Semmle

Big news! Semmle is joining the @Github team to bring community-powered security analysis to millions of developers. Learn more from Semmle CEO @oegerikus here: hubs.ly/H0kQZ2y0

ICYMI: We're running a CTF until December 31st. Write a CodeQL query to find a specific class of DOM-based XSS vulns. The 2 best submissions will win Nintendo Switches, and 10 additional entries will receive coupons that can be used for GitHub Swag. securitylab.github.com/ctf/jquery

We've just launched a new slack workspace for anyone interested in being part of the mission to secure the open source software we all depend on. ghsecuritylab.slack.com If you'd like to receive an invitation to join the workspace, send us a DM with your email address.

Yesterday we had our first GitHub Security Meetup, with ligthning talks by @kevin_backhouse @Nosoynadiemas @agustingianni and Abishek Arya (Google). But also with exciting discussions with security folks. Thanks to all attendees and others: stay tuned for the next one in January.

Learn how our security researcher @nicowaisman found wireless vulnerabilities in the Linux Kernel, and variants, thanks to CodeQL: securitylab.github.com/research/anato…

Want to challenge your vulnerability hunting skills? Try our latest Capture The Flag and discover XSS-unsafe jQuery plugins: securitylab.github.com/ctf/jquery

Check out the GitHub Security Lab bounty program! securitylab.github.com/bounties. Write a query, find bugs, get rewarded.

Welcome to the GitHub Security Lab @GHSecurityLab! Join us and contribute to secure the world's code! Visit securitylab.github.com

Want to learn more about QL and how you can use it to find variants of vulnerabilities in your code? Join us for our Semmle User Group this Wednesday night at Mozilla. See the event details for more information. meetup.com/Semmle-San-Fra…

Semmle security researcher @kevin_backhouse discloses another integer overflow vulnerability in libssh2, which could potentially lead to information disclosure blog.semmle.com/libssh2-intege…

Wondering how @fjserna found 13 CVEs in U-boot? Watch his #BlackHat presentation "Using One Exploitable Zero-Day to Eradicate an Entire Class of Vulnerabilities" on-demand: hubs.ly/H0l0c_V0

Is your code VUCA (Volatile, Uncertain, Complex, Ambiguous)? Let's see how the OODA Loops theory inspires our code review practices. hubs.ly/H0l0c_y0

Join us today for some @Semmle fun and examples of finding vulnerabilities! Let's democratize security

In this video, @kevin_backhouse discusses the libssh2 integer overflows and out-of-bounds read he recently discovered. See how it can be triggered by connecting to a malicious ssh server hubs.ly/H0l094z0

Imagine if your dev team could have automated code review powered by security expertise? Tomorrow, join @oegerikus and @fjserna to see how community-powered security can become a part of the developer’s workflow. hubs.ly/H0l092P0

Thanks for everyone that attend my QL workshop at #Ekoparty! Here is some of the material covered during the workshop: github.com/nicowaisman/QL…

Are unit tests really effective in preventing bugs? We analyzed over 50k LGTM projects in Java, Python, and Javascript to find out. hubs.ly/H0l17-D0

Now in beta! LGTM is supporting Golang and we have some projects that you can explore. Check them out and suggest others you'd like us to analyze. hubs.ly/H0l167w0

.@mmolgtm takes a deep dive into past Android #deserialization vulnerabilities that exploited C++ pointers wrapped inside Java objects. hubs.ly/H0k_Nrz0

Un honor tener a @nicowaisman en la eko, esta vez con su workshop "Cazando bugs con redes de pesca". Aprendimos cómo modelar bugs para encontrar vulnerabilidades 🎣 . Such an honor to have @nicowaisman at ekoparty, this time with his workshop "Hunting bugs with fishing nets" 🎣

Imagine if your dev team could have automated code review powered by security expertise? Join @oegerikus and @fjserna as they share their vision for community-powered secure development: hubs.ly/H0kZ9290