Overview
Explore the hidden world of "shadow vulnerabilities" in open-source libraries through a 30-minute conference talk presented by security experts Guy Kaplan and Gal Elbaz. Delve into the concept of libraries that are insecure by design: their APIs behave dangerously when fed untrusted input, so the vulnerability only materializes in the projects that consume them, and it poses significant risk to organizations. Learn about a newly discovered vulnerable code pattern in a widely used open-source library and the subsequent development of a tool that analyzed over 100,000 repositories to identify and prioritize potentially vulnerable uses of it. Examine case studies of high-profile targets like Apache Cassandra, Prometheus, and PyTorch, and understand the challenges of scaling triage, validating that candidate findings are actually exploitable, and building reliable infrastructure for the scan. Gain insights into the critical remote code execution vulnerability found in Apache Cassandra and its implications for database-as-a-service providers. Discuss the responsibility gap between project owners, library owners, and users in addressing these vulnerabilities. Increase your awareness of shadow vulnerabilities and their potential impact on software security.
Syllabus
Discovering Shadow Vulnerabilities in Popular Open-Source Projects: A Journey Through Reverse-Fuzzing
Taught by
OWASP Foundation