Defect to Doctrine: Security Bug Case Studies

Defect to Doctrine: Security Bug Case Studies

I am not a security research or bug bounty hunter. Just a humble programmer who has found and fixed some security bugs over the years. I admire exploit authors who take advantage of programmers' mistakes to penetrate, pivot and profit. But this is not that talk.

As an industry, we can (and must) improve the security of the the systems we write by learning from our mistakes. Every bug tells a story. Every story has a moral, if you care to look for it.

In this talk I will describe four different vulnerabilities in programs I worked on, including FreeIPA, Dogtag PKI and Firefox. I will explain what the bug was, it's impact, how it was discovered and how I resolved it. From each case study I will develop one or two important principles for secure programming.

This presentation will be most useful for programmers, engineering managers, and security folk who want an engineer's perspective on how issues arise and how to avoid them.


Fraser Tweedale

April 06, 2019