#70

A Recipe for Scaling Security from Google

I am passionate about finding bugs and, since you are reading this, you probably are, too. However, the truth is that on the scale of a huge company, fixing one bug is only one of a thousand steps that you would have to take to be secure. To take bigger steps than one...

cvemap from ProjectDiscovery

How many CVEs do you think were issued last year? 100? 1,000? 10,000? No, 24,804. Or 68 per day. That means “a” CVE doesn’t mean much. We need to find “the” CVE. cvemap from ProjectDiscovery is there to help us. It indexes CVEs along with attributes like the...

Forging signed commits on GitHub

I find reports like this one very satisfying. In short, in GitHub’s commit signing flow there were two different components: one of them extracted the author’s email regardless of whether there was a username, while the regex in the other component only accepted...

Useful tricks to debug an app inside docker

Without question, the best way to analyse an open source target is by debugging. However, it doesn’t come without a cost. I get shivers when I think about installing a proper Ruby version with all its gems. In fact, as I write this, I already have an OpenSSL...