Podcasts about Static analysis

  • 84 podcasts
  • 117 episodes
  • 43m average duration
  • 1 new episode monthly
  • Latest: Mar 20, 2025


Latest podcast episodes about Static analysis

PodRocket - A web development podcast from LogRocket
Moving to ESM from CJS with Anthony Fu

Mar 20, 2025 (25:10)

Anthony Fu, Framework Developer at Nuxt Labs, discusses the shift to ESM-only formats in JavaScript development. He covers the controversy surrounding ESM, the advantages of moving from CJS to ESM, and what this transition means for the future of web development. Tune in to learn why now is the ideal time for this change, and how it benefits developers!

Links: https://antfu.me https://bsky.app/profile/antfu.me https://github.com/antfu https://x.com/antfu7 https://www.linkedin.com/in/antfu https://antfu.me/posts/move-on-to-esm-only

We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Let us know by sending an email to our producer, Emily, at emily.kochanekketner@logrocket.com, or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod).

Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we'll send you free PodRocket stickers!

What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today (https://logrocket.com/signup/?pdr).

Special Guest: Anthony Fu.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Monday Mar 17th 2025: Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation

Mar 18, 2025 (7:03)

Static Analysis of GUID Encoded Shellcode
Didier explains how to decode shellcode embedded as GUIDs in malware, and how to feed the result to his tool 1768.py, which will extract Cobalt Strike configuration information from the code. https://isc.sans.edu/diary/Static%20Analysis%20of%20GUID%20Encoded%20Shellcode/31774

SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries
xml-crypto, a library used in Node.js applications to decode XML and support SAML, has been found to parse comments incorrectly, leading to several SAML vulnerabilities. https://workos.com/blog/samlstorm

One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
A deserialization vulnerability in Tomcat that was only just made public is already being exploited. Contributing to the rapid exploit release is the similarity of this vulnerability to other Java deserialization vulnerabilities. https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/ CVE-2025-24813

CSS Abuse for Evasion and Tracking
Attackers are using cascading stylesheets to evade detection and enable more stealthy tracking of users. https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/

Software Engineering Radio - The Podcast for Professional Software Developers
SE Radio 650: Robert Seacord on What's New in the C Programming Language

Jan 8, 2025 (50:00)

Robert Seacord, the Standardization Lead at Woven by Toyota, the convenor of the C standards committee, and author of The CERT® C Coding Standard, Effective C, and Secure Coding in C and C++, speaks with SE Radio host Gavin Henry about What's New in the C Programming Language. They start with a review of the history of C and why it has a standard, and then they discuss what C23 brings and how programmers can take advantage of it. They consider the sectors in which C is most used and whether you should use C to start a brand new project in 2025. Seacord discusses 8 new things that C23 brings, use case examples, must haves, floating point numbers, how automotive systems use C, why C is used there, Rust vs C, compile time checks vs static analysis, all the various safety standards they can use, why you should use the right tool for the job and never trust user input no matter the language.  Brought to you by IEEE Computer Society and IEEE Software magazine.

Open Source Security Podcast
Episode 455 - Wordpress plugin security

Nov 18, 2024 (35:38)

Josh and Kurt talk about the way WordPress vets their plugins. While WordPress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more.

Show Notes: Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch; Kurt's Plugin

Boston Computation Club
11/17/24: When Static Analysis Meets Large Language Models with Chengpeng Wang

Nov 18, 2024 (57:23)

Chengpeng Wang works with Prof. Xiangyu Zhang. His research focuses on program analysis, especially software analysis, and in particular how existing analysis techniques intersect with emerging approaches from AI such as Large Language Models. Today Chengpeng joined us to talk about his recent NeurIPS paper proposing a novel static analysis technique based on LLMs. The technique is very interesting and highly informed by prior works in the static analysis space, but leverages LLMs as a kind of "oracle" to solve problems which, when handled statically, quickly become untenable. This was a really interesting talk and we're very grateful that Chengpeng took time out of his Sunday afternoon to talk to us!

Day[0] - Zero Days for Day Zero
Static Analysis, LLMs, and In-The-Wild Exploit Chains

Nov 11, 2024 (82:02)

Methodology is the theme of this week's episode. We cover posts about static analysis via CodeQL, as well as a novel blackbox binary querying language called QueryX. Project Zero also leverages Large Language Models to successfully find a SQLite vulnerability. Finally, we wrap up with some discussion on Hexacon and WOOT talks, with a focus on Clem1's In-The-Wild exploit chains insights via Google's Threat Analysis Group. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/262.html

[00:00:00] Introduction
[00:00:35] Discovering Hidden Vulnerabilities in Portainer with CodeQL
[00:18:12] Finding Vulnerabilities in Firmware with Static Analysis Platform QueryX
[00:28:25] From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code
[00:50:00] Hexacon2024 - Caught in the Wild, Past, Present and Future by Clem1
[01:06:34] Hexacon 2024 Videos
[01:11:34] WOOT 2024 Videos
[01:18:38] Securing the open source supply chain: The essential role of CVEs
[01:20:19] A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities

Podcast episodes are available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9

Absolute AppSec
Episode 265 - w/ Scott Norberg - Static Analysis

Oct 31, 2024

Scott Norberg joins Ken Johnson and Seth Law for an episode of Absolute AppSec all about SAST. Scott is an ASP.NET Security Consultant, Author, Researcher and Speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as Lead Application Security Engineer at Gallagher and was a Senior Consultant with the AppSec team at Coalfire. He has been a web security specialist for nearly two decades, and holds several certifications, including Microsoft Certified Technology Specialist (MCTS) certifications for ASP.NET and SQL Server, and the Certified Information Systems Security Professional (CISSP) and CCSP certifications. He also has an MBA from Indiana University. To find out more about Scott, check out his website https://scottnorberg.com/ as well as his 2020 book Advanced ASP.NET Core Security Vulnerabilities.

No Compromises
A balanced approach to static analysis in Laravel apps

Oct 15, 2024 (11:59)

Static types and tooling have increased the quality of our apps, but sometimes certain features in your Laravel app don't play nicely with static analysis. In today's episode, we talk about how we approach the tradeoffs around making a tool happy without changing how you write code.

(00:00) - Our approach to static analysis in a Laravel app
(01:30) - Using PHPDoc inline
(03:00) - When Laravel doesn't quite give you the type you want
(05:00) - A different approach than inline types
(06:30) - Are you just making the tool happy?
(07:45) - An example of going too far
(10:10) - Silly bit

Check out the newly published volumes of Laravel tips. Collect them all!

go podcast()
Toying with static analysis of HTML templates

Sep 30, 2024 (36:23)

After the last episode with the Templ maintainers I was really pumped to try Templ and see if it would work for me. Without spoiling too much, I believe it would have been easier to start from scratch with Templ vs. trying to migrate an existing project.

This led me to try and see if I could add static analysis of my templates in my library tpl. I don't really have a PoC yet, but I'm kind of getting close to it. If everything continues, I should be able to catch errors in the use of wrong fields in templates, like typos in field names, that are caught at runtime at this moment.

Links: https://github.com/dstpierre/tpl

Also, if you want to support this show, this is a 50% discount on my courses: Build SaaS apps in Go and Build a Google Analytics in Go.

Les Cast Codeurs Podcast
LCC 315 - temperatures are not deterministic

Sep 17, 2024 (110:08)

JVM summit, virtual threads, application stacks, licences, determinism and LLMs, quantization, two tools of the episode and much more.

Recorded on 13 September 2024

Download the episode: LesCastCodeurs-Episode–315.mp3

News

Languages

Netflix uses Java heavily and ran into a problem with virtual threads in Java 21. Netflix engineers analyse this problem in this article: https://netflixtechblog.com/java–21-virtual-threads-dude-wheres-my-lock–3052540e231d
  • Virtual threads can improve performance but pose challenges.
  • A locking problem was identified: virtual threads block each other.
  • This leads to degraded performance and instability.
  • Netflix is working to resolve these problems and take full advantage of virtual threads.

A syntax to indicate that a type is nullable or null-restricted may be coming to Java https://bugs.openjdk.org/browse/JDK–8303099
  • Foo! would forbid null
  • Foo? would indicate that null is accepted
  • Foo?[]! would be a non-null array of nullable values
  • There are also syntax ideas for initialising null-restricted arrays
  • JEP: https://openjdk.org/jeps/8303099

The JVM Language Summit 2024 videos are online https://www.youtube.com/watch?v=OOPSU4LnKg0&list=PLX8CzqL3ArzUEYnTa6KYORRbP3nhsK0L1
  • Project Leyden Update
  • Project Babylon - Code Reflection
  • Valhalla - Where Are We?
  • An Opinionated Overview on Static Analysis for Java
  • Rethinking Java String Concatenation
  • Code Reflection in Action - Translating Java to SPIR-V
  • Java in 2024
  • Type Specialization of Java Generics - What If Casts Have Teeth? (with our very own Rémi Forax!)
  • also "tip or tail" for the whole ecosystem
  • a few links on Babylon: code reflection to express foreign languages (SQL) in Java: https://openjdk.org/projects/babylon/ and their example emulating LINQ https://openjdk.org/projects/babylon/articles/linq

Libraries

Micronaut releases version 4.6 https://micronaut.io/2024/08/26/micronaut-framework–4–6–0-released/
  • essentially a big update of tons of modules with the latest versions of their dependencies

MicroProfile 7 makes some incompatible changes and evolutions https://microprofile.io/2024/08/22/microprofile–7–0-release/#general
  • removes Metrics and replaces it with Telemetry (metrics, logs and tracing)
  • Metrics remains a spec, but standalone
  • MicroProfile 7 depends on the Jakarta Core Profile and no longer packages it
  • MicroProfile OpenAPI 4 and Telemetry 2 bring incompatible changes

Quarkus 3.14 with Let's Encrypt and reflection-free Jackson serializers https://quarkus.io/blog/quarkus–3–14–1-released/
  • Hibernate ORM 6.6
  • Jackson serializers without reflection
  • install Let's Encrypt certificates simply (notably with a helpful command line, and with ngrok to tunnel to your localhost)
  • backpedalling on @QuarkusTestResource vs @WithTestResource following reports of OOMEs and slow tests when tests are better isolated

Structured logging in Spring Boot 3.4 https://spring.io/blog/2024/08/23/structured-logging-in-spring-boot–3–4
  • Structured logs (often in JSON) let you easily ship them to backends such as Elastic or AWS CloudWatch, and hook them up to reporting and alerting.
  • Spring Boot 3.4 supports structured logging by default. It supports the Elastic Common Schema (ECS) and Logstash formats, but can also be extended with your own formats.
  • You can also enable structured logging to a file. This can be used, for example, to print human-readable logs to the console and write structured logs to a file for machine ingestion.

