Bugs Are Shallow: Finding Vulnerabilities in Top GitHub Projects
12-09, 16:40–17:25 (Europe/London), Clappy Monkey Track

Linus's law posits that "given enough eyeballs, all bugs are shallow". I wanted to put this to the test and efficiently find security bugs in top GitHub projects. In this talk I run through various ways of running queries over a large corpus of open source repos. We'll look at the pros and cons of using the new GitHub CodeSearch, BigQuery, grep.app, and simply ripgrepping all the cloned code on your local machine. I show how this led to a finding in the #1 most starred GitHub repo, freeCodeCamp, allowing me to gain every coding certification in a single request. The conclusion investigates how open source maintainers can benefit from this work.
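The last of the four approaches the abstract lists, searching locally cloned repositories, is the one that is easiest to show end to end. The following is an added example, not code from the talk or from any of the projects it names: a small corpus scanner that walks a directory of cloned repos (assumed layout: one repository per subdirectory under a root), applies a regex query line by line, skips vendored and build directories, binary files and oversized files, and reports matches per repository so a reviewer can triage by project. The sample corpus, the repository names (`repo-a`, `repo-b`) and the `eval(` query are constructed for illustration; in practice the root would be a directory populated by cloning the repositories you want to audit.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Directories that are almost always vendored or generated code; matches in
# them are noise when auditing a project's own source.
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build"}


@dataclass(frozen=True)
class Match:
    repo: str      # top-level directory name of the cloned repository
    path: str      # file path relative to the repository root
    lineno: int    # 1-based line number
    line: str      # matching line, whitespace-stripped


def search_corpus(root, pattern, extensions=None, max_bytes=1_000_000):
    """Run one regex query over every text file in every repository under root.

    extensions: optional set of suffixes such as {".js", ".ts"}; None scans all.
    max_bytes:  files larger than this are skipped (minified bundles, data dumps).
    """
    regex = re.compile(pattern)
    root = Path(root)
    matches = []
    for repo_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for dirpath, dirnames, filenames in os.walk(repo_dir):
            # Prune in place so os.walk never descends into skipped directories.
            dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
            for name in sorted(filenames):
                file = Path(dirpath) / name
                if extensions and file.suffix not in extensions:
                    continue
                try:
                    if file.stat().st_size > max_bytes:
                        continue
                    data = file.read_bytes()
                except OSError:
                    continue
                # Cheap binary heuristic, the same idea grep uses: a NUL byte
                # in the first block means this is not a source file.
                if b"\0" in data[:8192]:
                    continue
                text = data.decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    if regex.search(line):
                        matches.append(Match(repo_dir.name,
                                             str(file.relative_to(repo_dir)),
                                             lineno, line.strip()))
    return matches


def summarize(matches):
    """Count hits per repository, most hits first, for a quick triage list."""
    counts = {}
    for m in matches:
        counts[m.repo] = counts.get(m.repo, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample corpus (two tiny fake repositories), written to a temp dir.
SAMPLE_FILES = {
    "repo-a/src/app.js": b"const x = 1;\nconst out = eval(userInput);\n",
    "repo-a/node_modules/lib/index.js": b"eval(code);\n",        # vendored: skipped
    "repo-a/README.md": b"Never call eval(...) on user input.\n",  # docs, not .js
    "repo-b/server.js": (b"app.get('/', (req, res) => res.send(eval(req.query.q)));\n"
                         b"function safe() { return JSON.parse(body); }\n"),
    "repo-b/assets/logo.png": b"\x89PNG\r\n\x1a\n\x00eval(\x00",  # binary: skipped
}


def build_sample_corpus():
    root = Path(tempfile.mkdtemp(prefix="corpus-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    corpus = build_sample_corpus()
    hits = search_corpus(corpus, r"\beval\s*\(", extensions={".js", ".ts"})
    for m in hits:
        print(f"{m.repo}/{m.path}:{m.lineno}: {m.line}")
    print(summarize(hits))
```

The pruning of `SKIP_DIRS`, the binary check and the size cap are what keep a query over thousands of clones from drowning in vendored and minified code; the same filters are what `rg` applies by default (it honours `.gitignore` and skips binaries), so this mirrors the "ripgrep all the cloned code" workflow in a form you can adapt, for instance by emitting JSON for further triage.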

Laurence is an application security consultant with a broad range of interests. He is the co-founder of CryptoHack, a popular cryptography challenge platform. He got addicted to CTFs at university and has been learning as much as he can about web, cryptography, network, and infrastructure security since then. In his spare time he loves going on cycling and hiking trips.