Craig Young, Principal Security Researcher at Tripwire, unpacks the modern security researcher’s toolkit to reverse engineer complex designs.

Apple Podcast logo - Right to privacy

Spotify: https://open.spotify.com/show/5UDKiGLlzxhiGnd6FtvEnm
Stitcher: https://www.stitcher.com/podcast/the-tripwire-cybersecurity-podcast
RSS: https://tripwire.libsyn.com/rss
YouTube: https://www.youtube.com/playlist?list=PLgTfY3TXF9YKE9pUKp57pGSTaapTLpvC3

Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice-president of product management and strategy at Tripwire. Today, I am joined by one of our security researchers, Craig Young.

Craig Young: Thank you for having me. It’s a pleasure to be here with you.

On the Basics of Reverse Engineering

TE: Today, we’re here to talk a little bit about vulnerability discovery and vulnerability research. Can you start by just talking a little bit about what that process looks like?

CY: So, we’re talking about a situation in which a user input is not going to be handled in the way that it should have safely been handled. When we’re looking for vulnerabilities, it’s all about thinking about the different places where less trustworthy users can provide input to a system or a program and then trying to identify what types of inputs might go into this process that are going to corrupt it, cause it to give some results that were not the original intent of the developer and undermine the security of the application.

TE: When someone’s sitting behind a keyboard and typing into a form or website, but there are obviously other types of input that matter, is it strictly input coming from a user, or is that a sort of catch-all term for any types of input that a program could accept?

CY: It’s a catch-all term. Sometimes, there’s not necessarily going to be a human user, but it will be some kind of consumer or a system that’s involved with (Read more...)