Alvaro Muñoz
Alvaro Muñoz works as a Principal Security Researcher with the GitHub Security Lab team. Previously he worked as an Application Security Consultant, helping top enterprises deploy their application security programs. He is passionate about web application security, where he has focused most of his research. Muñoz has presented at many security conferences, including Black Hat, DEFCON, RSA, OWASP AppSec EU and US, and JavaOne, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.
Rise of captain hindsight: Finding Log4Shell with CodeQL
CodeQL is a free and powerful static analysis tool for finding vulnerabilities in OSS projects. It is commonly used to detect known vulnerability patterns and their variants in code. CodeQL queries are usually aimed at very specific vulnerabilities for variant-analysis purposes and are often integrated into CI/CD pipelines to detect bugs automatically. For this reason, CodeQL is configured by default to operate in a developer-first mode that reduces false positives to a minimum and returns the most accurate results. However, CodeQL can also be configured to operate in a less conservative, security-researcher-friendly mode that produces more false positives but also fewer false negatives.
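The switch between the two modes described above is, in practice, a choice of query suite. The following is an added illustration (not part of the talk abstract or of GitHub's own documentation) showing a code scanning configuration file that opts into the broader, lower-precision suite. The file name `.github/codeql/codeql-config.yml` and the `config-file` input are the standard GitHub code scanning mechanism; the repository and language are placeholders.

```yaml
# .github/codeql/codeql-config.yml (placeholder repository layout)
#
# Default behaviour (no config file): CodeQL runs the "default" suite,
# which contains only high-precision, high-severity queries. That is the
# developer-first mode: few false positives, some false negatives.
#
# Researcher mode: ask for the "security-extended" suite instead. It adds
# lower-precision security queries, trading extra false positives for
# fewer missed findings, which is what you want when auditing rather than
# gating a CI pipeline.
name: "Audit-oriented CodeQL configuration"

queries:
  - uses: security-extended

# Optionally keep the analysis focused on application code so that the
# extra noise from the wider suite lands where a reviewer will look.
paths:
  - src/main/java
paths-ignore:
  - src/test
```

The workflow that runs the analysis then points at this file, e.g. `with: config-file: ./.github/codeql/codeql-config.yml` on the `github/codeql-action/init` step; dropping the `queries` entry (or the whole file) returns the scan to the conservative default suite.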
In this talk, Alvaro Muñoz of the GitHub Security Lab will use Log4Shell to demonstrate CodeQL in action. He will review Log4Shell's root cause, how it manifests in code, and how it could have been discovered using CodeQL. Along the way he will discuss specific examples of what it means to operate in each of the modes mentioned above and how to configure CodeQL to better serve one's objectives, whether as a security researcher or as a developer.