Speaker

Munawar Hafiz

Champion of Intelligent Code Repair and improving DevSecOps gaps

Santa Clara, California, United States

Munawar Hafiz is a leading expert in software supply chain security and the founder of OpenRefactory, Inc. Building on a career of pioneering academic research in automated bug fixing, Munawar now focuses on providing Actionable Risk Intelligence for the modern software ecosystem. His vision is to move the industry beyond mere detection by leveraging that foundational expertise in code repair to bridge the gap between identifying risks and deploying fixes.

Area of Expertise

  • Information & Communications Technology

Topics

  • DevOps
  • Application Security
  • Web Application Security
  • mobile application management
  • Static Analysis
  • bug detection
  • automated bug fixing
  • DevSecOps

Bridging the Security Tool Gap for Go

Go developers do not have efficient static analysis tools to detect critical security problems early in the development cycle. The commonly used "gosec" tool mostly looks for structural issues in code. This talk introduces OpenRefactory's Intelligent Code Repair (iCR) tool, which adds support for Go alongside its existing support for Java and Python. iCR finds bugs that other tools miss, finds them with a dramatically low rate of false warnings, and frequently synthesizes fixes for the bugs it finds. iCR fills the gap in the Go language's tool support for building secure applications. It allows development teams to operate at premium release velocity without compromising quality.

Log4Shell: Where were your bug detection tools?

Industry data suggests that static analysis (SAST) tools detect only 14% of the vulnerabilities found.

The vulnerable code that caused the Log4Shell issue was introduced as a feature in 2013. In the nearly decade-long interval since then, the popular and ubiquitous Log4j code underwent many security scans and code reviews. Sadly, none of the existing SAST tools detected it. This experience mirrors what happened with the Heartbleed bug. It was introduced into the popular OpenSSL software in 2012 and was not discovered until 2014. It, too, had gone through many bug detection efforts, but the problem remained undetected.

Why do existing bug detection tools keep falling short? What fundamental changes need to occur within current SAST technology to find the next bug before it creates the next hot mess?
