My name is Jonathan Leitschuh and I'm an Open Source Software Security Researcher. I'm also a GitHub Star, GitHub Security Ambassador, & the first ever Dan Kaminsky Fellow @ HUMAN Security. I'm also a speaker at conferences like ShmooCon, BSides CT, BSides LV, Black Hat, & DEF CON. I'm fortunate to have been featured by GitHub's ReadME Project!
If you'd like to get in touch, the best way is to DM me on Twitter @JLLeitschuh.
Public Vulnerability Research
Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All
Imagine a world where a security researcher becomes aware of a security vulnerability impacting thousands of Open Source Software (OSS) projects and is able to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new; we've known about them for years, but they're everywhere!
The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.
When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.
This work is sponsored by the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.
- BSides LV - August 2022 - BG - Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All
- Black Hat - August 2022 - Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All
- DEF CON - August 2022 - DEF CON 30 - Jonathan Leitschuh - Scaling the Security Researcher to Eliminate OSS Vulnerabilities
- SEC-T Stockholm - September 2022 - SEC-T 0x0E: Jonathan Leitschuh - Scaling the Security Researcher to Eliminate OSS Vulnerabilities
- ⭐ No Hat - Bergamo, Italy - October 2022 - No Hat 2022 - Jonathan Leitschuh - Scaling the Security Researcher to Eliminate OSS Vulnerabilities ⭐
- Code Blue, Tokyo Japan - October 2022
- GitHub Universe - November 2022 - Scaling the security researcher to eliminate OSS vulnerabilities once and for all - Universe 2022
Zoom 0-Day: How not to handle a Security Vulnerability Report
Come hear the hilarious story of Zoom’s biggest security scandal, a bombshell 0-Day vulnerability, from the one who dropped it.
On July 8th, 2019, a 0-Day vulnerability was disclosed against Zoom that showed how anyone could join a victim's Mac to a video call simply by having them visit a malicious website. As if that wasn't enough, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. The icing on the cake? A full-blown RCE vulnerability.
From Zoom's original claim that it was "not a vulnerability", through what happened behind the scenes, to their eventual fix, come hear what we as security professionals can learn from this debacle. The press might have covered the disclosure, but the post-disclosure story is even more astonishing than anyone would expect.
- BSides CT - November 2019 - Zoom 0-Day: How not to handle a vuln report - Jonathan Leitschuh - BSides CT 2019
- ShmooCon - February 2020 - Zoom 0-Day: How Not to Handle a Vulnerability Report - Jonathan Leitschuh (Shmoocon 2020)