Infrastructure

CockroachDB, which had a Business Source License approach (source available, then ALS 3 years later), now moves to a proprietary licence with source available https://www.cockroachlabs.com/blog/enterprise-license-announcement/
  • The Polyform project offers standardised licences according to free vs paid needs https://polyformproject.org/

Cloud

Azure Functions: how cold start is optimised https://www.infoq.com/articles/azure-functions-cold-starts/?utm_campaign=infoq_content&utm_source=twitter&utm_medium=feed&utm_term=Cloud
  • functions have a naturally high latency
  • not all long latencies impact the business
  • cold starts can be measured with the cloud provider's tools, so make use of them
  • work with latency percentiles
  • experience: 381 ms cold and 10 ms afterwards
  • tracing for end-to-end latency
  • the strategies: keep-alive pings (wake the function at regular intervals to stay "warm"); in the function code, initialise connections and load assemblies during initialisation; configure batching in host.json, disable file system logging, etc.; deploy functions as zips; reduce the size of the code and files (which are copied to the cold server); on .NET, enable ReadyToRun, which helps the JIT compiler; Azure instances with more CPU and memory cost more but lower the cold start; dedicated Azure instances for your functions (not shared with other tenants)
  • then shows concrete examples

Web

Vue.js 3.5 released https://blog.vuejs.org/posts/vue–3–5
Vue.js 3.5 key new features:
  • Performance and memory optimisations: significant reduction in memory consumption (–56%). Improved performance for large reactive arrays. Fixes for stale computed values and memory leaks.
  • New features: Reactive Props Destructure: simpler declaration of props with default values. Lazy Hydration: control over the hydration of async components. useId(): generation of stable unique IDs for SSR applications. data-allow-mismatch: suppression of hydration mismatch warnings.
  • Custom element improvements: support for app configuration, APIs to access the host and the shadow root, mounting without Shadow DOM, and nonce for tags.
  • useTemplateRef(): obtaining template refs via the useTemplateRef() API.
  • Deferred Teleport: teleporting content to elements rendered after the component has mounted.
  • onWatcherCleanup(): registering cleanup callbacks in watchers.

Data and Artificial Intelligence

We often hear about quantised Large Language Models, meaning that, for example, 8-bit integers are used rather than 32-bit floats to reduce GPU memory needs while keeping precision close to the original. This article explains the quantisation process very visually and intuitively: https://newsletter.maartengrootendorst.com/p/a-visual-guide-to-quantization

Guillaume continues sharing his adventures with the LangChain4j framework.
  • How to do text classification: https://glaforge.dev/posts/2024/07/11/text-classification-with-gemini-and-langchain4j/ using LangChain4j's TextClassification class, which uses a vector-embedding-based approach to compare similar texts
  • using few-shot prompting, in different variants, in this other article: https://glaforge.dev/posts/2024/07/30/sentiment-analysis-with-few-shots-prompting/
  • and also how to go multimodal with LangChain4j (with the Gemini model) to analyse text and images, but also videos, audio content or PDF files: https://glaforge.dev/posts/2024/07/25/analyzing-videos-audios-and-pdfs-with-gemini-in-langchain4j/

To vary the predictability or creativity of LLMs, certain hyperparameters can be adjusted, such as temperature, top-k and top-p. But do you really know how these parameters work? Two very clear and intuitive articles explain how they work: https://medium.com/google-cloud/is-a-zero-temperature-deterministic-c4a7faef4d20 https://medium.com/google-cloud/beyond-temperature-tuning-llm-output-with-top-k-and-top-p–24c2de5c3b16
  • temperature squashes the probability distribution of the next token, but variables remain: floating-point approximations, different stacks making these choices differently, what to do when two tokens have equal probability
  • but there are other approaches to configuring the LLM's responses: top-k (which avoids infrequent tokens), top-p to take the n tokens that total p% of the probability
  • temperature first, then top-k, then top-p
  • explains what to use when

The OSI proposes a definition of open source AI https://www.technologyreview.com/2024/08/22/1097224/we-finally-have-a-definition-for-open-source-ai/
  • big debates over recent months
  • usable for any purpose without needing permission
  • researchers can inspect the components and study how the system works
  • system modifiable for any objective, including changing its behaviour, and shareable with others with or without modification, whatever the use
  • defines levels of transparency (training data, source code, weights)

A long retrospective on PostgreSQL at insane volumes and its lock problems https://ardentperf.com/2024/03/03/postgres-indexes-partitioning-and-lwlocklockmanager-scalability/
  • an article to reassure you that you will probably never have the problem
  • told as a post-mortem
  • advice for avoiding these cliffs

Tooling

A first look at Gradle's future declarative notation https://blog.gradle.org/declarative-gradle-first-eap
  • an article explaining what this new declarative Gradle syntax looks like (in addition to Groovy and Kotlin)
  • Some videos show the support in Android Studio for now, as well as in an experimental tool, pending support in all IDEs
  • The idea is to avoid scripting and really have only a description of your build
  • This should improve Gradle support in IDEs and allow fast completion, etc.
  • is it just me, or do we have Maven here?

Firefox support in Puppeteer https://hacks.mozilla.org/2024/08/puppeteer-support-for-firefox/
  • Puppeteer, the browser automation library, now officially supports Firefox as of version 23.
  • This lets developers write automation scripts and run end-to-end tests on Chrome and Firefox interchangeably.
  • Firefox integration in Puppeteer relies on WebDriver BiDi, a cross-browser protocol being standardised at the W3C.
  • WebDriver BiDi eases support for multiple browsers and paves the way for simpler, more efficient automation.
  • Puppeteer's main features, such as log capture, device emulation, network interception and script preloading, are now available for Firefox.
  • Mozilla sees WebDriver BiDi as an important step towards a better cross-browser testing experience.
  • Experimental CDP (Chrome DevTools Protocol) support in Firefox will be removed at the end of 2024 in favour of WebDriver BiDi.
  • Although Firefox is officially supported, some APIs remain unsupported and will be the subject of future work.

Guillaume created a @Retry annotation for JUnit 5, to retry the execution of a "flaky" test https://glaforge.dev/posts/2024/09/01/a-retryable-junit–5-extension/
  • Guillaume had not found a built-in extension in JUnit 5 to replace JUnit 4's Retry rules
  • But on social media an interesting discussion followed, with links to extensions implementing this approach
  • Such as JUnit Pioneer, which offers plenty of useful extensions https://junit-pioneer.org/docs/retrying-test/
  • Or the rerunner extension https://github.com/artsok/rerunner-jupiter
  • Arnaud also suggested configuring Maven Surefire to automatically rerun failed tests https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html
  • the philosophical question is: are intermittently failing tests tolerable?

Architecture

A former GraphQL fan is done with GraphQL and considers the alternatives https://bessey.dev/blog/2024/05/24/why-im-over-graphql/
  • GraphQL's problems. Security: authorisation attacks, difficulty of rate limiting, analysis of malicious queries. Performance: the N+1 problem (data fetching and authorisation), memory impact when parsing invalid queries. Increased complexity: coupling between business logic and the transport layer, difficulty of maintenance and testing.
  • Solutions considered: adopting REST APIs conforming to OpenAPI 3.0+; better documentation and type safety; tools to generate typed client/server code. Two approaches to implementing OpenAPI: "Implementation first" (generating the specification from the code) and "Specification first" (generating the code from the specification).
  • interesting feedback from someone who doesn't use GraphQL day to day. These were problems that were supposed to be fixed as the ecosystem and tools matured, but it showed its limits for this person.

