from the event yesterday or today.
C
Nidhi Devang, so what Nidhi says is: attending GitHub Constellation on the importance of security in open source at @GitHubSecurityLab; learned: create a security policy, activate Dependabot, activate CodeQL, secure coding training, CodeQL. I think that's basically amazing. I think she continues, you know. That's basically, you know, I completely agree with you, Nidhi. You know, that's what we wanted to communicate to our viewers today: what's in it for you when you look at DevSecOps. So I think that was an amazing tweet.
B
Here's another one. I won't torture you with too many; one last one. Why doesn't Superman fight cyber security? Because he's afraid of cryptocurrency. So do...
B
Well, sorry, Amol. Hey viewers, we would love for you to join us in the fun. Do you have any funny tweets related to security? Tweet us and let us know; please use the #GitHubConstellation hashtag. Coming up next are our wonderful colleagues, Kate and Madison, with the session on helping secure your open source. Over to you, Kate and Madison.
S
Hi everyone, my name is Kate Catlin. I am a senior product manager with the GitHub Security Advisory Database team. So we do all of the engineering and product work to transform those advisories that Madison's team has worked so hard on into a beautiful UI experience. And let's go ahead and get into the slides.
S
And the first thing we're going to talk about is: what is a repository GitHub security advisory? And I'm calling out the word repository here because, later down the line, Madison is going to talk about global security advisories, and those are a little bit different. So, starting with those repository advisories: this is a feature that allows package owners to privately discuss and create a fix for a potential security vulnerability in the project that they own.
S
So let's say that you are a maintainer of an open source package and a security researcher has reached out to you to say: hey, I think I found a vulnerability in your code. What do you do from there? Well, you can handle all of that right here from GitHub. So navigate to your repository and then you're going to select the Security tab on the top bar menu.
S
First is that you can request a CVE number directly through this. Madison is going to talk about CVEs a bit more later, but at a high level this is a globally recognized, unique identifier for your advisory. So if you put this out into the world and people want to talk about it who you've never met before, they know exactly what number to include. Next up, I want to chat about the fact that when you open this GitHub draft security advisory, it also opens a private fork.
S
So you and your fellow maintainers can collaborate on a fix to this security vulnerability and make sure that it truly does patch the problem before you release that. So you're collaborating on a solution, you're fixing the problem, you're writing up the advisory together, and this is all happening behind the scenes, because it's important in instances like these that a bad actor, who would potentially exploit the security vulnerability if they knew about it, does not know about it until you're ready.
S
So when you hit publish, this is what you're going to see next: this beautifully formatted security advisory published right here in your repository. And this is positive for two reasons. Number one is that it lets your users know that they might need to upgrade to your latest version in order to avoid this security vulnerability.
S
The second reason that it's good is that this is something people look for when they're considering whether or not to use your package. What is your security posture? Are you taking security seriously? Have you put out security advisories before, indicating that you're listening to security researchers who are surfacing problems to you? So overall, a very positive experience for your users to have this display. And next up, I will pass it over to Madison to tell us more about global GitHub security advisories.
R
Global GitHub security advisories are chosen for inclusion by curators. There's an actual team of human beings reviewing these advisories and ensuring that the information is correct and accurate and including it within our database. Because it exists within the advisory database, it will also generate automatic alerts that are useful for users of your project, and advisories and alerts are machine readable, which is extremely useful down the line.
R
In addition to this, the curation team creates machine-readable data for advisories. We map packages and versions to a unique identifier, a CVE, and a unique binary object within the package repository, so we can ensure that the package the advisory is about is, in fact, the package that you or your users are actually using.
R
They are often missing package data, vulnerable version ranges and a number of other key vulnerability details, and they do not generate automatic alerts within the GitHub system. Reviewed advisories, however, contain data that is verified by GitHub. Our curation team reviews everything for validity, for accuracy, for completeness of information.
R
We also map package data to specific binary objects within the package registries, and we do generate alerts. So reviewed advisories in the database will generate Dependabot alerts, which will let your users know that there is a vulnerability. It will point them to the latest update and recommend that they fix it.
R
The GitHub Security Advisory Database powers a number of different tooling, including internal vulnerability management here at GitHub. We use this product ourselves because we truly believe in it. This database also powers Dependabot alerts, which are alerts on any dependency added, updated or even removed from your project.
R
The advisory database also powers npm audit, which is the Node.js application security auditing system for the npm ecosystem. So anytime you run npm audit and get feedback that there are vulnerabilities within your system, that data is powered by this advisory database. There are a number of other use cases for the advisory database. There are specific ecosystems that we support that contain vulnerability data that can be found nowhere else.
R
There are a number of ways that you can contribute to the GitHub Security Advisory Database. We've recently released a feature that we are calling community contributions, where we are accepting feedback on specific advisories from all GitHub users. If you are reviewing a security advisory and you notice missing pertinent vulnerability details, impact details or anything else that you might find useful, you are able to submit that information directly to our curation team for review.
R
If you are operating outside of GitHub and are a researcher or a maintainer, you can obtain a CVE from any one of the many CVE Numbering Authorities. If a CVE is assigned to an issue, it again comes to our curation team for review. If it is within one of our supported ecosystems or within the scope of the database, we can review it, and there's a very high likelihood that we can then include that information.
C
Yes, in fact, very recently we worked with one of our enterprise clients to help resolve the Log4j vulnerability. By the way, Dhana, looks like our audiences, who were on with us since morning, could use this short break. What do you think?
C
Okay, everyone, see you back after 15 minutes. Don't miss the amazing sessions and workshop we have lined up for you. See you.
C
I think there are some tweets coming in. Do we, can we see some tweets?
C
GitHub security features, and also a lot about security vulnerabilities, was so interesting, thanks, Goddess White. I'm sure, and I'm happy, that you took something from the sessions that we did today, and I'm sure you would learn a lot more, because there are so many more sessions going to be coming in. So, you know, keep engaged. Then over to you.
Q
Hello and welcome to this presentation from the GitHub Security Lab. My name is Joseph and I've had my dream job here at GitHub for the past seven months now. I say this because I'm very passionate about our mission, which is to inspire and enable the community to secure the open source software we all depend on.
Q
Well, this is not science fiction or a Netflix scenario. 10 years ago, when NASA's Curiosity was landing on the surface of Mars, NASA engineers performed a code review in flight. They wanted to check the software responsible for opening the parachute of the Curiosity rover during landing on the surface of Mars, and that was when they found the bug. The snippet on the slide that is written in C is not the actual code, but a fair description of what was really happening.
Q
This means that the loop in lines 2 and 3 would read the correct memory coordinates just for the first three elements, but then it will go out of bounds, leading to random behavior. The NASA team found out that this case would prevent the parachute opening during the landing phase and lead to a crash of the Curiosity rover.
Q
What we call a variant is another occurrence of the same bug pattern at another place in the code, and they found 30 other variants. They analyzed that some of those would also result in catastrophic consequences, such as the crash of the rover. They fixed all of the variants, and Curiosity was able to land safely on the surface of Mars.
Q
This time they shifted security left by integrating CodeQL at the very beginning of their software development lifecycle. By using GitHub, in two clicks you can enable code scanning with CodeQL and get alerted about security vulnerabilities in your code. CodeQL is free for open source, and you can benefit from the continuously growing query set contributed by GitHub, by the community and by top expert security teams like the one at NASA.
Q
One of the main levers of DevOps adoption was the introduction of infrastructure as code, where developers use code for setting up their own infra without the need to open tickets to operations teams. The fact that developers were writing code empowered them with further benefits, such as reading, contributing and understanding what they were doing. Same for the world of testing: in the pre-agile days, developers and testers belonged to two separate teams. QA would find the bugs and report them back to devs. Nowadays...
Q
The code of the software in the meme would be similar to this. The text in purple represents the user input which is being processed and sanitized. The same will happen, though, if the input is processed with sanitization, but incorrect sanitization. So the idea here is that there is no correct sanitization in place.
Q
Just before the demo, let's define two important concepts for our data flow query that is going to be part of the demo: sources and sinks. Sources are places in the program that receive untrusted user input, for example a field in a web form. Sinks are places in the program where something malicious can happen if the malicious input reaches these places.
Q
In our example, the sink is the place where the SQL query is executed. So it's important for someone to understand that some vulnerabilities cannot really be executed. Think about some user input, like here in the source, where malicious input is getting into the program but it's never really executed, so the sink is never actioned. Here we are looking for the data flow between the source and the sink. So the question we need to ask is a data flow one.
Q
Notice that CodeQL allows users to query code in general, not necessarily for vulnerabilities. You can use it for any type of bugs, or just explore your code. We try to make these queries generic to find variants of vulnerabilities, and the biggest benefit you get is that you will now be able to codify your knowledge of a whole bug pattern about the vulnerability in an expressive query language. The CodeQL language is declarative and logical. Declarative means that you, or we, describe what to find, not how to find it.
Q
However, as a total beginner myself a few weeks ago, the feature I found the most useful to get started with was the existence of a rich set of standard libraries that would make my life much easier, because there would be reusable logic in the form of templates for me to use, and this made me really, really productive.
Q
For example, the template that I'm going to use today in the demo is the one for data flow, and you are going to see what I mean by templates. It's going to be full of CodeQL, and us having the chance to place some placeholders, and the magic is going to happen straight away.
Q
Our demo is designed for total beginners and, while our examples are in Java, you don't need extensive experience with Java either, as what I'm going to show you will be transferable to other languages that are supported by CodeQL, such as JavaScript, Python, Go, Rust, C/C++ and C#. It's demo time now, and here's our demo. Let's first check our vulnerable code base, which is the intentionally vulnerable code base from the OWASP security effort. We have a SQL injection vulnerability in a mobile app.
Q
If you're familiar with SQL, let me just delete this. So if you're familiar with SQL, the structure of CodeQL may look familiar. We have the import clause at the top that allows us to use logic defined in other libraries, in this example the Java standard library. Then we have the query clause that describes what we are trying to find.
Q
So if I read this query out in plain English, it would be: from all the methods being invoked in the program here, give me all those methods. So if I run this, I expect CodeQL to give me back every single method being invoked in the program. So you see loads of methods here are being run. If I click on one, like parseBoolean, we can see where it's being run; clicking on other methods, on all those methods that are actually being invoked in the program.
Q
So let's use the where clause here, and now I'm going to use the call variable again and I'm going to put some restrictions on it. Look how I'm making use of the autocompletion when I press the dot, and how the doc is going to help me when I hover over the functions. So I'm going to use the getMethod method, which is going to give me access to all of these methods individually.
Q
But I need something more now. I need to call specific methods individually, and to do that I'm going to use hasQualifiedName which, as you see from the autocompletion, is expecting a string package, a string type and a string name. And you can see from the help we got here that it holds if the member has the specified name and is declared in the specified package and type.
Q
So what this query is asking in CodeQL is: while initially, before adding the where, we started from all the methods of the program, we now want to arrive at only those methods that are the ones named getText. You can't see that from here, so getText is the method that enables you to have user input. So if I run this query, I expect to come up with those invocations of getText. In fact, we have three of them; let's see if all of them are vulnerable or not.
Q
And I want you, by the way, to notice the way I used chaining here with the dots, like getMethod().hasQualifiedName(). This is another feature that CodeQL brings on top of SQL, which is expressivity with chaining. We can see from the signature of hasQualifiedName that it is expecting a package name, etc., etc.
Q
So you know that by chaining you get access to very specific stuff that is going to make your code very useful to arrive at security vulnerabilities. It's time now to find sinks. To find sinks, we can use the same strategy, with the difference being that we are looking for a different method in a different package name. As we saw, rawQuery; we saw it here at line 147.
Q
Yeah, as we saw, rawQuery takes two arguments, two parameters, of which the first one here is the sink. So let's further refine our query by only asking for the first argument to be returned, the first argument because it's going to be our sink. We can do this by using the Expr type, so now I'm introducing another variable in order to get access to the first argument of the rawQuery method. It's not enough for us to come up with our query.
Q
Let's now see the real power of CodeQL. So we defined our sources and sinks; let's now move to the data flow functionality of CodeQL, which is what is going to provide us with confirmed SQL findings. Luckily, the language comes with a rich set of standard libraries that have ready-made templates. As I told you, we need to just fill them in. On top of the file we have some metadata that will help CodeQL understand what we are trying to do. Please ignore them for now; they're very important.
Q
The TaintTracking library, which is a template configuration to track untrusted user input, followed by the DataFlow PathGraph library, which is all about the visualization of the results. At the end, we are defining a class here at lines 9 to 11 which extends the TaintTracking configuration. Again, this is to help us out, as the TaintTracking configuration is a boilerplate.
Q
Predicates provide a way to encapsulate portions of logic in a program so that they can be reused; think about them like methods and functions. Otherwise I would have to retype the code every single time instead of just using the method. What's important is how we are going to define the isSource predicate and the isSink predicate.
Q
We just have to override them using the code that we have already written before, the one we wrote in here and in here. Just before filling in the predicates, let's briefly talk about this idea of data flow being represented by a graph with nodes, so that when there's flow from one node to another node, then you know that there's flow between sources and sinks, and you know you have a vulnerability, because untrusted user input managed to arrive at the sink and is actually being executed, being actioned.
Q
Otherwise, it would be untrusted user input that is never being exploited in a code base. So think about the nodes: the one node being the isSource and the other node being the isSink. So line 14 is our node 1, the source node, and line 18 is the arrival node, the sink node. So this exercise, and this code here, is all about finding confirmed data flow from sources to sinks. If there is any, then we have confirmed SQL findings.
Q
We can now fill the predicates by using the exists keyword. It is a new keyword, which I want to draw your attention to because it makes the code very readable. So it can read like: there exists a method call such that, when this method call is being accessed, like the getText one, you have confirmed user input being unsanitized in the database.
Q
We can just copy the code we used from before, put it here, and, as I told you about nodes, we need to express this source node to become the getText method at the top. So the way that this reads is: there exists a method call such that, when this method call is the getText method, we have in the source node untrusted user input entering our code base. And we can now fill the isSink method using the same idea, again using the autofill. Here: there exists a method access...
Q
...before, such that node.asExpr(), we call that. So the way that the thing reads is that there exists a method access; when this method access is the rawQuery, then the first parameter is the sink node.
Q
So if you see on the left, you see that the username, through the getText method, is the hacker's entrance. It is then going to the login method, where the username, as the checkName variable, is being checked to see if it's actually a login that exists in our authentication database. And then we can see the login signature, the function login, and finally you have this query, where the untrusted username is actually being used and is being passed into the database using the rawQuery method.
Q
Where query is actually the first parameter and is the sink. So here's one pathway from getText, which is the entry of our program, into the sink, with a confirmed SQL finding. There's another pathway, though, which starts the same way, being the username. But here, look at line 102 and compare it with line 117.
Q
You have invalid credentials being passed. However, the SQL injection vulnerability still occurs, because you have the same pathway even if the credentials are incorrect. Like, for example, an incorrect username or incorrect password is still being checked against the login method, which is again being checked against the rawQuery method. Therefore, you still have a SQL injection finding, and here we have another SQL injection vulnerability, let's say, facilitated by two paths.
Q
So you see how a variable starts and how a variable ends and our attack is being executed. You can't tell me here, you can argue a bit with me, that, yeah, man, come on, this is just like a command file, etc., in a very small database, with two appearances of SQL injection and two pathways each time. But sometimes the path from a user input to the real SQL execution can be very long, with more than 10 steps across several files.
Q
If this is true, then you have a confirmed SQL injection finding. Code can be complex. We know this because we are doing cutting-edge and state-of-the-art research, and by making our CodeQL queries very generic we are able to secure the open source software that we all depend on. And this is our demo for today.
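Editor's note: the query that the demo above builds up step by step is never shown in full in the transcript. The following is an added example written for this page, not the speaker's or the GitHub Security Lab's query, that assembles the same pieces (a getText() source, the first argument of rawQuery() as sink, and a TaintTracking configuration with overridden isSource and isSink predicates). It assumes the demo's Android target (android.widget.EditText, whose getText() is inherited from TextView, and android.database.sqlite.SQLiteDatabase.rawQuery); the query id and class names are made up for the example. It uses the class-based TaintTracking::Configuration API the speaker describes; newer CodeQL releases replace it with a module-based DataFlow::ConfigSig, and rename MethodAccess to MethodCall, so adjust accordingly.

```ql
/**
 * @name Untrusted EditText input flows into SQLiteDatabase.rawQuery
 * @description Added example (not the talk's own query): tracks taint from
 *              getText() to the SQL string argument of rawQuery().
 * @kind path-problem
 * @problem.severity error
 * @id java/example/android-rawquery-sqli
 */

import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

/**
 * Source: a call to getText() on android.widget.TextView or any subtype.
 * EditText overrides getText(), so matching on TextView alone via
 * hasQualifiedName would miss it; walking the supertypes catches both.
 */
class GetTextCall extends MethodAccess {
  GetTextCall() {
    this.getMethod().getName() = "getText" and
    this.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("android.widget", "TextView")
  }
}

/** Sink: the first argument of SQLiteDatabase.rawQuery(), i.e. the SQL text itself. */
class RawQueryArg extends Expr {
  RawQueryArg() {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("android.database.sqlite", "SQLiteDatabase", "rawQuery") and
      this = call.getArgument(0)
    )
  }
}

/** The boilerplate the speaker mentions: only isSource and isSink are filled in. */
class RawQueryConfig extends TaintTracking::Configuration {
  RawQueryConfig() { this = "RawQueryConfig" }

  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof GetTextCall
  }

  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() instanceof RawQueryArg
  }
}

from RawQueryConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted user input from $@ reaches a raw SQL query.", source.getNode(), "getText()"
```

Because the sink is argument 0 only, the query stops reporting once the code is fixed the right way, by moving the user value out of the SQL text and into the selectionArgs array (the second argument of rawQuery, with a ? placeholder in the query string): the tainted value still flows into the call, but no longer into the argument that is interpreted as SQL. String concatenation, escaping or a quick blocklist in the login method would not change the verdict, which is exactly the "incorrect sanitization" case the speaker warns about.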
B
Wow, that's some great stuff. Thank you so much for sharing. Hey Amol, I loved hearing about how NASA's Curiosity used CodeQL to scan their software around 10 years back, and this was done mid-flight. Isn't that just amazing?
T
Hello and welcome to this session. This is "Need help writing secure code? OWASP has got you covered."
T
This is a session about how you, being an open source maintainer of a small or medium project, can write more secure code and leverage these OWASP resources, and for that we will introduce different OWASP projects, and what OWASP is, in a minute. So my name is Alvaro Muñoz, I'm a principal security researcher with the GitHub Security Lab. I'm known as pwntester in different worlds, on GitHub and on social media such as Twitter.
T
If you have any questions about the presentation, these OWASP resources or projects, you can always reach me on Twitter through this handle.
T
So, as I said, I want to focus this presentation on helping the developers and maintainers of small and medium open source projects, because if you are writing code for a big or large organization, you will probably have a security organization, a security team, that is helping you write this secure code, right? You will probably have security trainings or security awareness.
T
You will have things like static analysis or maybe dynamic analysis included in your CI/CD pipelines, and overall you have the help of a team of experts in this area that will help you write more secure code, even in some cases through manual code review and things like that. However, if you are the developer of a small or medium open source project, then this is normally not the case.
T
But probably none of you are really security researchers or security engineers, or are not experts in the different subjects around security and application security. So how can you write more secure code if you don't know about all these attack techniques, attack research, attack vectors that, you know, malicious guys, bad actors, are using?
T
So, first of all, you don't need to be familiar with that, because that is not feasible and it's not even fair to ask you to become an expert, a security expert. But there are a number of things that you can do in order to help secure and improve the security posture of your open source project, even without having to be...
T
...you know, a subject matter expert for application security. And this is what we are going to introduce you to today, and help you using these resources to, even, you know, without being a security expert, without having to know all the different details about these attacks, improve the security of your applications.
T
You know, this puzzle of different components and all this modern digital infrastructure is being held up by a small project that is maintained by a single guy, maybe in Nebraska, like they say; they're probably somewhere else around the globe. And this is really, this is not a joke anymore. This is really the truth.
T
We have seen that with OpenSSH bugs, with, for example, the Log4j vulnerability last Christmas, where all Java applications, or most of them, were vulnerable to remote code execution because they were using Log4j and they were passing untrusted data into the Log4j library, right? So this has become critical. The security of these open source projects that we are all developing is now the security of this modern digital infrastructure, and we need help to improve the security posture of these open source projects, and for that we have to use every single resource.
T
So, if you're not familiar with OWASP, I invite you to visit the owasp.org website and you will learn a lot about the organization itself and the different projects that they maintain. OWASP stands for Open Web Application Security Project, and they have many projects. As I said, today I want to focus on four of them, right?
T
If you know anything about OWASP, it's probably around the Top 10 risks, or the Top 10 Web Application Security Risks, which is probably the most popular OWASP project; actually it's one of the flagship projects of the OWASP organization. However, the OWASP Top 10 project focuses on telling you what the different risks are, so what not to do, and doesn't really help you in telling you, you know, what to do, how to write more secure code, how to prevent those risks from being introduced into your application.
T
So, unfortunately, OWASP changed the focus in the last years and has developed a number of projects that are now focused on how to do things in a more defensive way. So, instead of focusing on the offensive perspective, it is focusing now on the defensive side of things. So now we have other projects that we will introduce today, such as the Cheat Sheets, or the OWASP Top 10 Proactive Controls, or the Application Security Verification Standard, that we will see in a minute.
T
So, first of all, I wanted to talk about the OWASP Top Ten. As I said, it's probably the most famous or the most popular one; it is the OWASP flagship project, and the purpose of the OWASP Top 10 was, you know, basically to raise the bar a little, right? So the problem is that a lot of people were using the OWASP Top 10 as a gospel, instead of, you know, us trying to improve, or helping them improve, the security posture of their applications.
T
So you can see here that this is the top 10 risks of modern software as of 2021. They change, and they update this top 10 every few years, and actually, a few years ago, the number one, and since the creation of the OWASP Top 10, was the injection category. So think about cross-site scripting, think about SQL injection, command injection, JNDI injection; that was, for example, the vulnerability for Log4j.
T
So that was the number one vulnerability for many years now, and we now see that it's number three, which means that we are kind of improving in those areas that are more risky or that are more important for application security, and now other categories that were lower in this top 10 list are now becoming more important. Again, this is a list of things that can go wrong, like broken access control or insecure design, etc.
T
It doesn't really tell you how to protect against injection vulnerabilities, how to implement strong access control, how to implement strong cryptographic properties, etc. So, even though this is a very good project, it's more focused on awareness, and, you know, it's important to be familiar with this list to know what kind of vulnerabilities are out there, right? But it may not even apply to your application or to your library. So let's focus on other projects, and one of the ones...
T
One of the projects that I really like is the OWASP Cheat Sheet project, which is focused on providing good security practices, right? So, rather than focusing on the offensive side, you will find how to securely implement different security-sensitive features, such as authentication, authorization or file upload, for example.
T
In some cases you will find very specific guidance, like, for example, a cheat sheet that may be for a specific language or framework. In some other cases it will be more generic, like, for example, that example that I mentioned around how to implement file upload in a strong way, in a secure way.
T
Even though we haven't really introduced the Application Security Verification Standard project or the OWASP Top 10 Proactive Controls project, all of these cheat sheets are actually mapped to these other projects that we will see later, and, as you can see here, we have more than 78 cheat sheets that are very useful, very specific, very, very detailed on how to implement things securely, right, from a developer point of view.
T
So let's see an example. For example, we have this File Upload cheat sheet, and this is just the introduction. You can see the table of contents at the right, and you can see that, apart from the introduction, this cheat sheet will cover file upload threats, file upload protection and a lot of other things, like validation of the content type, file signature. But already in the introduction you will see a summary of what can go wrong with the implementation of file upload and how to do that securely.
T
So, apart from the file upload one, as you can see, we have 77 more cheat sheets, and, as I mentioned before, we have some of them that are very specific, like, for example, maybe the hijack security one, and others may be more generic, like...
T
So the next project that I wanted to show you is the OWASP Top 10 Proactive Controls, and this one differs from the OWASP Top 10 in that these are really actions that developers can take in their software, right, in their code, to help them prevent the common vulnerabilities that were mentioned in the OWASP Top 10 risks. So on one side you will have the OWASP Top 10 risks, which is telling you what not to do, and here it is telling you what you should do, things like...
T
You should define security requirements for your application, and you should leverage or use security frameworks and libraries instead of rolling your own. This is how you should implement secure access to a database, and this includes many things in addition to SQL injection. So it includes things like how to properly configure the drivers, the connection, how to encrypt data at rest in the database, etc., how to validate the data, how to encode it or escape it for different contexts, etc.
T
So we will see that "define security requirements" is the first one, and actually it is very important, right, and this is where the Application Security Verification Standard comes into play. This is another OWASP project, and it's really one of my favorite ones. It's very detailed, it's very useful. So it was born as a way of verifying: when a company was hiring a penetration tester to perform, you know, a penetration test around their applications, they didn't know, or how could they know, that what the tester was testing was actually what they should be testing for, right. So there was a miscommunication between, or a gap between, the company that didn't know about security and the tester that was testing whatever they thought was required to be tested.
T
So, with this Application Security Verification Standard, what we get is a list of things that, for example, a penetration tester should test for. So in this way we are kind of normalizing the penetration test, so that both the penetration tester and the company that is hiring these services can make sure that the application is properly tested. So that was like the original idea, the original purpose of this project.
T
However, it has grown a lot in the last years, and now you can think about it as well as a blueprint for creating the security requirements for your applications, right. So think about it as: okay, I'm a developer and not a security expert. I know that I need to define some security requirements before starting to write my code, but if I don't know about those attacks, about those vulnerabilities that my application may be vulnerable to, how am I going to write the security requirements, right?
T
So the ASVS project will help you with that, will help you identify what should be the security requirements for your applications. So ASVS is divided into three different compliance levels. So level one is basically for low assurance levels and is completely penetration testable, so it means that you can automate the whole verification of those requirements in an automatic fashion, and therefore you can include that automatic test in your CI/CD pipeline, for example. So level two is for applications that contain sensitive data, which requires protection, and is the recommended level for all or most applications, and level three is like a top tier, basically for really critical applications that perform very sensitive transactions.
T
So, in addition to these three levels of compliance, we have 14 different domains, right. So we have, for example, a domain around architecture, design and threat modeling, requirements about authentication, about session management, about input validation, sanitization and encoding, which is very important, about cryptography, etc. Right, as you can see in this slide, for level one, well, you may not care about security requirements around the architecture, design and threat modeling, but you have a number of requirements for authentication if you are using that.
T
So, first of all, you need to know what your application is doing or is going to do, and then pick what domains are going to apply to your application. So maybe your application is not doing any kind of authentication or authorization or session management, and you can just strike out those domains. So for the domains that you think should apply to your application,
T
then you will have a number of requirements that you can add to your application, depending on the compliance level. So, let's see an example. For example, for domain number 13, which is around API security, and 13.2, which is specifically around RESTful web services, right. There is another one for SOAP, there is another one for different types of APIs, and here are the six requirements that are defined for domain 13 and the second requirement, and, as you can see here, we have things like, you know, verifying that enabled RESTful.
T
So this is a requirement for your application that you need to make sure is implemented correctly, and this is a requirement that is applied to the three levels, so level one, level two and level three, but, as you can see, requirement number five, verifying that REST services explicitly check the incoming content type, is something that may not be required for level one, but it's required for level two and level three, and you can also see what is the CWE, which is the Common Weakness Enumeration, which is the vulnerability category that this requirement is mapped to.
T
So with that, that's all the time we have today, and there is plenty of information on the OWASP site. I really encourage you to visit owasp.org, learn more about the projects. There are plenty more projects that may be very useful for you, so just learn about them, use them and help us secure open source software. Thank you very much.
B
By the way, to all of the viewers watching us right now, please go to githubconstellation.com and enter our capture the flag contest. Of course, please keep engaging with us on Discussions for GitHub Constellation and also tweet us with the hashtag #GitHubConstellation. Amol, what other frameworks would you recommend? I'm asking.
C
Dhara, as per multiple studies by organizations like Gartner, Verizon and other research bodies, more than 65 percent of successful breaches today actually target the application layer. So it's one of the most, it's one of the inherent vulnerabilities in the code that is compromised to get access to the systems.
C
Now, let me ask you one question. So, since I know you've been reading up on a lot of important security research, do you know the percentage of increase in the number of security attacks from 2019 to '21?
B
That's a good question. If I remember correctly, security attacks went up by over 270 percent during the last two years. Is that right?
C
Yeah, you're bang on, and you know why? One of the major reasons is digital transformation, as the majority of the businesses are going online today with web and mobile applications. Okay, here comes another one for you. We all know that the use of open source in today's enterprise software is going up significantly, but how much percent is it, roughly?
C
Wow, good job, Dhara, I must say. Okay, the use of open source is the right way, but it also brings with itself the risk of security vulnerabilities and license compliance. So enterprises need to monitor this.
C
Yeah, that's a good one! So if a vulnerability is identified and remediated during the development phase itself, the cost of fixing it would be 100 times cheaper than doing the same during the test or the production phase, because you have to redo the entire application if a vulnerability is found very late in the development life cycle.
C
Oh, that's my favorite question, and I'm sure I talk to customers and answer that every day, day in, day out. So GitHub Advanced Security actually can help organizations in overcoming these challenges. So what we do is we help them shift left and also provide developers with a single pane of glass view to address vulnerabilities from all the different tools that they use today.
C
Thus improving developer productivity. Also, because Advanced Security is a tool which is very native to GitHub Enterprise, it's already integrated with the overall GitHub ecosystem and relieves organizations of the pain that they encounter generally during third-party integrations, and the entire process of scanning and remediation is automated. So in fact we are currently working on features that would provide developers with remediation steps, which today is a major challenge for developers.
F
So this talk is actually really just a condensed version of a blog post series, a four-post series of blogs that I wrote last year about a project called Exiv2. So what's Exiv2? Exiv2 is a command line application written in C++. It's an open source project, and what it enables you to do is read, modify, delete, etc., the metadata on image files.
F
So how did I get involved with this open source project? So a few years ago, a couple of my colleagues were writing some training slides or training documents for CodeQL, and they decided to use Exiv2 as the example for the training that they were doing.
F
So I went to the project page on GitHub and unfortunately I couldn't find any contact details for the maintainers of the project, and what I also saw was that other people had been finding similar issues to what I'd found in Exiv2 and had been reporting them by just creating public issues on the Exiv2 project GitHub page.
F
So I created this issue on the project page and a few others in quick succession.
F
I think I created four issues like this, and I still feel bad about this, because it turns out that the maintainers of Exiv2 were not okay with this and, in fact, were feeling like they were under siege from security researchers who were reporting bugs like this via public issues on their project, and it was distracting them from what they really wanted to do, which was create a useful tool for image metadata. They didn't want to spend all their time.
F
When I got this response from Robin Mills, who was the primary maintainer of Exiv2 at the time, he wrote this reply to me on one of the issues that I created, and he explained how they're actually just a small group of volunteers, and it became clear from conversations that I had with him how under siege they were feeling and how upsetting they were finding this continuous stream of bug reports. And so he asked me if I'd be willing to help out with fixing these bugs, and so I said, yeah, sure, I'm happy to.
F
For me it was really interesting as a project to work on, because I was interested to see what it's like dealing with these kinds of security issues and what it's like to be an open source maintainer having to deal with these kinds of problems. And so my interest in Exiv2 has always been the security side, and I'm not a photographer myself, and so the actual image metadata thing is of relatively little interest to me, but I'm interested in hardening Exiv2 so that the other contributors to Exiv2 can get on with the stuff that they find interesting and not have to keep dealing with these.
F
So after I'd fixed the handful of issues that I'd found through manual audit, one of the contributors, called Dan, told me, well, he predicted that if I ran a fuzzer on Exiv2 I would find hundreds of issues, and so he showed me how to run AFL, the AFL fuzzer, on Exiv2. And sure enough, I mean, it was, it was.
F
It was just carnage, the results from AFL running it on Exiv2, and so you can see here in this report that it's saying that there are 260 or so crashes found in Exiv2. So that just seemed like a really scary number, but in fact it turned out to be not quite as bad as it seemed at first, I mean, so.
F
It looked like there were hundreds of bugs in Exiv2, but in fact I got started on fixing these things and, for the most part, the bugs were actually very easy to fix. I mean, it was usually just a case of sticking in an extra if statement to check that an integer was within certain bounds, in order to prevent an overflow.
F
So for the most part these bug fixes were very, very simple. It's usually just a couple of lines of changes to the code, and after I'd fixed, after I created 24 pull requests and had them merged.
F
So that seemed like the end, it seemed like the problem was solved and we could declare it job done and move on, and in fact that did seem to be the case for quite a while. But unfortunately, two years later, these bug reports started coming back in again, and so this is one example from April of 2021, and it seemed to start a new series of these bug reports coming in again as public issues on the project page, and I'm assuming that the people filing these bug reports were fuzzing Exiv2, because these again look like fuzzer-generated bug reports.
F
So this time I decided, okay, we're gonna get professional about this and we're gonna put some processes in place so that this doesn't keep happening. So we're really gonna shut this down, make sure that Exiv2 is really bulletproof and doesn't have any more of these kinds of bugs in it, and so there are three main things that we did, listed out here.
F
So the first was we created a security advisory process, so that there'd be information on the repository on how to report a vulnerability, so that people stop creating these public issues. Secondly, we enabled code scanning, and thirdly, we enrolled Exiv2 in OSS-Fuzz. OSS-Fuzz is Google's fuzzing project for open source software. It's a free service provided by Google. It's really cool.
F
So if you put a file called SECURITY.md in your repository, then that will be displayed on the Security tab of your project, and it's a good place to give contact information. So if you find a vulnerability, this is who you should contact, and what we've also done on the Exiv2 SECURITY.md is specify what is and isn't a vulnerability.
F
Oh yeah, and so I've actually just put my own email address in SECURITY.md, so that if somebody finds a vulnerability in Exiv2 they just email me. I think not everybody's gonna wanna do that. I wanted to just get this thing set up quickly, but if you wanted to do this differently, you could create a security@myorganization.com type of email address to handle security reports.
F
The other two features of the GHSA system that are really, really handy are: you can request a CVE through the GHSA, so that's now a really easy process. A few years ago, getting a CVE was a slightly cumbersome process, but now it's just a button click in your GHSA, and also you can develop a fix on a temporary private fork, so that allows you to confidentially develop the fix, and then at the time that you publish, that fix gets merged into your main branch. So everything goes live at the same moment.
F
Okay, so the second of my blog posts in the series of blog posts, I jokingly called it Kev's three rules of bug fixing. So when you do find a bug in your project, I think it's really important to not just fix the bug, but do a couple of other things as well. So, first of all, it's really important to add a regression test, and the reason why I think regression tests are really important is, first of all, I mean, it means that that exact bug can never happen again.
F
But in fact it's pretty unlikely that anybody's going to reintroduce the exact same bug again, but what it does, which is really important, is it creates code coverage for your bug fix. A lot of the time a bug fix is going to be a new if statement in the code, and so by adding a regression test it means you have coverage for that bug fix. So, if anybody's ever wondering.
F
So now, the second step is obviously fix the bug, but the third step is another one that I think is really important. A lot of the time bugs are not unique. So if you have a bug, then there's a good chance you have that same bug elsewhere in the code base, and so it's really, really important to look for variants and make sure that you've fixed them all, rather than just fixing the one bug that you have a test case for.
F
Secondly, there's a commit where I fix the bug, and thirdly, there's a commit where I fixed some variants of that bug, and the way that I found those variants was using a CodeQL query. So just a simple CodeQL query that looks for other places in the code where similar problems might have happened.
F
So code scanning is a feature that GitHub has and it's really easy to switch on. So all you need to do to switch on code scanning on your code base is you go to the Security tab of your project and you click the little button that says "Set up code scanning", and what that's going to do is it's going to add a file to your project in the .github subdirectory. It's going to have a workflow file that will automatically run the CodeQL-based code scanning on every pull request.
F
One of the cool things about it is it's also customizable, so the default suite of checks that are used by code scanning when you switch it on are quite conservative, and they'll only report, it will only run, the checks that we have confirmed have a very high accuracy, so some of the other checks that have been written don't get run because they might have a higher false positive rate, and so we don't switch them on by default. But you can customize your own code scanning configuration for your project so that it adds more of those checks.
F
If you find other checks that are useful for finding bugs that are relevant to your project, then you can switch them on, and you can also write custom CodeQL queries and add them to your configuration. So that's one of the things that we've done for Exiv2: we've added a few custom CodeQL checks to find variants of bugs that have happened in the Exiv2 project in the past.
F
So this is an example of a pull request where I'm adding a custom CodeQL query to Exiv2, and so we've now got the configuration set up so that, just to add a new check to Exiv2, all you need to do is drop a file with a .ql extension into this subdirectory, and then that now gets automatically run on every pull request. And so this was a.
F
So the final thing that we did was we enrolled Exiv2 in OSS-Fuzz. So OSS-Fuzz, as I mentioned earlier, is Google's fuzzing service, and it's really awesome because it runs 24/7, so your project is being fuzzed continuously. So the amount of computing power that Google are now throwing at Exiv2 is far bigger than I ever did when I was fuzzing Exiv2 manually by myself, and so every once in a while one of these things will come in. As of this moment, we're completely clean.
F
We have no open issues with OSS-Fuzz, but it's really nice to have this running continuously, so that you know that you're always a step ahead of people who are trying to find bugs in Exiv2, because it's really hard for them to compete with the amount of computing power that OSS-Fuzz is throwing at this to find bugs in Exiv2. So yeah.
F
This chart shows the OSS-Fuzz issues that have been found over time in Exiv2. So you can see that we started OSS-Fuzz in August of 2021 and initially it found quite a few issues, and that was although we'd tried to iron out the bugs before we enrolled Exiv2. It still managed to find a few more, because it's fuzzing so much more thoroughly than we were able to do when we were just running it kind of manually on our own computers. So it found a bunch of bugs initially and then it really started to level off, and at this point the only bugs that it seems to be finding are ones that have been accidentally introduced during development.
F
So this is an example of one of the bugs that it caught, and this one made me really, really happy that it caught this. So what happened here was that there was a feature that was added, and it was added on the main branch, but also this was a feature that we wanted to actually roll out relatively quickly in one of the released versions of Exiv2 as well.
F
So not only did it go on the main branch, but it also went onto the 0.27 maintenance branch, which will eventually make it into a release, but it hadn't been sent out as a new release yet, and OSS-Fuzz found this bug quite quickly, and one of the things that was really quite pleasing about this was that it seems that there's a bunch of external security researchers that are still fuzzing Exiv2 on a regular basis, and I got an email about a week after OSS-Fuzz reported this problem to me. I got an email from one of these external researchers who'd found the same thing, and I'd been a bit lazy about responding to the OSS-Fuzz problem. I'd seen it, but I hadn't investigated it yet, but still, it was a lag time of about a week between OSS-Fuzz finding something and then external people finding the same thing through their own fuzzing. So it shows how powerful the system is.
F
So to enroll in OSS-Fuzz is relatively straightforward. All you have to do is you have to send a pull request to the OSS-Fuzz repository on GitHub, and it essentially needs to contain three files.
F
It needs to contain a Dockerfile, which tells it how to install the software that you need in order to build and run your project, and then you give it a build.sh file, which gives instructions on how to build your project, and a project.yaml, which contains some information like the URL of the project and the contact details of the person who's going to respond to the bugs found by OSS-Fuzz.
F
Most of the work, to be honest, happens before you get to this point, because you need to make sure that your project is completely clean. So it actually took us a few months to sort of iron out all the bugs that we were aware of, so that we would get as few results as possible once we were enrolled in OSS-Fuzz, and also we had to tinker with our build system, because OSS-Fuzz wants to be able to insert its own compilers and modify the compiler flags and so on.
F
So, to conclude, these are the four main recommendations that I have for how to improve the security posture of your open source project. So, first of all, you should have a security process, so you should have a SECURITY.md with contact details, and I recommend using the GitHub Security Advisories when you do have a security issue, in order to request a CVE and publish an advisory.
F
My three rules of bug fixing are that you should not just fix the bug, but you should also add a regression test every time and also look for variants of that bug and fix them as well, so that you're fixing bugs thoroughly. Code scanning is really easy to switch on on GitHub, and it will help you to find extra problems in your repository, and you can enhance it with extra checks, either by turning on more of the checks that have been written by GitHub or other people, or you can even add your own custom queries to the code scanning configuration. And finally, continuous fuzzing is hugely, hugely valuable, and so we've done that for Exiv2, and it's really helping to stop new bugs from creeping into Exiv2.
B
Oh my gosh, I can't believe the day is almost over, Amol. Well, before Amol gives details about our last session of the day, here is a quick overview of day three. Tomorrow we are celebrating students and academics, so our keynote will be talking about all things GitHub Education, by Moira Hardik, who is a Hubber.
B
We have a panel discussion where we deep dive on the creator economy and its impact in modern education, and we have so many more spotlight sessions, workshops for students and educators and some contests as well. Thank you so much, viewers, for tuning in to our security track. Amol, do you want to share details of our last amazing session for all our viewers out there?