/* BlazingWind */

532 posts

@BlazingWindSec

Not active. Security researcher at @GHSecurityLab. Views are my own.

Joined September 2017
489 Following, 284 Followers
/* BlazingWind */ retweeted
Tim Willis
Tim Willis@itswillis·
It doesn't happen very often, but Project Zero is hiring! goo.gle/41DBQBY Please share with anyone you think would be awesome for the role 🎉 Looking for at least one person. DMs open if you want to reach out about the role. The team: youtu.be/My_13FXODdU
/* BlazingWind */ retweeted
GitHub Security Lab
GitHub Security Lab@GHSecurityLab·
🎉 Excited to announce the launch of CodeQL Community Packs for Security teams and researchers! 🚀 Supercharge your code analysis with new Query, Model, and Library packs, to find more vulnerabilities, accelerate codebases audit, and secure code effortlessly. github.blog/security/vulne…
/* BlazingWind */ retweeted
GitHub
GitHub@github·
A new free tier of GitHub Copilot in @code. ✅ 2,000 code completions per month 💬 50 chat messages per month 💫 Models like Claude 3.5 Sonnet or GPT-4o ♥️ More fun for you Check it out today! Oh yeah, and we passed 150M developers on GitHub 💅 github.blog/news-insights/…
/* BlazingWind */ retweeted
GitHub Security Lab
GitHub Security Lab@GHSecurityLab·
🎉 You can now enable code scanning in your GitHub Actions workflow files! ✅ By opting-in to this feature, you can enhance the security of repositories using GitHub Actions. github.blog/changelog/2024…
/* BlazingWind */ retweeted
eul3r
eul3r@0x_dea110c8·
If you don't have time to go through a 1000 page book about compilers but you are curious about them you might follow this instead lowlevelbits.org/how-to-learn-c…
/* BlazingWind */
/* BlazingWind */@BlazingWindSec·
🚀 CodeQL zero to hero part 4: Gradio case study is out! This time we dive into how I wrote CodeQL to support the Gradio framework, scaled the research to a thousand repositories on GitHub, and found 11 vulnerabilities. gh.io/codeql-part-4
/* BlazingWind */
/* BlazingWind */@BlazingWindSec·
I've wanted to contribute to @freeCodeCamp for a while, and now I got a chance. Happy to help secure one of the best platforms for learning programming 🤩
GitHub Security Lab@GHSecurityLab

Excited to see @blazingwindsec recognized in @freeCodeCamp's Security Hall of Fame for uncovering and reporting a security vulnerability in their demo projects. 🎉 Her work helps keep open source safer for everyone! Check it out: contribute.freecodecamp.org/security-hall-…

/* BlazingWind */ retweeted
Jorian
Jorian@J0R1AN·
Aaaaand that's a wrap! Very fun to be on the organizing side of a CTF for once. In the end, Conversationalist was solved 20 times and Global Backups only had 1 solve by @havce_ctf! I've published detailed writeups/source code for both challenges below: github.com/JorianWoltjer/…
Jorian@J0R1AN

The @intigriti #1337UPLIVE CTF just started. I made two hard challenges: Crypto - Conversationalist and Web - Global Backups. Enjoy! ctf.intigriti.io

/* BlazingWind */ retweeted
GitHub Security Lab
GitHub Security Lab@GHSecurityLab·
Want to learn how to secure your browser extensions? Read our latest blog post where we talk about the security model of browser extensions and how developers can keep them secure. github.blog/security/vulne…
/* BlazingWind */ retweeted
Ekoparty | Hacking everything
MainTrack talks #EKO2024 🔥 📌 @artsploit, Security Researcher at GitHub Security Lab 💡 “Breaking corporate Maven repositories”: In the Java ecosystem, companies often use in-house repository managers, such as Sonatype Nexus or JFrog Artifactory, to store artifacts and cache their dependencies locally. This helps to provide certainty and security about used dependencies, but it also brings a whole new attack surface. In this presentation, I’ll reveal some intriguing vulnerabilities and CVEs that I've recently found in popular Maven repository managers. I'll illustrate how specially crafted artifacts can be used to attack not the users, but the repository managers that distribute them. Finally, I'll demonstrate some exploits that can lead to pre-auth remote code execution and poisoning of the local artifacts. This research might be interesting to people who specialize in web, Java or supply chain security. All vulnerabilities mentioned in the outline are already patched, but some of them are not public yet. I'm going to fully disclose them on the day of the conference. A full whitepaper will be published alongside the presentation. Note: I can also make it as a lightning talk if necessary. ✅ This talk will be given in English. 📍 November 13, 14 and 15 at the CEC - Buenos Aires 🎟️ Register for free until 31/10! >> entradas.ekoparty.org 🚀 You can see the full agenda at ekoparty.org/agenda
/* BlazingWind */
/* BlazingWind */@BlazingWindSec·
Which lock picking sets do folks recommend for a student hacking club that wants to do it as a fun workshop for beginners? Preferably a set that comes with a few easier and medium-hard locks, or a few that are modifiable.
Michael Blake
Michael Blake@Michael1026H1·
@ngalongc I really like CodeQL with custom rules for things like authorization issues.
/* BlazingWind */
/* BlazingWind */@BlazingWindSec·
Yesterday, I had a blast presenting the "Finding vulnerabilities with CodeQL" workshop at OrangeCon. Thank you to the organizers for creating such a great conference @OrangeCon_nl 👏👏