Presentation by Grace Hopper in 1980 on the future of computers. https://youtu.be/AW7ZHpKuqZg?si=w_o5_DtqllVTYZwt
  • it's crazy how modern what she describes is
  • Problems we still have today
  • positive leadership
  • She describes the advantage of systems made of several computers
  • recently declassified

Leader election with conditional writes on S3/GCS/Azure buckets https://www.morling.dev/blog/leader-election-with-s3-conditional-writes/
  • Leader election is the process of choosing one node among several to perform a task.
  • Traditionally, leader election is done with a distributed lock service such as ZooKeeper.
  • Amazon S3 recently added support for conditional writes, which enables leader election without a separate service.
  • The leader election algorithm works by having the nodes compete to create a lock file in S3.
  • The lock file includes an epoch number, which is incremented each time a new leader is elected.
  • Nodes can determine whether they are the leader by listing the lock files and checking the epoch number.
  • beware, there may be several elected leaders (clocks that have drifted), so that has to be handled too

Methodologies

Guillaume Laforge interviewed by Sfeir, where he talks about the importance of curiosity, of sharing, of code quality, sprinkled with a few photos of the Cast Codeurs! https://www.sfeir.dev/success-story/guillaume-laforge-maestro-de-java-et-esthete-du-code-propre/

Security

How CrowdStrike brought Windows and many companies to their knees https://next.ink/144464/crowdstrike-donne-des-details-techniques-sur-son-fiasco/
  • the incident comes from a configuration update of Falcon, CrowdStrike's EDR https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
  • what is an EDR? An Endpoint Detection and Response system monitors your machine (network access, logs, ...) to detect unusual usage. This spy must interact with the low layers of the system (network, sockets, system logs) and therefore hooks in at the operating system kernel level. It reports information live to a platform, which can then adapt the responses live
  • although the incident lasted less than 1h30 on CrowdStrike's side, more than 8 million machines ended up out of service, stuck on the Blue Screen Of Death, according to Microsoft https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/
  • this is not the first time: it had already happened a few months ago on Linux. Since it was a kernel incompatibility, it mattered less, because IT departments handle these problems better on Linux https://stackdiary.com/crowdstrike-took-down-debian-and-rocky-linux-a-few-months-ago-and-no-one-noticed/

The CIS Benchmarks, a pillar of the security of our cloud environments, and not only! (Katia HIMEUR TALHI) https://blog.cockpitio.com/security/cis-benchmarks/
  • The CIS is a non-profit organisation that develops standards to improve cybersecurity.
  • The CIS Benchmarks are a set of recommendations and best practices for securing IT systems.
  • They can be used to harden security, comply with regulations and standardise practices.

Law, society and organisation

Microsoft signs an agreement with OVHCloud so that they drop their antitrust complaint https://www.politico.eu/article/microsoft-signs-antitrust-truce-with-ovhcloud/
  • the complaint was in Europe
  • allows customers to deploy Microsoft solutions more easily at the cloud provider of their choice
  • the complaint had been filed in summer 2021
  • it made running MS solutions more expensive and uncompetitive compared with MS

Elasticsearch and Kibana are open source again, adding the AGPL licence to their other existing licences https://www.elastic.co/fr/blog/elasticsearch-is-open-source-again
  • the market of three years ago and today's have changed
  • AWS is a good partner
  • the confusion between Elasticsearch and AWS's product has cleared up
  • hence the return to open source via the AGPL, the Affero GPL
  • Elastic never stopped believing in open source, according to its founder Shay Banon
  • The change to the AGPL is an additional option, not a replacement of any of the other existing licences
  • and right after, Elastic announces disappointing results, sending its stock down 25% https://siliconangle.com/2024/08/29/elastic-shares-plunge–25-lower-revenue-projections-amid-slower-customer-commitments/
  • https://unrollnow.com/status/1832187019235397785 and https://www.elastic.co/pricing/faq/licensing for a summary of Elastic's licences

Tools of the episode

MailMate, a Markdown email client that handles lots of email https://medium.com/@nicfab/mailmate-a-powerful-client-email-for-macos-markdown-integrated-email-composition-e218fe2accf3
  • Emmanuel uses it on his secondary mailboxes
  • a bit slow to start (sync), and the rest is fast
  • virtual mailboxes (per query)
  • SpamSieve
  • macOS only, I think

Trippy, a network analyser https://github.com/fujiapple852/trippy
  • It combines traceroute and ping in a single CLI

Conferences

The list of conferences from Developers Conferences Agenda/List by Aurélie Vache and contributors:
  • 17 September 2024: We Love Speed - Nantes (France)
  • 17–18 September 2024: Agile en Seine 2024 - Issy-les-Moulineaux (France)
  • 19–20 September 2024: API Platform Conference - Lille (France) & Online
  • 20–21 September 2024: Toulouse Game Dev - Toulouse (France)
  • 25–26 September 2024: PyData Paris - Paris (France)
  • 26 September 2024: Agile Tour Sophia-Antipolis 2024 - Biot (France)
  • 2–4 October 2024: Devoxx Morocco - Marrakech (Morocco)
  • 3 October 2024: VMUG Montpellier - Montpellier (France)
  • 7–11 October 2024: Devoxx Belgium - Antwerp (Belgium)
  • 8 October 2024: Red Hat Summit: Connect 2024 - Paris (France)
  • 10 October 2024: Cloud Nord - Lille (France)
  • 10–11 October 2024: Volcamp - Clermont-Ferrand (France)
  • 10–11 October 2024: Forum PHP - Marne-la-Vallée (France)
  • 11–12 October 2024: SecSea2k24 - La Ciotat (France)
  • 15–16 October 2024: Malt Tech Days 2024 - Paris (France)
  • 16 October 2024: DotPy - Paris (France)
  • 16–17 October 2024: NoCode Summit 2024 - Paris (France)
  • 17–18 October 2024: DevFest Nantes - Nantes (France)
  • 17–18 October 2024: DotAI - Paris (France)
  • 30–31 October 2024: Agile Tour Nantais 2024 - Nantes (France)
  • 30–31 October 2024: Agile Tour Bordeaux 2024 - Bordeaux (France)
  • 31 October 2024–3 November 2024: PyCon.FR - Strasbourg (France)
  • 6 November 2024: Master Dev De France - Paris (France)
  • 7 November 2024: DevFest Toulouse - Toulouse (France)
  • 8 November 2024: BDX I/O - Bordeaux (France)
  • 13–14 November 2024: Agile Tour Rennes 2024 - Rennes (France)
  • 16–17 November 2024: Capitole Du Libre - Toulouse (France)
  • 20–22 November 2024: Agile Grenoble 2024 - Grenoble (France)
  • 21 November 2024: DevFest Strasbourg - Strasbourg (France)
  • 21 November 2024: Codeurs en Seine - Rouen (France)
  • 27–28 November 2024: Cloud Expo Europe - Paris (France)
  • 28 November 2024: Who Run The Tech ? - Rennes (France)
  • 2–3 December 2024: Tech Rocks Summit - Paris (France)
  • 3 December 2024: Generation AI - Paris (France)
  • 3–5 December 2024: APIdays Paris - Paris (France)
  • 4–5 December 2024: DevOpsRex - Paris (France)
  • 4–5 December 2024: Open Source Experience - Paris (France)
  • 5 December 2024: GraphQL Day Europe - Paris (France)
  • 6 December 2024: DevFest Dijon - Dijon (France)
  • 22–25 January 2025: SnowCamp 2025 - Grenoble (France)
  • 30 January 2025: DevOps D-Day #9 - Marseille (France)
  • 6–7 February 2025: Touraine Tech - Tours (France)
  • 3 April 2025: DotJS - Paris (France)
  • 16–18 April 2025: Devoxx France - Paris (France)

Contact us

To react to this episode, come and discuss on the Google group https://groups.google.com/group/lescastcodeurs
Contact us via Twitter https://twitter.com/lescastcodeurs
Do a crowdcast or a crowdquestion
Support Les Cast Codeurs on Patreon https://www.patreon.com/LesCastCodeurs
All the episodes and all the info at https://lescastcodeurs.com/

Software Engineering Daily
C++ Static Analysis with Abbas Sabra

Software Engineering Daily

Play Episode Listen Later Jul 23, 2024


Static analysis is the examination of code without executing the program. It's used to identify potential errors, code quality issues, security vulnerabilities, and adherence to coding best practices. Abbas Sabra is a Principal Engineer at Sonar, which creates tools to help developers produce clean code. Abbas specializes in C++ static analysis, and began his career The post C++ Static Analysis with Abbas Sabra appeared first on Software Engineering Daily.

Podcast – Software Engineering Daily
C++ Static Analysis with Abbas Sabra

Podcast – Software Engineering Daily

Play Episode Listen Later Jul 23, 2024


Static analysis is the examination of code without executing the program. It’s used to identify potential errors, code quality issues, security vulnerabilities, and adherence to coding best practices. Abbas Sabra is a Principal Engineer at Sonar, which creates tools to help developers produce clean code. Abbas specializes in C++ static analysis, and began his career The post C++ Static Analysis with Abbas Sabra appeared first on Software Engineering Daily.

The Nonlinear Library
LW - Static Analysis As A Lifestyle by adamShimi

The Nonlinear Library

Play Episode Listen Later Jul 4, 2024 5:01


Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Static Analysis As A Lifestyle, published by adamShimi on July 4, 2024 on LessWrong.

I've been watching French Top Chef (the best Top Chef, fight me) with my wife again, and I'm always impressed by how often the mentoring chefs, all with multiple Michelin stars and years of experience, can just guess that a dish will work or that it will be missing something. By far, whenever a chef points to an error (not a risk, an error), it's then immediately validated experimentally: either the candidate corrected it and the jury comments positively on that aspect of the dish, or they refused to and failed because of that aspect of the dish.

Obviously, this incredible skill comes from years of cooking experience. But at its core, this is one of the fundamental ideas of epistemology that experts and masters rediscover again and again in their field: static analysis.

