Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Open-Source_Security.pdf

Sahil Dari
April 22, 2024
0
6

 Open-Source_Security.pdf

Sahil Dari

April 22, 2024
Tweet

More Decks by Sahil Dari

See All by Sahil Dari
BSides Jaipur
sahildari
0
12

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
Faster Mobile Websites
deanohume
305
30k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
520
YesSQL, Process and Tooling at Scale
rocio
169
14k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
170
Agile that works and the tools we love
rasmusluckow
328
21k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k

Transcript

  1. OPEN-SOURCE SECURITY SAHIL DARI – APRIL 2024 – NULL KIET

    GHAZIABAD

  2. ABOUT YOUR SPEAKER  Hi, I’m Sahil Dari  AppSec

    Professional from 3.5 years now, currently I’m working at eSecForte Technologies Pvt. Ltd.  Proficient in AppSec(Web, API, SAST, Android) and Threat Modeling  CVEs: CVE-2023-37635, CVE-2023-37636, CVE-2024-3137, CVE-2024- 31061, CVE-2024-31062, CVE-2024-31063, CVE-2024-31064, CVE-2024- 31065.  /in/sahildari /sahildari /sahildari

  3. WHAT IS OPEN-SOURCE SECURITY Nowadays, most companies use open-source software.

    Even if they don’t use standalone open-source applications, most applications use third-party and open-source libraries and components If these open-source components contain exploitable vulnerabilities or malicious functionality, they can expose the organization’s applications to attack.

  4. HOW TO CONTRIBUTE TO OPEN-SOURCE PROJECTS Choose from various things:

    • Platform (github.com, gitlab.com, code.onedev.io, codeberg.org, gitea.com, etc.) • Language (C#, C++, Java, Python, Ruby, etc.) • Organisation (Apple, GitHub, Meta, Amazon, Google or some small scaled companies) • Installable or not • Personal Tech Stack

  5. TYPES OF BUGS TO FIND Access Control Related Issues Injection

    Related Issues Security Misconfigurations Hardcoding Issues Dependency Injection and many more…

  6. ACCESS CONTROL EXAMPLE CODE IN C#

  7. SQL INJECTION EXAMPLE CODE IN C#

  8. HTTP SECURITY HEADERS EXAMPLE CODE IN C#

  9. HARDCODING ISSUES EXAMPLE CODE IN C#

  10. STEPS TO CONTRIBUTE TO OPEN-SOURCE PROJECTS Find a Product or

    package you want to contribute to. Find a security Flaw in the repository. Look for the Security.md in the repository. Find the repository on [huntr.dev] and report the bug. If the repository is not found on [huntr.dev], report the vulnerability to the repository maintainer(s). If the repository is not found on [huntr.dev],Report the Security Vulnerability to [cveform.mitre.org].

  11. BENEFITS OF CONTRIBUTING TO OPEN SOURCE AS SECURITY RESEARCHER Get

    Recognized for your work. Get Awarded with CVEs. Increase your Skill Set. Ability to collaborate with people from allover the world. Monetary Benefits

  12. TOOLS AND RESOURCES  [Coverity Scan Static Analysis](https://scan.coverity.com/)  [HCL

    Appscan Codesweep](https://marketplace.visualstu dio.com/items?itemName=HCLTechnologi es.hclappscancodesweep)  [GitHub Dorks](https://shorturl.at/cFSY0)  [Scout](https://github.com/sahildari/scout)

  13. THANK YOU CONNECT ME ON SOCIAL PLATFORMS @SAHILDARI EMAIL ME:

    [email protected]