OWASP 2022 Global AppSec San Francisco has ended
Global AppSec San Francisco returns November 14-18.

Designed for private and public sector infosec professionals, the two-day OWASP conferences equip developers, defenders, and advocates to build a more secure web. We are offering educational 1-day, 2-day, and 3-day training courses on November 14-16.

Join us for leading application security technologies, speakers, prospects, and the community, in a unique event that will build on everything you already know to expect from an OWASP Global Conference.
Thursday, November 17 • 10:30am - 11:30am
Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All


Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new; we've known about them for years, but they're everywhere!

The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports isn't useful by itself, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution: automated bulk pull request generation. We'll discuss the practical applications of this technique on real-world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.

Jonathan Leitschuh

Software Engineer and Software Security Researcher, HUMAN
Jonathan Leitschuh is a Software Engineer and Software Security Researcher. He is the first ever Dan Kaminsky Fellow. Jonathan is best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He is amongst the top OSS researchers on GitHub by advisory credit. He's...
Patrick Way

Senior Software Engineer, Moderne, Inc.
Patrick Way is a Senior Software Engineer on the OpenRewrite team at Moderne. He has been in software engineering for over 20 years. His software spans domains including agriculture, e-commerce, and healthcare. Between 2001 and 2011, he owned and operated a small consulting business...

Thursday November 17, 2022 10:30am - 11:30am PST
Seacliff CD