Suppose you need to incorporate crypto into your application. Or you need to write a regex to validate some user input. You might end up on Stack Overflow, where you find a code snippet that you can paste into your application. And even better, it works on the first try! But is the code correct, and is the code secure? In this talk, Jamie and Sazzadur will talk about the potential hazards of copy/pasting crypto and regexes into your software.
Resources mentioned in this session:
– Slides: Coming soon
– Jamie is the maintainer of the safe-regex module on npm. More accurate super-linear regex detectors are available through the vuln-regex-detector project.
– His regex portability tools can be found in the LinguaFranca project.
– He posts “reader’s digest” summaries of his work on Medium. Here are the posts for his work on regex security and on regex portability.
– Sazzadur’s application-level cryptographic misuse detection paper can be found here.
– You can scan your Java code for cryptographic misuse using his CryptoGuard project.
If any of these tools or resources are helpful, please let us know!