The core intuition of static analysis is that when you write a computer program, you can check some things without even running it, just by looking at it and analyzing it. What most programmers know best are type systems, which capture what can be done with different values in the program, and forbid incompatible operations (like adding a number and a string of characters together, or more advanced things like using memory that might already be deallocated). But static analysis is far larger than that: it includes verifying programs with proof assistants, model checking where you simulate many different possible situations without even running tests, abstract interpretation where you approximate the program so you can check key properties on it… At its core, static analysis focuses on what can be checked rationally, intellectually, logically, without needing to dirty your hands in the real world.

Which is precisely what the mentoring chefs are doing! They're leveraging their experience and knowledge to simulate the dish, and figure out if it runs into some known problems: lack of a given texture, preponderance of a taste, lack of complexity (for the advanced gastronomy recipes that Top Chef candidates need to invent)…

Another key intuition from static analysis which translates well to the Top Chef example is that it's much easier to check for specific failure modes than to verify correctness. It's easier to check that I'm not adding a number and a string than it is to check that I'm adding the right two numbers, say the price of the wedding venue and the price of the DJ. It's this aspect of static analysis, looking for the mistakes that you know (from experience or scholarship, which is at its best the distilled experience of others), which is such a key epistemological technique.

I opened with the Top Chef example, but almost any field of knowledge, engineering, or art is full of similar cases:
- In Physics, there is notably dimensional analysis, which checks that two sides of an equation have the same unit, and order of magnitude estimates, which check that a computation is not ridiculously off.
- In Chemistry, there is the balancing of chemical equations, in terms of atoms and electrons.
- In Drug Testing, there are specific receptors that you know your compound should absolutely not bind with, or it will completely mess up the patient.
- In most traditional fields of engineering, you have simulations and back-of-the-envelope checks that let you avoid the most egregious failures.
- In Animation, the original Disney animators came up with the half-filled flour sack test to check that they hadn't squashed and stretched their characters beyond recognition.

But there's something even deeper about these checks: they are often incomplete. In technical terms, a static analysis technique is complete if it accepts every correct program (and sound if it rejects all incorrect programs, but that's not the main point here). Of course, there...

The Nonlinear Library: LessWrong
LW - Static Analysis As A Lifestyle by adamShimi

The Nonlinear Library: LessWrong

Play Episode Listen Later Jul 4, 2024 5:01


Link to original article

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Static Analysis As A Lifestyle, published by adamShimi on July 4, 2024 on LessWrong.

I've been watching French Top Chef (the best Top Chef, fight me) with my wife again, and I'm always impressed by how often the mentoring chefs, all with multiple Michelin stars and years of experience, can just guess that a dish will work or that it will be missing something. By far, whenever a chef points to an error (not a risk, an error), it's then immediately validated experimentally: either the candidate corrected it and the jury comments positively on that aspect of the dish, or they refused to and failed because of that aspect of the dish.

Obviously, this incredible skill comes from years of cooking experience. But at its core, this is one of the fundamental ideas of epistemology that experts and masters rediscover again and again in their field: static analysis.

The core intuition of static analysis is that when you write a computer program, you can check some things without even running it, just by looking at it and analyzing it. What most programmers know best are type systems, which capture what can be done with different values in the program, and forbid incompatible operations (like adding a number and a string of characters together, or more advanced things like using memory that might already be deallocated). But static analysis is far larger than that: it includes verifying programs with proof assistants, model checking where you simulate many different possible situations without even running tests, abstract interpretation where you approximate the program so you can check key properties on it… At its core, static analysis focuses on what can be checked rationally, intellectually, logically, without needing to dirty your hands in the real world.

Which is precisely what the mentoring chefs are doing! They're leveraging their experience and knowledge to simulate the dish, and figure out if it runs into some known problems: lack of a given texture, preponderance of a taste, lack of complexity (for the advanced gastronomy recipes that Top Chef candidates need to invent)…

Another key intuition from static analysis which translates well to the Top Chef example is that it's much easier to check for specific failure modes than to verify correctness. It's easier to check that I'm not adding a number and a string than it is to check that I'm adding the right two numbers, say the price of the wedding venue and the price of the DJ. It's this aspect of static analysis, looking for the mistakes that you know (from experience or scholarship, which is at its best the distilled experience of others), which is such a key epistemological technique.

I opened with the Top Chef example, but almost any field of knowledge, engineering, or art is full of similar cases:
- In Physics, there is notably dimensional analysis, which checks that two sides of an equation have the same unit, and order of magnitude estimates, which check that a computation is not ridiculously off.
- In Chemistry, there is the balancing of chemical equations, in terms of atoms and electrons.
- In Drug Testing, there are specific receptors that you know your compound should absolutely not bind with, or it will completely mess up the patient.
- In most traditional fields of engineering, you have simulations and back-of-the-envelope checks that let you avoid the most egregious failures.
- In Animation, the original Disney animators came up with the half-filled flour sack test to check that they hadn't squashed and stretched their characters beyond recognition.

But there's something even deeper about these checks: they are often incomplete. In technical terms, a static analysis technique is complete if it accepts every correct program (and sound if it rejects all incorrect programs, but that's not the main point here). Of course, there...

No Compromises
Slowly introducing static analysis without changing everything

No Compromises

Play Episode Listen Later Jun 25, 2024 15:13 Transcription Available


Maybe you've tried to add static analysis to your Laravel app and got scared away by all the errors. In this episode we discuss how we like to introduce PHPStan to large, long-lived projects in a way that doesn't introduce a lot of risk or change.

Would you like help introducing Larastan to your project? That's one of many things we can help you with!

This episode is sponsored by Mailtrap, an Email Delivery Platform that developers love. Try for Free at MAILTRAP.IO

Software Engineering Institute (SEI) Podcast Series
Automated Repair of Static Analysis Alerts

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later May 31, 2024 27:05


Developers know that static analysis helps make code more secure. However, static analysis tools often produce a large number of false positives, hindering their usefulness. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), David Svoboda, a software security engineer in the SEI's CERT Division, discusses Redemption, a new open source tool from the SEI that automatically repairs common errors in C/C++ code generated from static analysis alerts, making code safer and static analysis less overwhelming.

Maintainable
Andrea Guarino - Leveraging Static Analysis for Better Code

Maintainable

Play Episode Listen Later May 21, 2024 36:18


In this episode, Robby interviews Andrea Guarino, a Software Engineer at Sonar, about the importance of leveraging static analysis tools for maintaining clean and adaptable code. Andrea emphasizes that well-maintained software should be easy to change, consistent, intentional, and responsible. He explains that static analysis tools play a crucial role in identifying potential issues, ensuring code quality, and preventing security leaks. Andrea also highlights the importance of educating developers on these best practices and integrating such tools into the development workflow to uphold a high standard of code quality. He discusses the challenges of maintaining consistency in code, especially when dealing with legacy code written in different periods and by different teams. Andrea also touches on the concept of technical debt, suggesting a pragmatic approach to address it by balancing between new code quality and gradual improvements to legacy code. Stay tuned for that and more!

Book Recommendation: The Brothers Karamazov by Fyodor Dostoevsky

Helpful Links:
- Andrea on LinkedIn
- Sonar
- Personal Website

Thanks to Our Sponsor! Turn hours of debugging into just minutes! AppSignal is a performance monitoring and error tracking tool designed for Ruby, Elixir, Python, Node.js, Javascript, and soon, other frameworks. It offers six powerful features with one simple interface, providing developers with real-time insights into the performance and health of web applications. Keep your coding cool and error-free, one line at a time! Check them out!

Subscribe to Maintainable on: Apple Podcasts, Spotify, or search "Maintainable" wherever you stream your podcasts. Keep up to date with the Maintainable Podcast by joining the newsletter.

Coding Blocks
Keyboards, Cloud Costs, Static Analysis, and Philosophy

Coding Blocks

Play Episode Listen Later Oct 15, 2023


We've got a smorgasbord of delights for you this week, ranging from mechanical switches to the cloud and beyond. Also, Michael's cosplaying as Megaman, Joe learns the difference between Clicks and Clacks, and Allen takes no prisoners. See the full show notes at https://www.codingblocks.net/episode220

News / The Show / Resources We Like / Tip of the Week

CppCast
Automatic Static Analysis

CppCast

Play Episode Listen Later Sep 1, 2023 53:08


Abbas Sabra joins Phil and Timur. Abbas talks to us about static analysis, the challenges - and benefits - of analysing C++ code, and a new feature from Sonar that can scan public repos with zero config.

Show Notes

News
- Boost 1.83.0 released
- fmt 10.1 released
- The downsides of C++ Coroutines

Links
- "All the defaults are backwards" - Phil's Lightning Talk
- "No, C++ static analysis does not have to be painful" - Sonar blog video showing Sonar's Automatic Analysis in action

Smart Software with SmartLogic
José Valim, Guillaume Duboc, and Giuseppe Castagna on the Future of Types in Elixir

Smart Software with SmartLogic

Play Episode Listen Later Jun 8, 2023 48:32


It's the Season 10 finale of the Elixir Wizards podcast! José Valim, Guillaume Duboc, and Giuseppe Castagna join Wizards Owen Bickford and Dan Ivovich to dive into the prospect of types in the Elixir programming language! They break down their research on set-theoretical typing and highlight their goal of creating a type system that supports as many Elixir idioms as possible while balancing simplicity and pragmatism. José, Guillaume, and Giuseppe talk about what initially sparked this project, the challenges in bringing types to Elixir, and the benefits that the Elixir community can expect from this exciting work. Guillaume's formalization and Giuseppe's "cutting-edge research" balance José's pragmatism and "Guardian of Orthodoxy" role. Decades of theory meet the needs of a living language, with open challenges like multi-process typing ahead. They come together with a shared joy of problem-solving that will accelerate Elixir's continued growth.

