Oops I ran it again, unearthing vulnerabilities in trusted tools

Presented at Kernelcon 2023, April 15, 2023, 1:30 p.m. (60 minutes)

We rely on a variety of security tools to do our jobs, but is it safe to run these tools on code or applications we do not trust or is it “Toxic” (In the Zone, 2003)? Over the last few years we have uncovered a variety of exploits in popular security tools including Code QL, Burp, Zap, and even humble SCA / SBOM tools like OWASP Dependency Check. Dealing with unsafe and untrusted code is not easy, you got to "Work B****" (Britney Jean, 2013). We hope to make you “Stronger” (Oops!... I Did It Again, 2000) by taking a closer look at how these tools work, and provide steps to minimize the risk posed by these exploits.

Presenters:

• Michael Kunz
  Mike is a UNO alumni, former speaker at Kernelcon, former winner of the Kernelcon CTF, and holds an Eternal Kernel badge.
• Matt Austin
  Matt is a husband, a dad, and a hacker with 13 years in security research and moonlighting BugBounty. Also fan of the video game Stray.

Similar Presentations:

• DeepSec 2019 „Internet of Facts and Fears“ / S.C.A.R.E. - Static Code Analysis Recognition Evasion
• AppSec USA 2015 / Security as Code: A New Frontier
• Texas Cyber Summit 2019 / BT-1050 Shining a Light on Shadow IT in the Cloud