Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

The talk discusses a highly scalable solution for fixing common security vulnerabilities in Open Source Software (OSS) projects by leveraging researcher knowledge through automated bulk pull request generation.

• Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes.
• The scale of GitHub and tools like CodeQL enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing.
• Automated bulk pull request generation is a highly scalable solution to leverage researcher knowledge to fix the most vulnerabilities across OSS.
• The talk covers the practical applications of this technique on real-world OSS projects and technologies like CodeQL and OpenRewrite.
• The work is sponsored by the Dan Kaminsky Fellowship, which funds open-source work that improves the security of the internet.

The speaker generated over 150 pull requests to fix the zip slip vulnerability across the open-source ecosystem, primarily in the Java ecosystem. The vulnerability was caused by the use of HTTP to resolve dependencies, which can result in an attacker compromising the artifact being downloaded. The speaker's work was done in coordination with GitHub's security lab, and they recommend that others do the same to avoid getting banned or exposing maintainers to risk. The speaker believes that as security researchers, they have an obligation to society to fix vulnerabilities and that bulk pull request generation is one of the best ways to scale their knowledge and have the highest impact.

Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere!The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.