
Yeah, so thanks for taking the time to join me today. In this lightning talk we'll explore how to find and fix vulnerabilities in open source projects. Before I dive in, let me quickly take a moment to introduce myself. I am Cian Barons, a DevSecOps engineer (I'm also known as Ki), and someone who is passionate about application security: not just finding but fixing security vulnerabilities as well.

So what are open source projects? Open source projects are projects, programs or libraries whose source code is made freely available for anyone to use, distribute or even modify. A couple of examples of open source platforms are GitHub as well as GitLab. If we have a look at some popular open source projects: operating systems like Linux, programming tools like Python or Node.js, or even development platforms like Kubernetes and Docker.

In order to contribute to an open source project there are a number of things to consider. One, you have to find a project: decide where you want to contribute. Go through the documentation, find an issue to work on (in our case we will be looking for security vulnerabilities), work on your solution, and submit your solution.

Using tools and platforms to contribute to open source projects: GitHub has some built-in tools like CodeQL as well as Dependabot that you can use to scan open source projects for security vulnerabilities, and there are external platforms like Snyk that also do the same. When you're analyzing a project for security vulnerabilities there are a number of categories to consider. Source code: you can either analyze the code base of a project for security vulnerabilities, or analyze the dependencies of a project, like all the third-party libraries within your project. What we will have a look at now is the built-in security features within GitHub. It has built-in features like code scanning, where you can analyze the code, as well as dependency scanning, so we will quickly have a look at how you can enable that within your open source project and actually use it.

So what is code scanning? Code scanning is a feature that allows you to analyze your code within GitHub for security vulnerabilities, and it also gives you the ability to schedule scans within your project, so you can decide how frequently you would like your project to be assessed. As soon as a potential vulnerability has been identified you will receive an alert, and GitHub has a Copilot Autofix that will suggest a fix for the vulnerability that was identified.

If we have a look at code scanning using CodeQL: like I mentioned, it is an analysis tool developed by GitHub. It currently supports eight programming languages, and when you set it up in GitHub you have the option to set up the default or advanced capability of CodeQL.

So how do I go about enabling code scanning within a GitHub repository? Once you've decided on a project that you would like to work on, one of the first things you should do is go to Actions within your repository and make sure that GitHub Actions is enabled. After that, go to the Security tab and click on code scanning. This is where you will go ahead and configure your security tool. If you go to your security tool and, like I mentioned, the setup, and click on default, it will automatically start analyzing your project and identify the programming languages that your repository contains. As soon as you enable CodeQL, that's when it will start scanning your project for code vulnerabilities, and as soon as a vulnerability has been identified you will be alerted of the findings. When you click on one of the findings, this is where you can do the autofix: you can generate a fix or you can implement a fix. Here you can see the suggested fix that was generated, and then you can submit the fix. What you can also do is modify your workflow to update the schedule times of when you want to actually perform scheduled scans; you can do that using the cron syntax.

Next we will have a look at dependency scanning: how you can actually do dependency scanning within your project using Dependabot. The process is similar. Within your GitHub repository you navigate to the Security tab, then to Overview, and enable Dependabot. You can then select which alert option you would like to enable, and once a potential security vulnerability has been identified you will be alerted as well. There (I'm not sure if everyone can see) it's showing that this is the patched version, and you can upgrade from your current version to the patched version, and then you can submit a fix for that.

So that was some of the built-in security features within GitHub. GitHub also has a Marketplace which has additional security tools that you can use to find and fix security vulnerabilities within your project, and there are external platforms like Snyk where you can do the same: scan your GitHub project for security vulnerabilities and submit a fix as well. You can sign up to Snyk and then import your GitHub project. As soon as it's imported it will scan your project for security vulnerabilities, and if there's a fix available it will tell you that there is a fix available for this vulnerability. What you can also do is open a pull request from within Snyk. As soon as you open a pull request you will be redirected to GitHub, where you will be able to commit the fix within the project. One of the great things that I actually like about Snyk is that, as soon as a security vulnerability has been identified, they have a learning option as well where you can learn more about the security vulnerability that was identified. As soon as you click on "learn about this vulnerability" you will be redirected to their page, which gives you a breakdown of the security vulnerability: how it works, how it works in the background, and how you can mitigate it. So you can take it as a learning experience as well, to learn more about the different types of security vulnerabilities.

Cross-platform remediation: what you can also do in GitHub, in order to contribute to multiple open source projects, is apply what you've already learned. If you identified a specific security vulnerability as well as how to fix it, you can search in GitHub for the vulnerable code and it will show you all the repositories which contain or make use of the same vulnerable code, and then you can go ahead and implement the same patch within that repository. That will allow you to contribute to multiple open source projects.

So just to summarize my lightning talk: we had a look at how you can find and fix security vulnerabilities within GitHub using the built-in tools like CodeQL as well as Dependabot, how you can also use external platforms like Snyk to import your open source project and scan it for vulnerabilities, how you can also use it as a learning platform to learn more about security vulnerabilities, and how you can use what you've learned and apply it across multiple code repositories. Thanks again for joining me. Let's commit to securing open source projects, starting with your next pull request. Thank you. [Applause]