Alvaro Muñoz (@pwntester) works as a Staff Security Researcher with GitHub Security Lab. His research focuses on different programming languages and web application frameworks, searching for vulnerabilities or unsafe uses of APIs. Before joining the research field, he worked as an Application Security Consultant helping enterprises deploy their application security programs. Muñoz has presented at many security conferences including DEF CON, RSA, AppSecEU, Protect, DISCCON, etc., holds several InfoSec certifications, including OSCP, GWAPT and CISSP, and is a proud member of the int3pids CTF team. He blogs at http://www.pwntester.com.
How Variant Analysis helped secure the fight against COVID-19
In security, ‘variant analysis’ is the process of searching for variants of known vulnerabilities. This used to be done with grep and painstaking manual code audits, but it can be automated with a powerful semantic query language like CodeQL. I will show how we performed a variant analysis using CodeQL that started by analyzing a vulnerability in Nexus Repository Manager and ended up finding many other critical vulnerabilities, including a Remote Code Execution (RCE) in Germany’s Corona-Warn-App (Germany’s contact-tracing app). Finally, I’ll explain the factors that must come together to drive the adoption, scalability, and success of such technology.