Source code

Useful tricks to debug an app inside docker

Without question, the best way to analyse an open source target is by debugging. However, it doesn’t come without a cost. I get shivers when I think about installing a proper Ruby version with all its gems. In fact, when writing this, I already have an OpenSSL...

Finding Vulnerabilities with MRVA CodeQL

Some time ago, CodeQL gained MRVA, which allows running CodeQL queries across multiple repositories. I’ve been procrastinating on running some queries for a long time, but the author of this article - Maiky - didn’t procrastinate and described the process of finding...

Source code review – catching low-hanging fruit

Manual source code review is tedious and often takes a long time. Although tools will never replace a human, utilising tools is simply a smart thing to do. Sometimes you will be lucky and get a bug straight away. I’ve been lucky with it recently. Most of the...

Secure Code Game

GitHub Security Lab has created a secure code game that allows developers to learn how to secure intentionally vulnerable code. It's definitely worth trying out, especially for those who have been asking me how to get started with code review!...

How to avoid being overwhelmed when reviewing the code?

The beginning of a new project can be very overwhelming - you don’t know what your target does, what technologies it uses, and you have no idea what bugs you should expect. The source code, although it generally helps, can sometimes be even more confusing. Especially if,...

CodeQL learning path

CodeQL is a code scanner that sits somewhere between static analysis - where a scanner just analyses the code as text - and dynamic analysis - where the scanner actually executes the application and sends payloads. CodeQL understands the code and the flow of the...