#HITBGSEC 2017 KEYNOTE 1 - Finding Vulns And Malware In Open Source Code At Scale - Mark Curphey
Open-source has taken over the world of software and now makes up the majority of code found in everything from phones to banks. But reusable code also means reusable vulnerabilities: bad actors are increasingly exploiting vulnerabilities in open-source code and are now inserting malware upstream into libraries used by millions of developers.
Software security in an open-source world needs a fundamentally different approach to finding security issues than the traditional tools and techniques used downstream by developers or researchers. SourceClear has developed a domain-specific language called the Security Graph Language and will be open-sourcing the language specification and a reference architecture later this year so that security researchers can start hunting for bugs in open-source code at scale.
Mark Curphey will explain the growth in open-source, the vulnerabilities and malware we are seeing today, and then demo some attacks, such as web app ransomware, that we will see in the near future. With the help of Dr Asankhaya Sharma, he will then demo the Security Graph Language and live-hunt for new bugs across the Java library ecosystem.
===
I grew up in the UK, where I earned a Master's degree in Information Security specializing in cryptography. After working at investment banks in the City of London, I moved to the States in 2000 to join Internet Security Systems (now part of IBM). I ran software security at Charles Schwab, founded OWASP and joined Foundstone as an early employee, a company later sold to McAfee. After a sabbatical in France I ran the security tools team at Microsoft and the MSDN Subscriptions business before founding SourceClear in early 2014.