We start with the article about “Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned” and explore its range of issues from ethics to securing huge, distributed software projects.
It’s hardly novel to point out that bad actors can try to introduce subtle, exploitable bugs. More generally, we’ve also seen the impact of package owners who unpublish their code, as with npm’s left-pad, or who transfer ownership to parties that later abuse the package’s reputation, as has happened with Chrome extensions.
So, what could have been a better research focus? In the era of more pervasive fuzzing, how much should we continue to rely on people for security code review?
Read the research paper at https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Deceptive Diffs From Subversive Submitters – ASW #148 Featuring: John Kinsella (https://www.linkedin.com/in/jlkinsel), Mike Shema (https://www.linkedin.com/in/zombie)
Full Episode Show Notes
Deceptive Diffs From Subversive Submitters
John Kinsella - Chief Architect at Accurics
Mike Shema - Product Security Lead at Square
Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 [securityweekly.com] and use the code 5U1CYBER! We hope to “see” you there!
Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, join our Discord server, and follow us on our newest live-streaming platform, Twitch!