Key Topics Discussed in this Episode:
- Adding type safety to Elixir through set theoretical typing
- How the team chose a type system that supports as many Elixir idioms as possible
- Balancing simplicity and pragmatism in type system design
- Addressing challenges like typing maps, pattern matching, and guards
- The tradeoffs between Dialyzer and making types part of the core language
- Advantages of typing for catching bugs, documentation, and tooling
- The differences between typing in the Gleam programming language vs. Elixir
- The possibility of type inference in a set-theoretic type system
- The history and development of set-theoretic types over 20 years
- Gradual typing techniques for integrating typed and untyped code
- How José and Giuseppe initially connected through research papers
- Using types as a form of "mechanized documentation"
- The risks and tradeoffs of choosing syntax

Cheers to another decade of Elixir! A big thanks to this season's guests and all the listeners!

Links and Resources Mentioned in this Episode:
- Bringing Types to Elixir | Guillaume Duboc & Giuseppe Castagna | ElixirConf EU 2023 (https://youtu.be/gJJH7a2J9O8)
- Keynote: Celebrating the 10 Years of Elixir | José Valim | ElixirConf EU 2022 (https://youtu.be/Jf5Hsa1KOc8)
- OCaml industrial-strength functional programming https://ocaml.org/
- ℂDuce: a language for transformation of XML documents http://www.cduce.org/
- Ballerina coding language https://ballerina.io/
- Luau coding language https://luau-lang.org/
- Gleam type language https://gleam.run/
- "The Design Principles of the Elixir Type System" (https://www.irif.fr/_media/users/gduboc/elixir-types.pdf) by G. Castagna, G. Duboc, and J. Valim
- "A Gradual Type System for Elixir" (https://dlnext.acm.org/doi/abs/10.1145/3427081.3427084) by M. Cassola, A. Talagorria, A. Pardo, and M. Viera
- "Programming with union, intersection, and negation types" (https://www.irif.fr/~gc/papers/set-theoretic-types-2022.pdf), by Giuseppe Castagna
- "Covariance and Contravariance: a fresh look at an old issue (a primer in advanced type systems for learning functional programmers)" (https://www.irif.fr/~gc/papers/covcon-again.pdf) by Giuseppe Castagna
- "A reckless introduction to Hindley-Milner type inference" (https://www.lesswrong.com/posts/vTS8K4NBSi9iyCrPo/a-reckless-introduction-to-hindley-milner-type-inference)

Special Guests: Giuseppe Castagna, Guillaume Duboc, and José Valim.

Devs Do Something
Solidity Fuzzing & Web3 Testing with a Trail of Bits Security Engineer

Devs Do Something

Play Episode Listen Later Apr 27, 2023 46:25


This week's episode features an interview between Patrick Collins and a Web3 Security Engineer at Trail of Bits. They cover:
- testing methodologies
- fuzzing
- static analysis
With Trail of Bits Security Engineer, Troy!

Timestamps
3:10 - Exploring Smart Contract Testing Methodologies with Trail of Bits
5:37 - Testing Strategies for Smart Contracts
8:10 - Fuzz Testing and Invariant-Based Testing Explained
10:56 - Coverage Guided Fuzzing Explained
13:50 - The Benefits of Coverage Guided Fuzzing and the Differences between Echidna, Foundry, & Others
16:27 - Using Coverage Guided Fuzzing with Optic and Echidna
19:12 - Symbolic execution and coverage-guided fuzzing in Echidna
21:57 - Testing Philosophies: Dynamic vs. Static Testing
24:24 - Dynamic vs Static Analysis and the trade-offs of each approach
27:10 - The Importance of Efficient Testing and Using a Variety of Testing Methods
29:57 - The Role of Security Firms and Testing Philosophies
32:33 - Balancing Cost and Efficiency in Security Audits
35:15 - The Importance of Code Reuse in Building Tools and Languages
38:04 - The pitfalls of focusing on language intricacies in programming and the benefits of prioritizing language design and philosophy
40:41 - The Need for More Open Source Tools and Communication in the Ethereum Community
43:22 - Advice for becoming more security-minded in smart contract coding
45:51 - Discussion with Alpha Rush on Testing Compilers and Security Focus Journeys

The Shifting Privacy Left Podcast
S2E14: Addressing Privacy with Static Analysis Techniques Like 'Taint-Tracking' & 'Data Flow Analysis' with Suchakra Sharma (Privado.ai)

The Shifting Privacy Left Podcast

Play Episode Listen Later Apr 11, 2023 34:42 Transcription Available


This week, we welcome Suchakra Sharma, Chief Scientist at Privado.ai, where he builds code analysis tools for data privacy & security. Previously, he earned his PhD in Computer Engineering from Polytechnique Montreal, where he worked on eBPF Technology and hardware-assisted tracing techniques for OS Analysis. In this conversation, we delve into Suchakra's background in shifting left for security and how he applies traditional, tested static analysis techniques — such as 'taint tracking' and 'data flow analysis' — for use on large code bases at scale to help fix privacy leaks right at the source.

Thank you to our sponsor, Privado, the developer friendly privacy platform.

Suchakra aligns himself with the philosophical aspects of privacy and wishes to work on anything that helps in limiting the erosion of privacy in modern society, since privacy is fundamental to all of us. These kinds of needs have always been here, and as societies have advanced, this is a time when we require more guarantees of privacy. After all, it is humans that are behind systems and it is humans that are going to be affected by the machines that we build. Check out this fascinating discussion on how to shift privacy left in your organization.

Topics Covered:
- Why Suchakra was interested in privacy after focusing on static code analysis for security
- What 'shift left' means and lessons learned from the 'shift security left' movement that can be applied to 'shift privacy left' efforts
- Sociological perspectives on how humans developed a need for keeping things 'private' from others
- How to provide engineering-focused guarantees around privacy today & what the role should be of engineers within this 'shift privacy left' paradigm
- Suchakra's USENIX Enigma talk & discussion of 'taint tracking' & 'data flow analysis' techniques
- Which companies should build in-house tooling for static analysis, and which should be outsourcing to experienced vendors like Privado
- How to address 'privacy bugs' in code; why it's important to have an 'auditor's mindset;' &, why we'll see 'Privacy Bug Bounty Programs' soon
- Suchakra's advice to engineering managers to move the needle on privacy in their orgs

Resources Mentioned:
- Join Privado's Slack Community
- Review Privado's Open Source Code Scanning Tools

Guest Info:
- Connect with Suchakra on LinkedIn

Privado.ai: Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.
Shifting Privacy Left Media: Where privacy engineers gather, share, & learn
Buzzsprout - Launch your podcast
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Copyright © 2022 - 2024 Principled LLC. All rights reserved.

Paul's Security Weekly TV
Automating Security With Static Analysis - Josh Goldberg - ASW #233

Paul's Security Weekly TV

Play Episode Listen Later Mar 21, 2023 37:21


Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time. Segment Resources: https://typescript-eslint.io  https://eslint.org https://blog.joshuakgoldberg.com   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw233

Application Security Weekly (Video)
Automating Security With Static Analysis - Josh Goldberg - ASW #233

Application Security Weekly (Video)

Play Episode Listen Later Mar 21, 2023 37:21


Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time. Segment Resources: https://typescript-eslint.io  https://eslint.org https://blog.joshuakgoldberg.com   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw233

North Meets South Web Podcast
Upgrading Laravel, static analysis, and speeding up tests

North Meets South Web Podcast

Play Episode Listen Later Mar 9, 2023 28:59


Jake and Michael discuss the very, very, very momentous occasion of Michael finally getting to work both a modern version of Laravel and PHP, some of the twists and turns along the way, difficulties in testing multi-database multi-tenancy, and dissecting PDFs.

Day[0] - Zero Days for Day Zero
[binary] Hacking the DSi and some Fuzzing Tips

Day[0] - Zero Days for Day Zero

Play Episode Listen Later Mar 9, 2023 33:36


Just one vulnerability this week about hacking the Nintendo DSi browser, but we have a good discussion about fuzzing and a new paper "autofz". Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/194.html

[00:00:00] Introduction
[00:00:27] Spot the Vuln - Checking your Numbers
[00:03:23] autofz: Automated Fuzzer Composition at Runtime
[00:14:52] Alex Plaskett - Fuzzing Insights
[00:23:08] Hacking the Nintendo DSi Browser
[00:29:56] Espressif ESP32: Breaking HW AES with Electromagnetic Analysis
[00:32:08] Finding 10x+ Performance Improvements in C++ with CodeQL – Part 2/2 on Combining Dynamic and Static Analysis for Performance Optimisation

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

More Than Just Code podcast - iOS and Swift development, news and advice

This week we discuss the new M2 Max, M2 Pro and Mac mini, MacBook Pros 14 & 16. We follow up on Stable Diffusion, ChatGPT and updated Apple Design Resources. We also cover augmenting accessibility with localized image names and the 2nd generation HomePod. In our Picks; Improving Console Output, SwiftUI Views Life Cycle, SwiftUI 4 adds tap location, DIY iOS Static Analysis, Gitignore.io, Getting Started with Xcode Cloud, and How to professionally say...

