Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Patching common vulnerabilities at scale: project promises bulk pull requests

Researchers are trialing methods to scale up the ability to roll out security fixes for vulnerable components across the open source ecosphere.

Tools such as CodeQL (GitHub’s code query language) enable scans for vulnerabilities across hundreds of thousands of open source software projects.

These utilities can be used to systematically identify basic security flaws – common bugs with relatively simple fixes – in projects hosted on GitHub and similar platforms.

Such low-lying bugs are legion and straightforward to find and fix, so the real difficulty for those seeking to bolster security comes from the difficulties involved in triaging, reporting, and fixing.

Rather than automating the creation of bug reports, which might easily put an extra burden on the maintainers of an open source project, security researcher Jonathan Leitschuh is helping to define and test a methodology to partially automate pull requests at scale.

During a recent series of talks first delivered at BSides Las Vegas and then during DEF CON last month, Leitschuh outlined a methodology for automating bulk pull request generation. The talk was entitled ‘Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All’.

The HUMAN factor

Leitschuh, the inaugural Dan Kaminsky Fellow at HUMAN Security, has carried out a research project that involved creating tools and techniques to industrialize the development of security fixes for open source software.

If widely used, the approach would mean that if a component used by multiple projects is found to be vulnerable, then protect maintainers would be promptly offered a pull request that patches the problem.

Leitschuh and his colleagues started off using Python scripts to make a number of pull requests to open source projects found vulnerable to the so-called ‘Zip Slip’ vulnerability.

More recently they have refined this methodology to make use of OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne).

In total, Leitschuh has used the technique described in his talk to create 590 automated pull requests targeting Zip Slip (a vulnerability in the JVM ecosystem) and two other vulnerabilities (partial path traversal and temporary directory hijacking). These bring his career total of pull requests to 5,200.

Leitschuh told The Daily Swig that feedback from project maintainers about receiving automated pull requests had been mixed.

“The feedback I’ve gotten has been mixed. Lots of appreciative maintainers, and a few maintainers [were] upset,” the researcher explained.

“The Jenkins team has outright asked me not to issue [pull requests] against their organization.”

‘Inspiring’ follow-up research
The automated pull request approach omits unit tests that software developers like to see to verify that suggested amendments to their code base avoid breaking any functionality. In addition, the automated approach means that disclosures are made openly – an issue for eligibility under some, but not all, bug bounty programs.

Advertisement. Scroll to continue reading.

Despite these potential drawbacks, feedback from security researchers about the automated pull request approach has largely been positive, according to Leitschuh.

The researcher concluded: “Responses from other security researchers [have been] generally quite positive. The value proposition is very easy to see when the idea is presented. I’ve inspired a few people to take on this research themselves for their own work, too.”

Source: https://portswigger.net/daily-swig/patching-common-vulnerabilities-at-scale-project-promises-bulk-pull-requests

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO