
  • Hack In The Box Security Conference
  • 2024-10-27
#HITB2024BKK


Video description for #HITB2024BKK

Conversation about supply chain security has boomed since attacks such as Log4j came to the scene.

In this in-house research we scanned publicly available open-source assets (JavaScript packages, WordPress plugins and Ruby gems) for secrets that were exposed publicly, whether by mistake or deliberately, including private API keys for AWS, Google and other services (33 different types in all).

This poses a risk to anyone who uses those packages as dependencies or plugins: the chain built on not re-inventing the wheel could become the disaster that stops the wheel once and for all.

We will present our large-scale research, based on in-house scanning of:

  • Around 2 million+ NPM packages (almost all publicly available at the time of research)
  • About 60,000 WordPress plugins (almost all publicly available at the time of research)
  • Ruby gems (almost all publicly available at the time of research)

In this talk we will show the numbers and their impact, and we will also present ways to prevent such leaks, including automation you can integrate into your own CI/CD pipelines to stop such disasters from happening.
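As an added illustration of the kind of check described above (not the presenters' GemScanner.py or npm scanner, and not code from the talk), the following scans an unpacked package for a few high-confidence secret formats and returns a decision a CI/CD job can act on before publishing. The package contents and key values are constructed for the example.

```python
"""Scan the files of an unpacked package (npm tarball, WordPress plugin or
gem) for high-confidence secret patterns and decide whether a CI job should
block publication. Added illustration, not the presenters' own scanners; the
sample package below is constructed and its key values are fake."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, int]  # (path, pattern name, line number)
# Fixed-prefix credential formats are low-noise; looser heuristics such as
# "password=" are left for human review rather than failing the build.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Test and fixture paths often hold key-shaped strings on purpose: still
# reported, but not on their own a reason to block the publish step.
NON_BLOCKING_PATHS = re.compile(r"(^|/)(tests?|spec|fixtures?)/")

def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (pattern, line) hit in a single file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((path, name, lineno))
    return hits

def scan_package(files: Dict[str, str]) -> Tuple[List[Finding], bool]:
    """Scan a path -> contents mapping; return findings and a block decision."""
    findings = [h for path, text in files.items() for h in scan_text(path, text)]
    block = any(not NON_BLOCKING_PATHS.search(p) for p, _, _ in findings)
    return findings, block

# Constructed npm package: a leaked AWS key in shipped code, a fake token in a fixture.
SAMPLE_PACKAGE = {
    "package.json": '{"name": "widget", "version": "1.0.0"}',
    "lib/config.js": "module.exports = {\n  region: 'us-east-1',\n"
                     "  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',\n};\n",
    "test/fixtures/token.txt": "ghp_" + "a" * 36,
}

if __name__ == "__main__":
    found, block = scan_package(SAMPLE_PACKAGE)
    for hit in found:
        print("%s:%d %s" % (hit[0], hit[2], hit[1]))
    print("block publish:", block)
```

A real pipeline would unpack the exact artifact about to be published (the built tarball, not the source tree) and feed its files to scan_package, so that anything bundled by the build step is covered.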

===

Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years and it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.

He has also been involved in bug bounty programs, where he helped many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe and others.

  • Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
  • Served as a Moderator @ OWASP 2022 Global AppSec APAC
  • Invited to ThreatCon and Balccon as a speaker
  • Featured in "The Register" for an initial workaround for the NPM dependency attacks
  • Ex-Chapter Leader @ OWASP
  • Ex-Top Rated freelancer (Information security category) on Upwork
  • Recent security research and CVEs include CVE-2022-2848 and CVE-2022-25523
  • Certified Ethical Hacker

---

Senior security researcher and OSCP (Offensive Security Certified Professional).

  • Security researcher @ HackerOne and Bugcrowd
  • Google Security Hall of Fame, 2017
  • Twitter Security Hall of Fame, 2017
  • Microsoft Security Hall of Fame, 2017
  • Extensive research on WordPress security
  • Won HackFest CTF competition
  • Developer of GemScanner.py and an npm scanner for account hijacking
