Hiding in Plain Sight - The Untold Story of Hidden Vulnerabilities

Presented at BSidesLV 2023, Aug. 8, 2023, 6 p.m. (45 minutes)

In today's software development landscape, vulnerability scanners and SCA tools play a vital role in identifying potentially vulnerable software components and mitigating associated risks. However, their effectiveness remains questionable due to differences in implementation, coverage, and performance, as well as inherent blind spots that make them oblivious to critical vulnerabilities in real-world scenarios. In this talk, we will present the results of a groundbreaking benchmark and root cause analysis research that evaluated leading commercial and open-source vulnerability scanners and SCA tools. We will showcase the main causes of scanner misidentifications, including blind spots created by common build and deployment practices, and thousands of hidden vulnerabilities we identified in real-world applications, many of which are known to be exploited in the wild. Our findings expose a significant gap in the effectiveness of these tools and raise awareness about the need for objective evaluation criteria. Attendees will leave with a better understanding of the limitations of vulnerability scanners and SCA tools, as well as the importance of adopting more holistic approaches to software security.

Presenters:

  • Ofri Ouzan
    Ofri Ouzan is an experienced Security Researcher who has been working in the cybersecurity field for over four years. She specializes in conducting security research on various software platforms, including Linux, Windows, and other software, with a particular focus on vulnerability validation, remediation, mitigation, and exploitation. In addition to her research expertise, Ofri also develops automation tools in Python and Bash. One of Ofri's notable achievements is the development of the MI-X open-source tool, which she presented on the Black Hat Arsenal stage at both the Black Hat USA 2022 and Black Hat Europe 2022 events.
  • Yotam Perkal
    Yotam leads the vulnerability research team at Rezilion, focusing on research around vulnerability validation, mitigation, and remediation. He is passionate about cyber security and machine learning and is especially intrigued by the intersection between the domains, whether it be using ML to help solve cyber security challenges or exploring the challenges in securing ML applications. Prior to Rezilion, Yotam filled several roles in PayPal's Security organization, dealing with vulnerability management, threat intelligence, and insider threat. Additionally, Yotam is a member of the PyCon Israel organizing committee and takes part in several OpenSSF working groups around open-source security as well as several CISA workstreams around SBOM and VEX.