Software Engineering Unlocked
Making security easier for developers

Software Engineering Unlocked

Play Episode Listen Later Aug 24, 2022 44:51


Book your awesomecodereview.com workshop!

Links:
- Harshit's Linkedin
- The voice of the modern developer
- Tromozo

Subscribe on iTunes, Spotify, Google, Deezer, or via RSS.

DevSecOps Podcast
#23 - SDL PT9 - Perform Static Analysis Security Testing (SAST)

DevSecOps Podcast

Play Episode Listen Later Jun 22, 2022 59:06


In the ninth episode of the SDL series, you learn about Static Application Security Testing (SAST). What? How? Where? When? And, above all, for whom? Let's dive into the topic to help you develop secure software, the right way.

Go Time
Analyzing static analysis

Go Time

Play Episode Listen Later Apr 28, 2022 58:22 Transcription Available


Matan Peled from Technion University joins Natalie & Mat to discuss his PhD research on meta programming and static analyzers. How does Go's measure up? What would Matan's look like if he built one? All that and more!

Changelog Master Feed
Analyzing static analysis (Go Time #227)

Changelog Master Feed

Play Episode Listen Later Apr 28, 2022 58:22 Transcription Available


Matan Peled from Technion University joins Natalie & Mat to discuss his PhD research on meta programming and static analyzers. How does Go's measure up? What would Matan's look like if he built one? All that and more!

Software Unscripted
Static Analysis with elm-review author Jeroen Engels

Software Unscripted

Play Episode Listen Later Apr 15, 2022 53:37


Jeroen Engels, creator of elm-review and co-host of the Elm Radio podcast, talks about static analysis tools with Richard.

Software Engineering Unlocked
Improving Code Reviews with Github's Copilot

Software Engineering Unlocked

Play Episode Listen Later Apr 13, 2022 37:52


Paige is the director of Machine learning and machine learning operations, aka MLOps, at GitHub. Before that, she was a principal product manager at Microsoft and also worked on DeepMind and Google Brain. Paige has had over a decade of experience with machine learning and data science as a practitioner.

Check out my new project awesomecodereview.com workshop!

Links:
- Retweet and like to win access to GitHub Codespace, including Copilot
- Tiferet's work, using machine learning to detect security vulnerabilities in source code.
- VS Code's Python extension and Jupyter extension.
- Copilot website (make sure to download the Copilot Nightly extension, to get the latest features!)
- Applied Machine Learning Scientist – Microsoft job opening here!
- Github – Use it for your work and tell us how we can improve!

Shownotes:

[00:01 – 10:53] Opening Segment
- Check out my latest project: Awesome Code Reviews! Visit https://www.awesomecodereviews.com/ to find articles about code reviews, best practices, code review checklist, news about the latest research and code reviews, and workshops and courses about this topic
- Get a chance to try out GitHub Codespaces and other extensions like GitHub Copilot! Like and retweet today's episode, and for an additional chance to win, you can also leave a comment about what kind of data science work you're currently doing or what you like to do
- The responsibilities of a director of machine learning and machine learning operations
- Demystifying the process of reviewing complicated data science code

[10:54 – 20:54] A Helpful Collaborator As You Write Code
- How GitHub Copilot becomes your partner and collaborator when writing code
- It is an extension for VS Code and generates source code
- Learning from test cases and how code reviewers can perform a better job
- Acquiring accurate code snippets through understanding the specific requirements
- The strive for consistent performance across every single kind of language

[20:55 – 35:25] Expanding Feature Capabilities for Optimal Functionality
- The beginning of deep learning techniques application
- This targets detecting security vulnerabilities through code reviews
- It also provides recommendations for extracting functions from blocks of code
- Encouraging consistency in names and styles
- Take note: Microsoft is hiring!
- Striking the balance with deep understanding of data-driven and quantitative approaches
- Data can tell us about users who are already using our tools, but not about those who haven't tried them yet
- The key is to remain curious and constantly seek to better understand users

[35:26 – 37:52] Closing Segment
- Paige's recommendation for you: Try out GitHub for your machine learning projects!
- Final words

Resources Mentioned:
- Retweet and Like this tweet to win access to GitHub codespaces and copilot
- Awesome Code Reviews - Visit for helpful information and courses for you to try!
- Applied Machine Learning Scientist - Microsoft job opening here!
- Github - Use it for your work and tell us how we can improve!
- Tiferet's work, using machine learning to detect security vulnerabilities in source code.
- VS Code's Python extension and Jupyter extension.
- Copilot website (make sure to download the Copilot Nightly extension, to get the latest features!)

Let's Connect! You can connect with me, Dr. McKayla, on Instagram, Twitter and Youtube to look into engineering software, and learn from experienced developers and thought leaders from around the world about how they develop software!

LEAVE A REVIEW + help someone who wants to know more about the engineering software world. Your ratings and reviews help get the podcast in front of new listeners.

PHP Internals News
PHP Internals News: Episode 95: PHP 8.1 Celebrations

PHP Internals News

Play Episode Listen Later Nov 25, 2021


PHP Internals News: Episode 95: PHP 8.1 Celebrations
London, UK Thursday, November 25th 2021, 09:23 GMT

In this episode of "PHP Internals News" we're looking back at all the RFCs that we discussed on this podcast for PHP 8.1. In their own words, the RFC authors explain what these features are, with your host interjecting his own comments on the state of affairs.

The RSS feed for this podcast is https://derickrethans.nl/feed-phpinternalsnews.xml, you can download this episode's MP3 file, and it's available on Spotify and iTunes. There is a dedicated website: https://phpinternals.news

Transcript

Derick Rethans 0:14
Hi, I'm Derick, and this is PHP Internals News, a weekly podcast dedicated to demystifying the development of the PHP language.

Derick Rethans 0:23
This is episode 95. I've been absent on the podcast for the last few months due to other commitments. It takes approximately four hours to make each episode, and I can now unfortunately not really justify spending the time to work on it. I have yet to decide whether I will continue with it next year to bring you all the exciting development news for PHP 8.2.

Derick Rethans 0:44
However, back to today. PHP 8.1 is going to be released today, November 25. In this episode, I'll look back at the previous episodes this year to highlight the new features that are being introduced in PHP 8.1. I am not revisiting the proposals that did not end up making it into PHP 8.1. For each feature, I will let my original interview speak. I think you will hear Nikita Popov a lot, as he's been so prolific, proposing and implementing many of the features of this new release. However, in the first episode of the year, I spoke with Larry about enumerations, which he was proposing together with Ilija Tovilo. I asked him what enumerations are.

Larry Garfield 1:26
Enumerations, or enums, are a feature of a lot of programming languages. What they look like varies a lot depending on the language, but the basic concept is creating a type that has a fixed, finite set of possible values. The classic example is booleans. Boolean is a type that has two and only two possible values: true and false. Enumerations are a way to let you define your own types like that, to say this type has two values, Sort Ascending or Sort Descending. This type has four values for the four different card suits in a standard card deck. Or a user can be in one of four states: pending, approved, cancelled or active. And so those are the four possible values that this variable type can have. What that looks like varies widely depending on the language. In a language like C or C++, it's just a thin layer on top of integer constants, which means they get compiled away to integers at compile time, and they don't actually do all that much; they're a little bit of help for reading. On the other end of the spectrum, you have languages like Rust or Swift, where enumerations are a robust, advanced data type and data construct of their own, that also supports algebraic data types. We'll get into that a bit more later. And it is a core part of how a lot of the system actually works in practice, and a lot of other languages are somewhere in the middle. Our goal with this RFC is to give PHP more towards the advanced end of enumerations. Because there are perfectly good use cases for it, so let's not cheap out on it.

Derick Rethans 3:14
In the next episode, I spoke with Aaron Piotrowski about another big new feature: fibres.

Aaron Piotrowski 3:20
A few other languages already have Fibers, like Ruby. And they're sort of similar to threads in that they contain a separate call stack and a separate memory stack. But they differ from threads in that they exist only within a single process and that they have to be switched to cooperatively by that process rather than pre-emptively by the OS like threads. And so the main motivation behind wanting to add this feature is to make asynchronous programming in PHP much easier and eliminate the distinction that usually exists between async code that has these promises and synchronous code that we're all used to.

Derick Rethans 4:03
I also asked Aaron about Swoole PHP. I actually have a slightly related question that pops into my head. There's also something called Swoole PHP, which does something similar but from what I understand actually allows things to run in threads. How would you compare these two frameworks, or approaches is probably the better word?

Aaron Piotrowski 4:25
Swoole is, they try and be the Swiss Army Knife in a lot of ways, where they provide tools to do just about everything. And they provide a lot of opinionated APIs for things, whereas in this case, I'm trying to provide just the lowest level, just only the very necessary tools that would be required in core to implement Fibers.

Derick Rethans 4:48
Although I discussed several deprecations from Nikita in the last year, I only want to focus on the new features. In episode 76, I spoke with him about array unpacking, after talking about changes to null in internal functions.

Nikita Popov 5:01
The background is that we have unpacking in calls. If you have the arguments for the call in an array, then you write the three dots and the array is unpacked into the actual arguments. Now what this RFC is about is to do the same change for array unpacking, so allow you to also use string keys.

