How to Analyze Code for Vulnerabilities using Joern

5,682 views

OWASP DevSlop

2 years ago

▬▬▬▬▬▬ ABSTRACT & BIO 📝 ▬▬▬▬▬▬
Code analysis is the process of examining a program's source code to find security vulnerabilities. It is the most effective way to identify many types of security issues, from injection vulnerabilities to leaked secrets and vulnerable dependencies. But manually analyzing code for vulnerabilities can be very time-consuming. Is there a better way to do this?
In this episode, Vickie and Suchakra will demonstrate how to use the open-source code analysis tool Joern to make code analysis more efficient. How do you effectively trace user input through code? How can you efficiently link bug sources to sensitive sink functions? This is the second edition of How to Analyze Code for Vulnerabilities (How to Analyze Code fo...); this time, they'll show how to do it efficiently using Joern.
VICKIE
Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts “Security Simplified”, a developer education series focusing on web security: / vickielidev.
Vickie Li, Developer Evangelist, ShiftLeft
Twitter ► / vickieli7
Website ► vickieli.dev
YouTube ► / vickielidev
SUCHAKRA
Suchakra Sharma is Staff Scientist at ShiftLeft Inc. where he builds code analysis tools and hunts security bugs. He completed his Ph.D. in Computer Engineering from Polytechnique Montréal where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. As part of his research, he also developed one of the first hardware-trace-based virtual machine analysis techniques. He has delivered talks and training at venues such as RSA, USENIX LISA, SCALE, Papers We Love, Tracing Summit, etc. When not playing with computers, he hikes and writes poems.
Suchakra Sharma, Staff Scientist, ShiftLeft Inc.
Twitter ► / tuxology
▬▬▬▬▬▬ LINKS 🔗 ▬▬▬▬▬▬
Joern Documentation ► docs.joern.io
Joern query database ► queries.joern.io
Joern Community ► / discord
▬▬▬▬▬▬ DEMO 💻 ▬▬▬▬▬▬
Download VLC v3.0.12 source and extract in a convenient directory
$ wget get.videolan.org/vlc/3.0.12/vl...
$ tar -xvf vlc-3.0.12.tar.xz
Download Joern and install
$ wget github.com/joernio/joern/rele...
$ chmod +x ./joern-install.sh
$ sudo ./joern-install.sh
▬▬▬▬▬▬ Producer 🎥 ▬▬▬▬▬▬
Nancy Gariché ► / nancygariche
▬▬▬▬▬▬ Hosts 🎙️ ▬▬▬▬▬▬
Bec ► / errbufferoverfl
James ► / devec0
Lilly ► / attacus_au
Mimi ► / p0kemina
▬▬▬▬▬▬ Connect with Us 👋 ▬▬▬▬▬▬
YouTube ► / owaspdevslop
DEV ► dev.to/devslop
TWITTER ► / owasp_devslop
