Dominique Brezinski: A Paranoid Perspective of an Interpreted Language (English)
MP3•Episodio en casa
Manage episode 153983869 series 1109073
Contenido proporcionado por Black Hat and Jeff Moss. Todo el contenido del podcast, incluidos episodios, gráficos y descripciones de podcast, lo carga y proporciona directamente Black Hat and Jeff Moss o su socio de plataforma de podcast. Si cree que alguien está utilizando su trabajo protegido por derechos de autor sin su permiso, puede seguir el proceso descrito aquí https://es.player.fm/legal.
"Interpreted, dynamically-typed, and object-oriented languages like Ruby and Python are very good for many programming task in my opinion. Such languages have many benefits from rapid, easy development to increased security against memory allocation and manipulation related vulnerabilities. However, choice of programming language alone does not guarantee the resulting software written in the language will be free of security vulnerabilities, which is an obvious point, but the sources of the potential vulnerabilities may not be obvious at all. Ruby is an elegant and powerful language that supports concepts like reflection and meta-programming. As more developers use the powerful features, more layers of the language implementation get exposed. In the presentation, I will review several vulnerabilities found in Ruby and its standard libraries, some publicly disclosed and others reported privately to the core Ruby developers. The focus of the vulnerability review is to highlight the different levels of the language implementation that need to be audited to identify vulnerabilities for a given application based on the complexity of the language features used. Though Ruby is the example language used in the presentation, the concepts extend to most interpreted languages commonly used today. Dominique Brezinski, resident technologist at Black Hat, has spent the last few years thinking about and implementing advanced intrusion detection and response at the operating system level. His background in security spans the last decade and includes extensive experience in protocol and software vulnerability analysis, penetration testing, software research and development, and operations/incident response in large-scale computing environments. Dominique's former employers include Amazon.com, Decru, In-Q-Tel, Secure Computing Corporation, Internet Security Systems, CyberSafe, and Microsoft."
…
continue reading
14 episodios