
How to Analyze Code for Vulnerabilities using Joern

▬▬▬▬▬▬ ABSTRACT & BIO 📝 ▬▬▬▬▬▬
Code analysis is the process of analyzing the code of a program to find security vulnerabilities. It is the most effective way to identify many types of security issues, from injection vulnerabilities to issues like leaked secrets and vulnerable dependencies. But the process of manually analyzing code for vulnerabilities can be very time-consuming. Is there a better way to do this?

In this episode, Vickie and Suchakra will demonstrate how to use the open-source code analysis tool Joern to make code analysis more efficient. How do you effectively trace user input in code? How can you efficiently link bug sources to sensitive sink functions? This is the second edition of How to Analyze Code for Vulnerabilities (https://www.youtube.com/watch?v=A8CNysN-lOM); this time, they’ll talk about how to do it efficiently using Joern.

VICKIE
Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on https://vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts “Security Simplified”, a developer education series focusing on web security: https://www.youtube.com/c/vickielidev.

Vickie Li, Developer Evangelist, ShiftLeft
Twitter ► https://twitter.com/vickieli7
Website ► https://vickieli.dev
YouTube ► https://www.youtube.com/c/vickielidev
SUCHAKRA
Suchakra Sharma is a Staff Scientist at ShiftLeft Inc., where he builds code analysis tools and hunts security bugs. He completed his Ph.D. in Computer Engineering at Polytechnique Montréal, where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. As part of his research, he also developed one of the first hardware-trace-based virtual machine analysis techniques. He has delivered talks and training at venues such as RSA, USENIX LISA, SCALE, Papers We Love, Tracing Summit, etc. When not playing with computers, he hikes and writes poems.

Suchakra Sharma, Staff Scientist, ShiftLeft Inc.
Twitter ► https://twitter.com/tuxology

▬▬▬▬▬▬ LINKS 🔗 ▬▬▬▬▬▬
Joern Documentation ► https://docs.joern.io
Joern query database ► https://queries.joern.io
Joern Community ► https://discord.gg/ff3ahcFrJq
▬▬▬▬▬▬ DEMO 💻 ▬▬▬▬▬▬
Download the VLC v3.0.12 source and extract it into a convenient directory
$ wget http://get.videolan.org/vlc/3.0.12/vlc-3.0.12.tar.xz
$ tar -xvf vlc-3.0.12.tar.xz

Download and install Joern
$ wget https://github.com/joernio/joern/releases/latest/download/joern-install.sh
$ chmod +x ./joern-install.sh
$ sudo ./joern-install.sh
▬▬▬▬▬▬ Producer 🎥 ▬▬▬▬▬▬
Nancy Gariché ► https://www.linkedin.com/in/nancygariche
▬▬▬▬▬▬ Hosts 🎙️ ▬▬▬▬▬▬
Bec ► https://twitter.com/errbufferoverfl
James ► https://twitter.com/devec0
Lilly ► https://twitter.com/attacus_au
Mimi ► https://www.instagram.com/p0kemina/
▬▬▬▬▬▬ Connect with Us 👋 ▬▬▬▬▬▬
YOUTUBE ► https://www.youtube.com/c/OWASPDevSlop/
DEV ► https://dev.to/devslop
INSTAGRAM ► https://www.instagram.com/owaspdevslop/
TWITTER ► https://twitter.com/Owasp_DevSlop

Video: How to Analyze Code for Vulnerabilities using Joern, from the OWASP DevSlop channel
Video information
16 October 2021, 17:20:33
Duration: 01:13:50