Derick Rethans 5:24
In another episode, I spoke with David Gebler on a more specific addition of a new function, fsync. David explains the reason why he wants to add this to PHP.

David Gebler 5:34
It's an interesting question. I suppose in one sense, I've always felt that the absence of fsync, when some interface to fsync is provided by most other high-level languages, has always been something of an oversight in PHP. But the other reason was that it was an exercise for me in familiarizing myself with PHP core, getting to learn the source code. And it's a very small contribution, but it's one that I feel is potentially useful. And it was easy for me to do as a learning exercise.

Derick Rethans 5:58
And that is how things are added to PHP sometimes, to learn something new and add something useful at the same time. After discussing the move of the PHP documentation to Git in episode 78, in Episode 79, I spoke with Nikita about his new in initializers RFC. He says:

Nikita Popov 6:15
So my addition is a very small one, actually, my own will, I'm only allowing a single new thing and that's using new. So you can use new whatever as a parameter default, property default, and so on.

Derick Rethans 6:29
The addition of this change also makes it possible to use nested attributes. Nikita explains:

Nikita Popov 6:34
I have to be honest, I didn't think about attributes at all when writing this proposal. What I had in mind is mainly parameter defaults and property defaults. But yeah, attribute arguments also use the same mechanism and are under the same limitations. So now you can use new as an attribute argument. And this can be used to effectively nest attributes.

Derick Rethans 6:59
Static analysis tools are used more and more with PHP, and I spoke to the authors of the two main tools, Matt Brown of Psalm and Ondrej Mirtes of PHPStan. They proposed together to add a new return type called noreturn. I asked him what it does and what it is used for.

Ondrej Mirtes 7:14
Right now the PHP community most likely waits for someone to implement generics and intersection types, which are also widely adopted in PHP docs. But there's also noreturn, a little bit more subtle concept that would also benefit from being in the language. It marks functions and methods that always throw an exception, or always exit or enter an infinite loop. Calling such a function or method guarantees that nothing will be executed after it. This is useful for static analysis, because we can use it for type inference.

Derick Rethans 7:49
Beyond syntax, each new version of PHP also adds new functions and classes. We already touched on the new fsync function, but Mel Dafert proposed to add the IntlDatePatternGenerator class to help with formatting dates according to specific locales in a more specific way. She explains:

Mel Dafert 8:07
Currently, PHP exposes the ability for locale-dependent date formatting with the IntlDateFormat class, but it has basically only three options for the format: long, medium and short. These options are not flexible enough in some cases, however. For example, the most common German format is day dot numerical month dot long version of the year. However, neither the medium nor the short version provide this, and they use either the long version of the month or a short version of the year, neither of which were acceptable in my situation.

Derick Rethans 8:40
And she continues with her proposal:

Mel Dafert 8:42
ICU exposes a class called DateTimePatternGenerator, to which you can pass a locale and a so-called skeleton, and it generates the correct formatting pattern for you. The skeleton just includes which parts are supposed to be included in the pattern, for example the numerical date, numerical month and the long year, and this will generate exactly the pattern I wanted earlier. This is also a lot more flexible. For example, the skeleton can also just consist of the month and the year, which was also not possible so far. I'm proposing to add the IntlDatePatternGenerator class to PHP, which can be constructed for locales and exposes the get best pattern method that generates a pattern from a skeleton for that locale.

Derick Rethans 9:26
Locales and internationalization have always been an interest for me, and I'm glad that this made it into PHP 8.1. I spoke at length with Nikita about his property accessors RFC, in which he was suggesting to add a rich set of features with regard to accessibility of properties, including read only, get/set function calls, and asymmetric visibility. He did not end up proposing this RFC, which he already hinted at during our chat:

Nikita Popov 9:53
I am still considering if I want to explore the simpler alternatives first. There was already a proposal, another rejected proposal, for Read Only properties; it was probably called Write Once Properties at the time. But yeah, I kind of do think that it might make sense to try something like that again before going to the full accessors proposal, or instead.

Derick Rethans 10:18
He did then later propose a simpler RFC, read only properties, which did get included into PHP 8 as a new syntax feature. He explains again:

Nikita Popov 10:27
This RFC is proposing read only properties, which means that a property can only be initialized once and then not changed afterwards. Again, the idea here is that since PHP 7.4, we have typed properties. The remaining problem with them is that people are not confident making public typed properties, because while they still ensure that the type is correct, they might not be upholding other invariants. For example, if you have some, like, additional checks in your constructor, that a string property is actually a non-empty string property, then you might not want to make it public, because then it could be modified to an empty value. For example, one nowadays fairly common case is where properties are actually only initialized in the constructor and not changed afterwards any more. So I think this kind of mutable object pattern is becoming more and more popular in PHP.

Derick Rethans 11:21
Nikita, of course, meant this kind of immutable object pattern, which we didn't pick up on during the episode. Another big change was to the PHP type system, where George Peter proposed pure intersection types. He explains what it is:

George Peter Banyard 11:35
I think the easiest way to explain intersection types is to use something which we already have, which are union types. So union types tell you I want X or Y, whereas intersection types tell you that I want X and Y to be true at the same time. The easiest example I can come up with is a traversable that you want to be countable as well.

Derick Rethans 11:54
To explain the word pure, George Peter says:

George Peter Banyard 11:58
So the word pure here is not very semantic; it's more that you cannot mix union types and intersection types together.

Derick Rethans 12:06
Just after the feature freeze for PHP 8.1 happened in July, another RFC was proposed by Nicolas Grekas to allow the new pure intersection types to be nullable as well. But as that RFC was too late, and would change the pure intersection types to just intersection types, it was ultimately rejected.

Derick Rethans 12:23
The last feature that I discussed in a normal run of the podcast was Nikita's first class callable syntax support. He explains why the current callable syntax that uses strings and arrays with strings has problems:

Nikita Popov 12:35
So the current callable syntax has a couple of issues. I think the core issue is that it's not really analysable. So if you see this kind of, like, array with two strings inside it, it could just be an array with two strings; you don't know if that's supposed to actually be a static method reference. If you look at the context of where it is used, you might be able to figure out that actually, this is a callable. And like in your IDE, if you rename this method, then this array should also be, this array's elements will also be renamed. But that's like a lot of complex reasoning that the static analyser has to perform. That's one side of the issue. The second one is that callables are not scope independent. For example, if you have a private method, then like at the point where you create your callable, like as an array, it might be callable there, but then you pass it to some other function, and that's in a different scope, and suddenly that method is not callable there. So this is a general issue with both the, like, this callable syntax based on arrays, and also the callable type: it is callable at exactly this point, not callable at a later point. This is what the new syntax essentially addresses. So it provides a syntax that, like, clearly indicates that yes, this really is a callable, and it performs the callability check at the point where it's created, and also binds the scope at that time. So if you pass it to a different function in a different scope, it still remains callable.

Derick Rethans 14:08
This new feature is a subset of another RFC called partial function application, which was proposed by Paul Crovella, Levi Morrison, Joe Watkins, and Larry Garfield, but ultimately got declined. So there we have it, a whirlwind tour of the major new features in PHP 8.1. I hope you will enjoy them. As I said in the introduction, I'm not sure if I will continue with the podcast to talk about PHP 8.2 features in 2022 due to time constraints. Let me know if you have any suggestions.

Derick Rethans 14:41
Thank you for listening to this installment of PHP Internals News, a podcast dedicated to demystifying the development of the PHP language. I maintain a Patreon account for supporters of this podcast as well as the Xdebug debugging tool. You can sign up for Patreon at https://drck.me/patreon. If you have comments or suggestions, feel free to email them to derick@phpinternals.news. Thank you for listening and I'll see you next time.
Show Notes
Episode #73: Enumerations
Episode #74: Fibers
Episode #76: Array Unpacking
Episode #77: fsync function
Episode #79: New in Initialisers
Episode #81: noreturn type
Episode #85: Add IntlDatePatternGenerator
Episode #86: Property Accessors
Episode #88: Pure Intersection Types
Episode #90: Readonly Properties
Episode #92: First-Class Callable Syntax

Credits
Music: Chipper Doodle v2 — Kevin MacLeod (incompetech.com) — Creative Commons: By Attribution 3.0

The CyberWire
GriftHorse's premium service scams. Facebook open sources a static analysis tool. Update on the Group-IB affair. What the Familiar Four are up to. Counting ransomware strains.

The CyberWire

Play Episode Listen Later Sep 30, 2021 28:41


GriftHorse subscribes afflicted Android users to premium services they never knew they'd signed up for (and wouldn't want if they did). Facebook releases a static analysis tool it uses internally to check apps for security issues. Speculation about what put Group-IB's CEO in hot water with the Kremlin. A look from NSA at where the major nation-state cyberthreats currently stand. Malek Ben Salem from Accenture has thoughts on quantum security. Our guest, author and Wired editor at large Steven Levy, joins us with insights on Facebook's internal research teams. And a short census of ransomware strains. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/189

Console DevTools
Can you rely on autofix? (Tyk & DeepSource) - S01E09

Console DevTools

Play Episode Listen Later Sep 2, 2021 15:23


Episode 9 of the Console DevTools Podcast, a devtools discussion with David Mytton (Co-founder, Console) and Jean Yang (CEO, Akita Software).

