BlackHat USA 2023 was in full swing this year – bustling hallways, packed briefings that discussed a variety of topics including Application Security, Cloud security, and AI/Data Science. Sonar was an integral part of this show. Here’s our recap of the event.
Keeping with the AI trend, AI-powered security products were everywhere this year. And DARPA picked the perfect week to announce their new AI Cyber Challenge where up to twenty teams that demonstrate the use of AI to detect and remedy flaws could win millions in prize money. Anne Neuberger, deputy national security advisor for cyber and emerging technology in the Biden administration, insisted that "Defense always has to be one step ahead" – which we strongly agree. This is especially pertinent with the volumes of code being created with generative models and how important it is to have guard rails in place to check adherence to standards.
New innovation announcement: Sonar deeper SAST
Throughout the conference, we were highly engaged in talks and demos about how security is deeply rooted in code and how important it is for organizations to focus on their codebase health for secure software delivery – a sentiment that DevSecOps leads and CISOs completely agreed.
We launched deeper SAST at the event: an innovative technology that discovers vulnerabilities created by the interaction of user code with third-party, open-source libraries. This new advanced detection addressed issues that traditional SAST tools miss by failing to follow the flow within the library code. This technology is able to understand the context and use of third-party libraries to find deeply hidden security vulnerabilities in user code – making huge strides in the depth of security analysis at the code level.
If you are interested in learning more, you can check out the full deeper SAST announcement.
Here come the Pwnies
This year again, two of our researchers were nominated to the Pwnie Awards, a community event that "recognize[s] both excellence and incompetence in the field of information security":
- Stefan Schiller in the category Best Remote Code Execution for his meticulous bug chain in Checkmk (1, 2, 3).
- Thomas Chauchefoin in the category Epic Achievement for his work on the PHP supply chain that prevented the compromise of millions of servers (1).
Both categories had strong contenders, and although we ultimately didn’t win, it was an achievement to be even nominated. The Pwnie for the Best Remote Code Execution went to Simon Scannell—an ex-SonarSourcer now Security Engineer at Google—for his findings on the open-source antivirus software ClamAV. The Epic Achievement award went to Clément Lecigne of Google TAG for burning about 33 0-days that were being actively exploited in the wild.
We really had fun during the ceremony; thanks again to the organizers and all participants!
DEF CON
Our Vulnerability Researchers stuck around for a few more days to attend one of the oldest security conferences, DEF CON – attracting over 24,000 hackers from around the world.
On the largest track of the main event, Thomas and Paul presented the latest version of their talk on the security of the code editor Visual Studio Code in which they found critical vulnerabilities. They also included the details of bugs found by other researchers over the last years to identify the most common sources of risk in this software. The security of developer tools is of the uttermost importance as they are a target of choice for threat actors to gain access to confidential source code or sensitive internal services.
Among the conclusions, they noted that despite a common belief, previous vulnerabilities in a given software component don't mean that it should now be considered secure—they mostly hint at fragile code! It proved itself true during the preparation of the talk, where two new vulnerabilities were identified. The Sonar R&D team promptly reported them to Microsoft and will share more details once a patch is available. Stay tuned to hear more about them.
DEF CON is a vibrant community meeting where many other sub-events take place. For instance, we headed to the AppSec Village for a talk from GitHub engineers on running a successful bug bounty program like theirs. There were also the top Capture the Flag competitions DEF CON Finals and Hack-a-Sat.
Takeaways
BlackHat was a great event. We are very proud of the work we launched on deeper SAST. This innovation addresses a major gap in modern SAST solutions and will help our customers deepen their security coverage against advanced attacks.
We are also happy that the so-called "Hacker Summer Camp" still attracts a broad range of profiles, from students and hobbyists to industry veterans. The most impactful presentations are not always the technical ones, and we leave Las Vegas with a lot of food for thought.
Up next, we'll be at .NET Day on August 29, at the Open Source Summit Europe on September 19, and at Hexacon later in Oct where our teams are always looking forward to meeting you and discussing everything Clean Code. See you there! 👋