Skip to content
View JLLeitschuh's full-sized avatar

Sponsors

@nuvs

Organizations

@diffplug @gwizard @WPIRoboticsProjects @wpilibsuite @GradleWeaver @GitHub-Stars

Block or report JLLeitschuh

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
JLLeitschuh/README.md

ReadMe Twitter_Post Jonathan_Leitschuh DevStory

Hi There!

My name is Jonathan Leitschuh and I'm a Senior Software Security Researcher for the Open Source Security Foundation Project Alpha Omega focused on finding and reporting OSS vulnerabilities. I'm also a GitHub Star, GitHub Security Ambassador, & the was the first ever Dan Kaminsky Fellow @ HUMAN Security. I'm also a speaker at confrences like ShmooCon, BSidses CT, BSides LV, Black Hat, & DEFCON. I'm fortunate to have been featured by GitHub's README project!

If you'd like to get in touch, the best way is to DM Me on Twitter @JLLeitschuh or direct message me in the Open Source Security Foundation Slack Channel.


Hi, I'm Jonathan Leitschuh


Public Vulnerability Research

Note: The recording with the ⭐ next to them are what I beleive to be the best version of any given talk or story.

Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

Abstract

Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere!

The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.

This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

Recordings

News Coverage

Zoom 0-Day: How not to handle a Security Vulnerability Report

Abstract

Come hear the hilarious story of Zoom’s biggest security scandal, a bombshell 0-Day vulnerability, from the one who dropped it.

On July 8th, 2019, a 0-Day vulnerability was dropped on Zoom that disclosed how anyone could join a victim’s Mac to a video call simply by visiting a malicious website. As if that wasn’t enough, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. The icing on the cake? A full blown RCE vulnerability.

From Zoom’s original claims that it was “not a vulnerability”, what happened behind the scenes, to their eventual fix, join to hear what we as security professionals can learn from this debacle. The press might have covered the disclosure, but the post-disclosure story is even more astonishing than anyone would ever expect.

Animations

Recordings

News Coverage

This kinda got out of hand. 😆

Other Stuff

Pinned Loading

  1. WPIRoboticsProjects/GRIP WPIRoboticsProjects/GRIP Public

    Program for rapidly developing computer vision applications

    Java 379 107

  2. ktlint-gradle ktlint-gradle Public

    A ktlint gradle plugin

    Kotlin 1.5k 163

  3. gradle/gradle gradle/gradle Public

    Adaptable, fast automation for all

    Groovy 17k 4.8k

  4. wpilibsuite/allwpilib wpilibsuite/allwpilib Public

    Official Repository of WPILibJ and WPILibC

    C++ 1.1k 611

  5. bulk-security-pr-generator bulk-security-pr-generator Public

    Generate thousands of pull requests to fix widespread security vulnerabilities across GitHub.

    Python 34 14

  6. kotlin-guiced kotlin-guiced Public

    Convenience Kotlin API over the Google Guice DI Library

    Kotlin 18 6