From Theory to Practice: Navigating the Challenges of Vulnerability Research
Transitioning from theoretical knowledge to practice in web security often presents extra challenges. Real-world scenarios introduce complexities such as bad-character filters and Web Application Firewalls (WAFs), requiring the researcher to investigate ways to bypass these restrictions. Key learnings include: drawing on collaborative efforts and senior industry research; embracing failure as a learning experience; and understanding how ethical security research faces legal hurdles in countries like Portugal, which hinder progress and discourage potential researchers. Navigating this bridge from theory to practice requires technical prowess and resilience.
Speaker Bio
Raphael Silva is an AppSec Analyst at Checkmarx. He has participated in public speaking activities, including a Code Review workshop at AppSec Village at DEFCON30 and talks about AI and AppSec at his former university. He has found multiple vulnerabilities in open-source products over the years and is eWPTXv2 certified and OSCP enrolled.
Harnessing Reachability Analysis to Discern Real Threats in Software Dependencies
This talk dives into the shortcomings of traditional dependency analysis methods, which usually rely on build manifests and metadata to spot security or performance vulnerabilities in Java projects. While tools like Maven Dependency Checker are invaluable, they often fall short when precise answers are needed, forcing developers to lean on time-consuming manual code reviews. A thorough look at how dependencies are actually used in the code, with the help of static and reachability analyses, can be a more effective way to pinpoint real threats in Java dependencies. The talk provides practical strategies for applying static and reachability analyses, promoting a more detailed method for managing dependencies and finding vulnerabilities.
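As an added illustration of the reachability idea in this abstract (not code from the talk or from Endor Labs), the following Python script triages advisories against a call graph: an advisory counts as a real finding only if one of its vulnerable methods is reachable from the application's entry points, and the witness call path is returned as evidence for a reviewer. The call graph, method names and advisory ids are all constructed placeholders.

```python
from collections import deque

# Constructed call graph (hypothetical method names) for a toy Java-style project; "lib." marks third-party code.
CALL_GRAPH = {
    "app.Main.main": ["app.Orders.process"],
    "app.Orders.process": ["lib.json.Parser.parse", "app.Orders.save"],
    "app.Orders.save": ["lib.db.Client.insert"],
    "lib.json.Parser.parse": ["lib.json.Parser.readToken"],
    "lib.json.Parser.readToken": [],
    "lib.db.Client.insert": [],
    # On the classpath (the manifest lists lib.xml) but never invoked by application code.
    "lib.xml.Loader.load": ["lib.xml.Loader.resolveEntity"],
    "lib.xml.Loader.resolveEntity": [],
}

# Constructed advisory data with placeholder ids: advisory -> vulnerable methods.
ADVISORIES = {
    "ADVISORY-PLACEHOLDER-1": {"lib.xml.Loader.resolveEntity"},
    "ADVISORY-PLACEHOLDER-2": {"lib.json.Parser.readToken"},
}

def call_paths(graph, entry_points):
    """BFS from the entry points; returns {method: shortest call path from an entry point}."""
    paths = {ep: [ep] for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in paths:
                paths[callee] = paths[caller] + [callee]
                queue.append(callee)
    return paths

def triage_advisories(graph, entry_points, advisories):
    """Split advisories into reachable ones (with a witness path) and manifest-only noise."""
    paths = call_paths(graph, entry_points)
    reachable, unreachable = {}, []
    for adv_id, vuln_methods in advisories.items():
        hits = sorted(m for m in vuln_methods if m in paths)
        if hits:
            reachable[adv_id] = paths[hits[0]]  # evidence a reviewer can check by hand
        else:
            unreachable.append(adv_id)
    return reachable, unreachable

if __name__ == "__main__":
    real, noise = triage_advisories(CALL_GRAPH, ["app.Main.main"], ADVISORIES)
    print("reachable:", real)
    print("not reachable from application code:", noise)
```

A manifest-based scanner would flag both advisories; the call-graph walk keeps only the one whose vulnerable method the application can actually execute.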
Speaker Bio
Joseph Hejderup is a Researcher and Software Engineer at Endor Labs and a PhD student at Delft University of Technology. He applies program analysis techniques to understand how we use third-party components and what risks they entail from a security and maintenance perspective.