MONITORING REPOSITORIES FOR FUN AND PROFIT presented at Ruxcon 2012

by Louis Nyffenegger

Tags: Security

Summary: Most of today's tools perform code review as a snapshot of the current state of an application. However, with newer development methodologies ("agile"), this approach is less and less effective. Monitoring a repository as a living thing can give a security team a better idea of what is being fixed and what vulnerabilities are being created. We will see how some simple techniques can be used to quickly detect patches and new vulnerabilities.
Furthermore, the open-source community provides a huge number of projects that can potentially have new vulnerabilities, silent patches and other dirty secrets. We will see how it's possible to monitor a large number of projects and what metrics and information we can get from them.
This talk will mainly focus on web projects regarding the detection of issues and patches, but the methodologies can easily be applied to any project.
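The abstract does not say which "simple techniques" the talk covers, so the following is an added illustration of one obvious starting point, not code from the talk or its author: parse a commit log and flag commits whose subject line or touched paths suggest a security fix worth a human look. The log format (`git log --pretty=format:'%H|%an|%s' --name-only`), the sample commits, the keyword list and the "sensitive path" patterns are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like `git log --pretty=format:'%H|%an|%s' --name-only`.
# Not real project history.
SAMPLE_LOG = """\
a1b2c3d|alice|Add product listing page
app/views/products.php
app/controllers/ProductController.php

d4e5f6a|bob|Minor cleanup
app/views/comments.php

0badc0d|carol|Escape user input in search results
app/views/search.php

f00dfac|dave|Fix CVE-style issue: prevent SQL injection in login
app/controllers/LoginController.php
"""

# Words in commit subjects that often indicate a security fix (assumed list).
SECURITY_TERMS = [
    r"\bxss\b", r"\bcsrf\b", r"\bsql\s*injection\b", r"\binjection\b",
    r"\bescape", r"\bsanitis?z?e", r"\bvalidat", r"\bauth", r"\bcve-?\d*",
    r"\bsecurity\b", r"\bvuln", r"\boverflow\b", r"\bpath traversal\b",
]
SECURITY_RE = re.compile("|".join(SECURITY_TERMS), re.IGNORECASE)

# Paths that handle authentication, sessions or uploads in a typical web app (assumed).
SENSITIVE_PATH_RE = re.compile(r"(auth|login|session|upload|password|crypt)", re.IGNORECASE)


@dataclass
class Commit:
    sha: str
    author: str
    subject: str
    files: list = field(default_factory=list)


def parse_log(text):
    """Parse the 'sha|author|subject' + file-list format into Commit objects."""
    commits = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) == 3 and re.fullmatch(r"[0-9a-f]{7,40}", parts[0]):
            current = Commit(parts[0], parts[1], parts[2])
            commits.append(current)
        elif current is not None:
            current.files.append(line.strip())
    return commits


def classify(commit):
    """Return the set of reasons this commit merits review; empty if none."""
    reasons = set()
    if SECURITY_RE.search(commit.subject):
        reasons.add("subject")
    if any(SENSITIVE_PATH_RE.search(f) for f in commit.files):
        reasons.add("sensitive-path")
    return reasons


def flag_commits(text):
    """Return [(sha, sorted reasons)] for every commit worth a human look."""
    flagged = []
    for commit in parse_log(text):
        reasons = classify(commit)
        if reasons:
            flagged.append((commit.sha, sorted(reasons)))
    return flagged


if __name__ == "__main__":
    for sha, reasons in flag_commits(SAMPLE_LOG):
        print(sha, ", ".join(reasons))
```

On the sample, the two commits with explicit security wording are flagged, while Bob's "Minor cleanup" touching a view template is not, which is exactly the silent-patch case the abstract is about: a message-level heuristic is a cheap first filter, and a real monitor would add diff-level checks (new escaping or validation calls appearing in the patch) to catch fixes that the author did not announce.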

Louis Nyffenegger: Snyff is a French security consultant working in Melbourne. He specialises in web security and tries not to waste his time on mouse-over-click-jacking or any other ridiculous web vulnerabilities. He also enjoys playing with commercial web scanners and lolling at how shit they are. His hobbies include drinking Fat Yak, mirc32.exe, yelling at strangers and wearing Speedos.