An Oxymoron : Static Analysis of a Dynamic Language (Part 5)

Overcoming challenges using Code Property Graphs

From the previous post we explored the idea of applying taint flow analysis upon an untyped and asynchronous event handling paradigm.

Representing Programs

We need an appropriate representation of programs to carry out static analysis. As we ...
An Oxymoron : Static Analysis of a Dynamic Language (Part 4)

Taint Flow challenges in a world of untyped and async event handling

From the previous post we concluded that type-checking at compile-time can help enforce better practices and reduce the likelihood of vulnerabilities. Many such tools rely on static analysis to approximate ...
An Oxymoron : Static Analysis of a Dynamic Language (Part 3)

TypeScript to the rescue

From the previous post we concluded that JavaScript contains a number of features that make it a challenge to analyze and detect bugs in: JavaScript is an object-based language that uses prototype objects to model inheritance. This is ...
An Oxymoron : Static Analysis of a Dynamic Language (Part 2)

From client side JavaScript to server side NodeJs

Now that you have reached here after reading the prior post, let's switch contexts and examine the server side JavaScript landscape. JavaScript has also become increasingly popular for platforms beyond the browser, i.e. ...
An Oxymoron : Static Analysis of a Dynamic Language (Part 1)

What are the characteristics of a Dynamic Language (JavaScript)?

Benjamin Pierce classifies programming languages along two axes: whether they are safe or unsafe, and whether they are statically or dynamically checked. A safe language is a language which protects its abstractions. For instance, ...
VMWare vCenter takeover via vCloud Director (CVE-2020-3956 filed by Citadelo on June 1st, 2020)

Security researchers at Citadelo revealed an EL (Expression Language) based injection vulnerability that enabled an authenticated actor to send a malicious payload (via API calls or an intercepted web request) that led to:
- privilege escalation from “Organization Administrator” (tenant account) to “System Administrator” (hypervisor)
- cross-tenancy lateral movement
- sensitive infrastructure information disclosure
- password and credentials to further ...
How GitOps Raises the Stakes for Application Security

The rise of GitOps comes from the industry’s increased adoption of Kubernetes. As organizations and teams shift towards Kubernetes, scaling their cluster management practices becomes imperative as teams and workloads grow in size. This is where GitOps comes into the picture as it aims to bring together Git + Kubernetes ...
Patch your Tomcat and JBoss instances to protect from GhostCat vulnerability (CVE-2020-1938 and CNVD-2020-10487)

Credits: https://www.chaitin.cn/

Identified as “GhostCat” and tracked as CVE-2020-1938 / CNVD-2020-10487, the flaw could let remote attackers (without authentication) read the content of any file on a vulnerable web server (or servlet container) and obtain sensitive configuration ...
Evolving Threat series — Mining patterns to assess Insider Attacks (Part 3)

In the previous post we examined a few of the published insider attacks over the current decade. In this post we attempt to mine, extract and classify patterns associated with these threats with the intent to automate insider misuse detection methods. The article considers ...
Evolving Threat series — Insider Attacks case studies (Part 2)

In the last post we touched on the formal definition and risks associated with Insider Threats. In this post we will examine the top X insider threats that were reported over the last decade (in no particular order).

Siemens Contractor Sentenced for Writing ‘Logic Bombs’

Siemens Contractor ...