8 March, 2021

Alvaro Muñoz (@pwntester) works as Staff Security Researcher with GitHub Security Lab. His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the research field, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many security conferences including DEF CON, RSA, AppSecEU, Protect, DISCCON and many others. In december 2020 he was part of the Java2Days and CodeMonsters conferences.

You are a Staff Security Researcher at GitHub Security Lab. Can you describe more about your job and the challenges?

Yes, of course. The Github Security Lab was created 1 year ago, I think more or less exactly one year ago as part of an initiative by Github to help secure open Source software.

We are a team of around 10 people who mostly look for vulnerabilities in high profile open source projects by using different techniques.

For example, I use more static analyses, and other people in my team use other techniques. Also, we want to help developers understand security.

So part of our mission is not just to find bugs and report them which is an important part of our mission but also to promote and write blog posts and content around how to build secure software and how to help identify vulnerabilities in our projects.

So it is mainly about securing Open Source Projects from GitHub which is the platform where more than 80% of the open-source software is hosted.

What brought you to the Java2Days and CodeMonsters conference and what do you think about the event?

So this is actually my second time presenting here, the first time was I think two or three years ago. I was in a different company, Fortify, which was a different static analyses vendor. I was invited to present some research that I did that was presented at one of the most important security conferences, which are DevCon and Black Hat. I was invited to present the same content here at Java2Days and CodeMonsters. I really enjoyed my experience, so I am keeping in contact with the organisers and I told them that if they need or want me to present anything and help them with the organisation or presentations I am there to help them. So they reached out to me to see if I am interested to present this year again in this virtual edition of Java2Days and I was like: “Sure!”. I am missing all the activities that are organised for the speakers and the actual travel, but it’s always good to help.

And also when I was presenting a few years ago, there were maybe a hundred people at the talk. Now during this virtual edition I am seeing that there were talks with 300-1300 viewers. So this is also a great opportunity to expand our message. During the physical conferences we don’t have that rich audience, and now I am impressed by their number.

Exactly, you can join literally from everywhere! So, you are doing a lecture “How variant analysis helped secure the fight against COVID-19, which is a really interesting topic. First of all, can you describe the definition of variant analyses?

Variant analysis is the process of using a known vulnerability to find similar problems in your code. SO you find a bug or some security vulnerabilities which is normally a manual process that takes hours, days or even weeks of the security researcher looking through the source code in order to understand it and find a vulnerability or a pattern. Then once you find a vulnerability, these bugs don’t normally occur in isolation. So it’s really rare to find a bug that is only specific to your codebase. So the idea with variant analysis is to be able to model that knowledge that you got through finding that vulnerability and be able to express that in a query so you can reproduce that same process of finding the vulnerability but automate that in a way that you can do it in hundreds or thousands of projects at the same time. So yes, you find the vulnerability and then you want to find all the instances of the same vulnerability. So often as a vendor or as an open source product maintainer you receive reports about security vulnerabilities in your software and then you fix them but maybe there are similar instances of the same vulnerability that are still in the source code. Because the security researcher only reported one you may leave the application open to similar ones that were not found by this security researcher. So the idea with variant analysis is to take that knowledge from the security researcher, dump it in some kind of query and then run that query in your source code to find all the instances of that vulnerability. I was reviewing some vulnerability that I found in Nexus, that is the repository manager from Sonatype and then by performing a root cause analysis I understood what was the issue with that vulnerability. Then I was able to code that pattern into our query with code QL which is our query language that I will introduce in the lecture. I was able to run that query on multiple Open source projects in GitHub and I found many of them to be vulnerable so we were responsible for disclosing all these vulnerabilities to the open source maintainers. One of them was in the Corona-warn app which is the contact tracing application that they use in Germany for tracing the Corona virus and how you may get exposed to other people that tested positive. The same vulnerability that was affecting Nexus two years ago, once we were able to encapsulate and encode some knowledge to our query just by running that in multiple applications we were able to detect that these applications that were developed in May or April were also vulnerable to the same pattern. We were able to get root access to these servers that were hosting the infrastructure of the COVID-19 efforts by Germany.