How to Analyze Code for Vulnerabilities using Joern
▬▬▬▬▬▬ ABSTRACT & BIO 📝 ▬▬▬▬▬▬
Code analysis is the process of analyzing the code of a program to find security vulnerabilities. It is the most effective way to identify many types of security issues, from injection vulnerabilities to issues like leaked secrets and vulnerable dependencies. But the process of manually analyzing code for vulnerabilities can be very time-consuming. Is there a better way to do this?
In this episode, Vickie and Suchakra will demonstrate how to use the open-source code analysis tool Joern to make code analysis more efficient. How do you effectively trace user input in code? How can you efficiently link bug sources to sensitive sink functions? This is the second edition of How to analyze code for vulnerabilities (https://www.youtube.com/watch?v=A8CNysN-lOM); this time, they’ll talk about how to do it efficiently using Joern.
VICKIE
Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on https://vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts “Security Simplified”, a developer education series focusing on web security: https://www.youtube.com/c/vickielidev.
Vickie Li, Developer Evangelist, ShiftLeft
Twitter ► https://twitter.com/vickieli7
Website ► https://vickieli.dev
YouTube ► https://www.youtube.com/c/vickielidev
SUCHAKRA
Suchakra Sharma is Staff Scientist at ShiftLeft Inc. where he builds code analysis tools and hunts security bugs. He completed his Ph.D. in Computer Engineering from Polytechnique Montréal where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. As part of his research, he also developed one of the first hardware-trace-based virtual machine analysis techniques. He has delivered talks and training at venues such as RSA, USENIX LISA, SCALE, Papers We Love, Tracing Summit, etc. When not playing with computers, he hikes and writes poems.
Suchakra Sharma, Staff Scientist, ShiftLeft Inc.
Twitter ► https://twitter.com/tuxology
▬▬▬▬▬▬ LINKS 🔗 ▬▬▬▬▬▬
Joern Documentation ► https://docs.joern.io
Joern query database ► https://queries.joern.io
Joern Community ► https://discord.gg/ff3ahcFrJq
▬▬▬▬▬▬ DEMO 💻 ▬▬▬▬▬▬
Download the VLC v3.0.12 source and extract it into a convenient directory
$ wget http://get.videolan.org/vlc/3.0.12/vlc-3.0.12.tar.xz
$ tar -xvf vlc-3.0.12.tar.xz
Download and install Joern
$ wget https://github.com/joernio/joern/releases/latest/download/joern-install.sh
$ chmod +x ./joern-install.sh
$ sudo ./joern-install.sh
▬▬▬▬▬▬ Producer 🎥 ▬▬▬▬▬▬
Nancy Gariché ► https://www.linkedin.com/in/nancygariche
▬▬▬▬▬▬ Hosts 🎙️ ▬▬▬▬▬▬
Bec ► https://twitter.com/errbufferoverfl
James ► https://twitter.com/devec0
Lilly ► https://twitter.com/attacus_au
Mimi ► https://www.instagram.com/p0kemina/
▬▬▬▬▬▬ Connect with Us 👋 ▬▬▬▬▬▬
YOUTUBE ► https://www.youtube.com/c/OWASPDevSlop/
DEV ► https://dev.to/devslop
INSTAGRAM ► https://www.instagram.com/owaspdevslop/
TWITTER ► https://twitter.com/Owasp_DevSlop
Video “How to Analyze Code for Vulnerabilities using Joern” from the OWASP DevSlop channel