Munawar Hafiz

Champion of Intelligent Code Repair and improving DevSecOps gaps

Santa Clara, California, United States

Munawar Hafiz is the founder and head of innovations at OpenRefactory, Inc., an application security company that aims to improve the way developers write secure, reliable and compliant code. Munawar has a body of academic work on automated bug fixing that lays the foundation for OpenRefactory. He is a champion of pushing SAST bug detection tools toward better precision and of introducing code rewriting capabilities that fix bugs automatically.

Area of Expertise

  • Information & Communications Technology

Topics

  • DevOps
  • Application Security
  • Web Application Security
  • Mobile Application Management
  • Static Analysis
  • Bug Detection
  • Automated Bug Fixing
  • DevSecOps

Bridging the Security Tool Gap for Go

Go developers do not have efficient static analysis tools to detect critical security problems early in the development cycle. The commonly used "gosec" tool mostly looks for structural issues in code. This talk introduces OpenRefactory's Intelligent Code Repair (iCR) tool, which provides support for Go alongside its existing support for Java and Python. iCR finds bugs that other tools miss, finds them with dramatically fewer false warnings, and frequently synthesizes fixes for the bugs it finds. iCR fills the gap in the Go language's tool support for building secure applications. It allows development teams to operate at premium release velocity without compromising quality.

Log4Shell: Where were your bug detection tools?

Industry data suggests that static analysis (SAST) tools detect only 14% of the vulnerabilities found.

The vulnerable code that caused the Log4Shell issue was introduced as a feature in 2013. In the nearly decade-long interval since then, the popular and ubiquitous Log4j code underwent many security scans and code reviews. Sadly, none of the existing SAST tools detected it. This experience mirrors what happened with the Heartbleed bug: it was introduced into the popular OpenSSL software in 2012 and was not discovered until 2014. It, too, had gone through many bug detection efforts, but the problem remained undetected.

Why do existing bug detection tools keep falling short? What fundamental changes need to occur within current SAST technology to find the next bug before it creates the next hot mess?

Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.