Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 213

9 min • 17 november 2023

Overview

As we ease back into regular programming, we cover the various activities the team got up to over the past few weeks whilst away in Riga for the Ubuntu Summit and Ubuntu Engineering Sprint.

Goings on in Ubuntu Security Community

Ubuntu Security team at the Ubuntu Summit (00:48)

Andrei publishes The Open Source Fortress (01:41)

  • https://discourse.ubuntu.com/t/the-open-source-fortress-is-now-live/40183
  • Back in August, Andrei put out a call for topic suggestions for a vulnerability discovery workshop that he was putting together, with a particular focus on open source code bases
  • He presented this in a 90 minute session 2 weeks ago on the final day of the Ubuntu Summit
  • He covered a number of topics with a focus on practical application of each using dedicated tooling, e.g.:
    • Threat modelling with OWASP Threat Dragon
    • Secret scanning with Gitleaks
    • Dependency scanning with OSV-Scanner
    • Linting with Bandit and flawfinder
    • Code querying with Semgrep
    • Fuzzing with AFL++
    • Symbolic execution with KLEE
  • So not only did participants learn about a given technique, such as what fuzzing is etc, but also how they can easily apply it with standard tooling to find real world problems
  • Due to the success of the workshop, he has decided to make the contents publicly available
  • Designed to be worked through in your own time

UbuCTF at the Ubuntu Engineering Sprint (04:15)

  • Emi, Nishit, Andei, Amir and David from the team organised and held the first UbuCTF at the Engineering Sprint the week after the Ubuntu Summit
  • Organised around a story of cyber crime fighting against a criminal gang in Riga
  • 5 days, 26 challenges, 64 players
  • Challenges covered a variety of topics
    • Networking
    • Web
    • Crypto(graphy)
    • Reverse engineering
    • Pwning
    • Vulnerability Patching
  • Gave experience using tools like Wfuzz, Pwntools, cutter / rizin / radare2, Ghidra, Wireshark, insomnia and more
  • 457 flags submitted (110 correct), 47 patches submitted
  • Result was very close - won by Anton Troyanov (Senior Engineer on the MAAS team)
  • Ubuntu Security team members were barred from competing as we had previously worked on these challenges - BUT shout out to Sudhakar Verma who just joined our team only 4 weeks ago and so didn’t have any prior experience with this CTF - managed to solve every single challenge 💪💪💪

Get in contact

Kategorier
Förekommer på
00:00 -00:00