Tools discussed:
Tyk - API gateway
DeepSource - automated code reviews

Find more interesting tools and beta releases for developers at https://console.dev

Other things mentioned:
Kong
Apigee
nginx
Go
Akita Software
EP5 Console DevTools Podcast
EP2 Console DevTools Podcast

Let us know what you think on Twitter:
https://twitter.com/jeanqasaur
https://twitter.com/davidmytton
https://twitter.com/consoledotdev
Or by email: hello@console.dev

We are always on the lookout for interesting tools to feature in the newsletter, so please say hello if you're working on something new or have recently used a tool you think we'd like. We only include things that would be of interest to experienced developers and do not accept payment for product inclusion. Read our selection criteria.

Recorded: 2021-08-18.

Security Journey's hi/5
Impact of GDPR, JavaScript for Pen Testers and Bug Bounty Hunters, Incident Response Plan, and more

Security Journey's hi/5

Play Episode Listen Later Jul 8, 2021 6:09


1. Impact of GDPR on Cloud Service Providers
Privacy is here to stay -- long live data privacy in the cloud.
2. Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters
Bug bounty hunter techniques are the same techniques adversaries use.
3. What Every Incident Response Plan Needs
Nobody thinks they'll need an incident response plan… until it's too late.
4. Dev-Sec Disconnect Undermines Secure Coding Efforts
Developer empathy – as a security person, walk a mile in the shoes of your developers. It will change your whole perspective.
5. Look how many cybercriminals love Cobalt Strike
Adversaries use the best tools available for any job. Sometimes those tools are the same tools used by those on the side of good.

LINUX Unplugged
410: Ye Olde Linux Distro

LINUX Unplugged

Play Episode Listen Later Jun 16, 2021 62:44


Linux Action News
Linux Action News 186

Linux Action News

Play Episode Listen Later Apr 26, 2021 24:41


The University of Minnesota has been banned from the Linux kernel. We'll share the history, the context, and where things stand now around the controversial research that led to the ban. Plus Ubuntu 21.04 is out, and we try WSL's new GUI Linux app support.

The Python Podcast.__init__
Keep Your Code Clean And Maintainable Using Static Analysis With Flake8

The Python Podcast.__init__

Play Episode Listen Later Apr 6, 2021 49:31


When you are writing code it is all too easy to introduce subtle bugs or leave behind unused code: unused variables, unused imports, overly complex logic, etc. If you are careful and diligent you can find these problems yourself, but isn't that what computers are supposed to help you with? Thankfully Python has a wealth of tools that will work with you to keep your code clean and maintainable. In this episode Anthony Sottile explores Flake8, one of the most popular options for identifying those problematic lines of code. He shares how he became involved in the project and took over as maintainer, and explains the different categories of code quality tooling and how Flake8 compares to other static analyzers. He also discusses the ecosystem of plugins that has grown up around it, including some detailed examples of how you can write your own (and why you might want to).

Software Engineering Daily
Semgrep: Modern Static Analysis with Isaac Evans

Software Engineering Daily

Play Episode Listen Later Feb 26, 2021 45:40


Static analysis is a type of debugging that identifies defects without running the code. Static analysis tools can be especially useful for enforcing security policies by analyzing code for security vulnerabilities early in the development process, allowing teams to rapidly address potential issues and conform to best practices. R2C has developed a fast, open-source static analysis tool called Semgrep.

Software Daily
Semgrep: Modern Static Analysis with Isaac Evans

Software Daily

Play Episode Listen Later Feb 26, 2021


Static analysis is a type of debugging that identifies defects without running the code. Static analysis tools can be especially useful for enforcing security policies by analyzing code for security vulnerabilities early in the development process, allowing teams to rapidly address potential issues and conform to best practices.

R2C has developed a fast, open-source static analysis tool called Semgrep. Semgrep provides syntax-aware code scanning and a database of thousands of community-defined rules to compare your code against. Semgrep also makes it easy for security engineers and developers to define custom rules to enforce their organization's policies. R2C's platform has been adopted by industry leaders such as Dropbox and Snowflake, and recently received the “Disruptive Innovator” distinction at Forbes' 2020 Cybersecurity Awards.

Isaac Evans is the Founder and CEO of R2C. Before founding R2C he was an Entrepreneur in Residence at Redpoint Ventures and a computer scientist at the US Department of Defense. Isaac joins the show today to talk about how R2C is helping teams improve their cloud security, why static analysis is a natural fit for CI/CD workflows, and what to expect from R2C and the Semgrep project in the future.

Tool and Library Qualification
Episode 42: Static Analysis with Daniel Kästner (AbsInt)

Tool and Library Qualification

Play Episode Listen Later Dec 22, 2020 35:32


In this episode Dr. Oscar Slotosch is joined by Dr. Daniel Kästner, co-founder of AbsInt and accomplished expert on safety-critical embedded systems, for a discussion of the applications of static analysis to safety-critical software and the advanced development tools offered by AbsInt. Tune in to learn about the static code analyzer for C and C++ that can prove the absence of runtime errors and invalid concurrent behavior (Astrée) and AbsInt’s formally verified production compiler (CompCert), as well as their process of development and real-world applications. Additional information about AbsInt can be found at absint.com. To hear Oscar’s discussion with Marcel Beemster, join us in Episode 20: SuperTest with Marcel Beemster (Solid Sands), and to learn more about C++ exceptions for safety-critical projects, listen in to Episode 31: Safety of C++ Exceptions — Deep Dive with Mapless AI. Your producer and friendly representative of the audience in this episode has been Ivana Kurecic. We can be reached through podcast@validas.de and all information about Validas can be found on our website, validas.de.

The Accidental Engineer
Static Analysis from Scratch: Elissa Shevinsky, Faster Than Light

The Accidental Engineer

Play Episode Listen Later Sep 1, 2019 30:27


Elissa Shevinsky is CEO at Faster Than Light, a startup tackling the field of static code analysis.

The Byte - A Byte-sized podcast about Containers, Cloud, and Tech
Clair - Vulnerability Static Analysis for Containers

The Byte - A Byte-sized podcast about Containers, Cloud, and Tech

Play Episode Listen Later May 13, 2019 4:57


Website - https://github.com/coreos/clair
SaaS Vendors mentioned in this episode: Aqua Security, NeuVector, Twistlock

Episode Transcription

Welcome back to The Byte. In this episode, we're going to talk about Clair, a vulnerability static analysis tool for containers. Before we get started I want to see a raise of hands: who runs containers in production? Now, keep your hand up if you scan your images that are running in production. Now, this is a question I ask in workshops to various banks, and big customers that you would think would be doing this, and it's shocking. If we were all sitting in one room, I would imagine only 20% of us would still have our hands up saying we run production containers, and we scan these containers... scan the container images.

Now, Clair is actually a brilliant tool. It was developed by CoreOS, which was acquired by Red Hat, which Red Hat was acquired by IBM, but it's still going. I mean, it's still active, which is brilliant, because it's an awesome tool. Now, typically in the enterprise world, and the small-medium enterprise, I mean, different segments, you have different options, right? I mean, typically, if you are going to do container security, you're going to go with some sort of SaaS solution, one of the big vendors, and we're talking about Aqua Security, NeuVector, Twistlock. I mean, just to name a couple of them.

But, Clair is actually the open-source version, and obviously, it is open source. I mean, you're not getting any SLAs, or anything like that, but it does a great job, and what it does, I mean, it actually does static analysis and vulnerability scanning of your container images. How that works: it regularly downloads the metadata from various sources, stores them in a database, and then compares the metadata versus your images that are running. This then provides you a notification, or lets you know, "Hey, this particular image has vulnerabilities, and I'll notify you, and I'll keep notifying you until you..." Like a siren's notification.

Additionally, we can also integrate Clair into your CI/CD pipeline, which allows us to, as we build container images we can actually, as it's pushed to a registry, Clair then fires up, scans the image, and then provides you a report about them, if there are any vulnerabilities inside this image. It integrates into your CI/CD pipeline, it integrates into various container registries, it has configurable notifications, so we can then push notifications to Slack, or email, or whatever notification system you want to use, Permit To Use, for example. You can go to the Alert Manager. It has a lot of different possibilities there. It does integrate quite well to a bunch of different types of platforms, so if you go into the documentation on Clair's GitHub page, you go to Integrations, you can see it obviously integrates into the CoreOS Registry.

It integrates into all sorts of different projects. You can look through it. As I said, it's an open-source project. If you're not doing container scanning now, I would highly, highly recommend you use Clair, so that at least you have something, right? Because, many times people are not doing any scanning, and it's better to do something, so at least you know, hey, do I have a Heartbleed running around in my production systems? Do I have any vulnerabilities that are like super, like red alert? It's good to know at least baseline where I'm sitting. I would recommend Clair if you're not running any security system. If you have the budget I would definitely go for an enterprise solution, Aqua, NeuVector, Twistlock, just to name a couple of them, but there's a lot of options out there.

Security starts sooner than later. I mean, the sooner you can integrate this into your CI/CD pipeline the better off you are. Give it a try, github.com/coreos/clair. It's a great tool. We've used it for a couple of projects. We're quite happy with it. I mean, obviously, for what you pay for, right? But, at least you're getting some sort of security put in place. This is step one. Obviously, there are a lot more best practices you can incorporate into your building of images, as well as the security in your container environment, but at least with Clair, we have some sort of reporting and availability... ability to actually scan your images.

Give it a try. Clair has great documentation. It's being used quite regularly. It's also being updated quite frequently as well. That's all I have for this episode. Have a great day. We'll see you next time.