Topic: “Vulnerability Reachability Analysis Using OSS Tools.” This 90-minute live, hands-on workshop will be held on Thursday, March 28, 5:30pm at WeWork Office Space & Coworking, 12130 Millennium Dr #300, Los Angeles
Instructor: Deepfactor CTO & Founder, Mike Larkin. Mike is also a contributor to OpenBSD, working on hypervisors, low-level platform code, and security. Mike is also an adjunct faculty member at San Jose State University, where he teaches application security technologies and virtualization.
Deepfactor is pleased to be sponsoring this gathering. You can register here.
Abstract
New vulnerabilities are disclosed every day in dependencies that you or your team may be using. But how do you know if you are actually using the vulnerable code? This workshop will show you how to use two different types of tools to analyze reachability, (1) static call graphs and (2) runtime analysis, and help you decide whether a vulnerability needs to be prioritized based on how your own code uses the dependency.
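A minimal illustration of the static call-graph approach described above, added here as an example and not part of the workshop materials: it parses a constructed Python module, builds an intra-module call graph, and asks whether a hypothetical vulnerable dependency function (`lib.unsafe_load`, a placeholder name, not a real advisory) is reachable from `main()`.

```python
import ast
from collections import defaultdict, deque

# Constructed sample application. "lib" and its two functions are placeholders;
# unsafe_load stands in for a function named in some advisory.
APP_SOURCE = """
import lib

def load_config(path):
    with open(path) as f:
        return lib.safe_load(f.read())

def admin_debug(blob):
    return lib.unsafe_load(blob)   # defined but never called from main()

def main():
    return load_config("app.yml")
"""

def _callee_name(func):
    # Resolve a call target to "name" or "base.attr" (e.g. lib.unsafe_load).
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _callee_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return None

def build_call_graph(source):
    # Map each function definition to the set of call targets inside its body.
    graph = defaultdict(set)
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    callee = _callee_name(sub.func)
                    if callee:
                        graph[node.name].add(callee)
    return graph

def is_reachable(graph, entry, target):
    # Breadth-first search from an entry point to the vulnerable symbol.
    seen, queue = {entry}, deque([entry])
    while queue:
        fn = queue.popleft()
        if fn == target:
            return True
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False

GRAPH = build_call_graph(APP_SOURCE)
```

A static graph like this cannot see dynamic dispatch, reflection, or callbacks registered at runtime, which is exactly the gap the runtime-analysis tools in the workshop are meant to close.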
Workshop Overview
The workshop will be broken into several modules; introductory modules will cover the workshop organization and administrative matters (installing and configuring the tools used in the workshop). Subsequent modules will give an outline of what vulnerability reachability is and why it is important and compare/contrast the two main ways of understanding reachability (static call graphs and runtime analysis).
Next, the workshop will present two short exercises, intended for the attendees to gain hands-on experience using both types of tools against real applications with real vulnerabilities. Interpreted languages (Java) and compiled languages (C/C++/Go) will be covered. The following module will then walk through how to interpret the results obtained from the exercises and draw conclusions. The languages chosen are merely representative; the skills learned in the workshop are equally applicable to other languages.
The workshop will conclude with two modules: a short overview of commercial tools, and a conclusion/wrap-up/Q&A session.