ML-assisted Listing and Search backend. Chin-Ming Huang Software engineer at Mercari since 2019, primarily focusing on ML price and Search backend. Mohit Pokharna
IBM Cost of a Data Breach Report 2023:
• Average total cost of a breach in 2023
• 277 days: average time to identify and contain a data breach
• 17%: data breaches caused by known unpatched vulnerabilities or unknown (zero-day) vulnerabilities
Ref: IBM Report
Hub Breach (2020), SolarWinds Supply Chain Attack (2021), Codecov Supply Chain Attack (2021), Log4Shell Vulnerability
Equifax (2017) timeline:
• Mar 7th: Apache Struts releases a security patch
• Mar 12th: attackers begin exploiting the still-unpatched Struts instance at Equifax
• Jul 29th (144 days after the patch, 139 days after the initial compromise): Equifax discovers the breach
• Impacted over 147 million people, including PII
in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."
identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. • There is one CVE Record for each vulnerability in the catalog. • The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. CVE Program (ref)
bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CVE Numbering Authorities (CNAs) (ref)
Keep your Go version and dependencies up to date. • Test with fuzzing to uncover edge-case exploits. • Check for race conditions with Go’s race detector. • Use Vet to examine suspicious constructs. • Subscribe to golang-announce for notification of security releases. Best Practices (ref)
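The fuzzing item above is the one that needs code to be concrete. The following is an added example, not code from the talk or from Mercari: a length-prefixed record parser in the unchecked form a fuzzer finds within seconds, the hardened form, and a native Go fuzz target for it. The record format, the function names and the seed inputs are all constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"testing"
)

var ErrTruncated = errors.New("record truncated")

// parseRecordUnchecked is the shape of bug fuzzing catches quickly: it trusts
// the 2-byte big-endian length prefix and slices past the end of its input,
// which panics (a remote denial of service if the input is network data).
func parseRecordUnchecked(b []byte) []byte {
	n := binary.BigEndian.Uint16(b) // panics when len(b) < 2
	return b[2 : 2+int(n)]          // panics when the payload is shorter than n
}

// ParseRecord is the hardened version: every length is validated before use.
func ParseRecord(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, ErrTruncated
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b)-2 < n {
		return nil, ErrTruncated
	}
	return b[2 : 2+n], nil
}

// FuzzParseRecord is a native Go fuzz target (go test -fuzz=FuzzParseRecord);
// in a real project it lives in a _test.go file. The seeds are one valid and
// one empty record; the fuzzer mutates them and reports any panic or broken
// invariant. Pointed at parseRecordUnchecked instead, it finds the crash fast.
func FuzzParseRecord(f *testing.F) {
	f.Add([]byte{0, 3, 'a', 'b', 'c'})
	f.Add([]byte{0, 0})
	f.Fuzz(func(t *testing.T, b []byte) {
		rec, err := ParseRecord(b)
		if err != nil {
			return // malformed input must be rejected, never panic
		}
		if len(rec) != int(binary.BigEndian.Uint16(b)) {
			t.Fatalf("length mismatch: got %d bytes", len(rec))
		}
	})
}

// Panics reports whether fn panics; it shows the unchecked parser failing on
// the kind of input a fuzzer generates.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	bad := []byte{0, 10, 'a'} // constructed input: claims 10 bytes, carries 1
	fmt.Println("unchecked panics:", Panics(func() { parseRecordUnchecked(bad) }))
	_, err := ParseRecord(bad)
	fmt.Println("checked returns:", err)
}
```

The same workflow covers the other two items on the slide: `go test -race ./...` runs the tests under the race detector, and `go vet ./...` flags the suspicious constructs (unreachable code, misuse of sync types, printf mismatches) that the compiler accepts.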
curated by the Go Security team. • Reports are formatted in the Open Source Vulnerability (OSV, GitHub) format and accessible through the API. Vulnerability Database
The latest time the database should be considered to have been modified, as an RFC3339-formatted UTC timestamp ending in "Z".
• /index/modules.json[.gz]: a list containing metadata about each module in the database.
• /index/vulns.json[.gz]: a list containing metadata about each vulnerability in the database.
• /ID/$id.json[.gz] (e.g. /ID/GO-2022-0191.json): the individual report for the vulnerability with ID $id, in OSV format.
ID format: GO-<YEAR>-<ENTRYID>
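What a consumer of the /ID/$id.json endpoint actually does with an OSV report is decide whether a given module version falls inside one of the report's SEMVER ranges. The following is an added example, not code from the talk, Mercari, or the Go vulndb project: it decodes the subset of the OSV layout that vuln.go.dev records use (package name, ranges, introduced/fixed events) and answers that question. The embedded report is constructed with a placeholder ID and module path and is not a real database entry; the version comparison handles MAJOR.MINOR.PATCH only and rejects pre-release and build suffixes, so production code should use golang.org/x/mod/semver instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the OSV schema used by vuln.go.dev records; unknown fields are ignored.
type Affected struct {
	Package struct {
		Name string `json:"name"`
	} `json:"package"`
	Ranges []struct {
		Type   string  `json:"type"`
		Events []Event `json:"events"`
	} `json:"ranges"`
}

// An event carries exactly one field; "introduced": "0" means every version.
type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

// sampleReport is a CONSTRUCTED record in the vuln.go.dev layout (placeholder ID
// and module path); it is not a real database entry.
const sampleReport = `{"id": "GO-0000-0001", "modified": "2024-01-02T03:04:05Z",
  "affected": [{"package": {"name": "example.com/parser", "ecosystem": "Go"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.3"},
      {"introduced": "1.3.0"}, {"fixed": "1.3.2"}]}]}]}`

// semver is MAJOR.MINOR.PATCH only; pre-release and build suffixes are rejected.
// Use golang.org/x/mod/semver for full ordering in production code.
type semver [3]int

func parseSemver(s string) (v semver, err error) {
	// Module versions carry a "v" prefix; OSV event versions ("0", "1.2.3") do not.
	for i, p := range strings.SplitN(strings.TrimPrefix(s, "v"), ".", 3) {
		if v[i], err = strconv.Atoi(p); err != nil || v[i] < 0 {
			return v, fmt.Errorf("unsupported version %q", s)
		}
	}
	return v, nil
}

// compareSemver is negative, zero or positive, like strings.Compare.
func compareSemver(a, b semver) int {
	for i := range a {
		if a[i] != b[i] {
			return a[i] - b[i]
		}
	}
	return 0
}

// inRange walks the events in order: each introduced/fixed pair is the half-open
// interval [introduced, fixed); a trailing "introduced" with no "fixed" is still open.
func inRange(v semver, events []Event) (bool, error) {
	var start semver
	open := false
	for _, ev := range events {
		ver, err := parseSemver(ev.Introduced + ev.Fixed) // exactly one is set
		if err != nil {
			return false, err
		}
		if open = ev.Introduced != ""; open {
			start = ver
		} else if compareSemver(v, start) >= 0 && compareSemver(v, ver) < 0 {
			return true, nil
		}
	}
	return open && compareSemver(v, start) >= 0, nil
}

// IsAffected reports whether modulePath@version lies in any SEMVER range of the
// report: the module-level check that precedes symbol-level reachability analysis.
func IsAffected(reportJSON, modulePath, version string) (bool, error) {
	var r struct{ Affected []Affected `json:"affected"` }
	if err := json.Unmarshal([]byte(reportJSON), &r); err != nil {
		return false, err
	}
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	for _, a := range r.Affected {
		if a.Package.Name != modulePath {
			continue
		}
		for _, rg := range a.Ranges {
			if rg.Type != "SEMVER" {
				continue // only SEMVER ranges are comparable here
			}
			if hit, err := inRange(v, rg.Events); err != nil || hit {
				return hit, err
			}
		}
	}
	return false, nil
}
```

A module version that is not affected at this level needs no further work; one that is affected is where govulncheck's call-graph analysis (next slides) decides whether the vulnerable symbols are actually reachable.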
under the BSD-style license found in the LICENSE file. Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license. License (ref)
which may result in false positives or inaccurate call stacks in some cases. • Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported. Use of the unsafe package may result in false negatives. • Because Go binaries do not contain detailed call information, govulncheck cannot show the call graphs for detected vulnerabilities. It may also report false positives for code that is in the binary but unreachable. Limitations
See https://go.dev/issue/61211 for updates. • Govulncheck only reads binaries compiled with Go 1.18 and later. • For binaries where the symbol information cannot be extracted, govulncheck reports vulnerabilities for all modules on which the binary depends. Limitations
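The reflect limitation above is easiest to see side by side. This is an added example, not code from the talk, Mercari, or the govulncheck project: Codec stands in for a dependency whose Decode method has a published vulnerability (hypothetical; no real module or report is named), and the two callers reach the same method, one through a static call that govulncheck's source-mode analysis sees and one through reflect.Value.MethodByName that it cannot.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Codec stands in for a dependency whose Decode method has a published
// vulnerability (hypothetical; no real module or report is referenced).
type Codec struct{}

func (Codec) Decode(s string) string { return strings.ToUpper(s) }

// DirectCall: the edge DirectCall -> Codec.Decode is in the static call
// graph, so source-mode govulncheck reports the vulnerability as reachable.
func DirectCall(s string) string {
	return Codec{}.Decode(s)
}

// ReflectCall resolves the method name at run time. No static edge exists, so
// source-mode govulncheck reports nothing even though the same code executes.
func ReflectCall(method, s string) (string, error) {
	m := reflect.ValueOf(Codec{}).MethodByName(method)
	if !m.IsValid() {
		return "", fmt.Errorf("no method %q", method)
	}
	out := m.Call([]reflect.Value{reflect.ValueOf(s)})
	return out[0].String(), nil
}

// Dispatch is what reflect-driven plugin or RPC layers typically look like:
// the method name comes from data ("Decode:payload"), not from code.
func Dispatch(request string) (string, error) {
	method, arg, found := strings.Cut(request, ":")
	if !found {
		return "", fmt.Errorf("bad request %q", request)
	}
	return ReflectCall(method, arg)
}

func main() {
	fmt.Println(DirectCall("abc"))    // visible to static analysis
	fmt.Println(Dispatch("Decode:abc")) // same method, invisible to it
}
```

The complementary check for code like Dispatch is the binary mode described on the limitations slide: because MethodByName forces the linker to keep exported methods, Codec.Decode is present in the binary, and a symbol-presence scan of the binary will flag it, at the cost of the false positives that mode can produce for linked-but-unreachable code. Code that uses the unsafe package has the same blind spot in source mode.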