The Open Source Fortress
Regardless of where it is hosted, a codebase can end up in the hands of malicious actors. Beyond the open source scenario, attackers may use sophisticated techniques to access and download it. One example is Okta's 2022 breach, in which the source code of the identity and access management platform was obtained from GitHub.
Developers are advised to adopt a shift-left approach, uncovering as many code flaws as possible before the code is released to the public.
"The Open Source Fortress" will provide a framework for detecting vulnerabilities in codebases using open source tools. The examples involve discovering vulnerabilities in a custom, purposefully vulnerable codebase written in C and Python. Static techniques such as symbolic execution, secret scanning, code querying, and dependency scanning will be discussed, as will dynamic techniques such as fuzzing.