
Tips for finding security issues in GitHub projects - geekrax
https://gist.github.com/EdOverflow/922549f610b258f459b219a32f92d10b
======
latchkey
Thanks for sharing! Seems like a company that does this as an automated
service (for private orgs/repos) would be $.

~~~
twelve40
Just have to make sure you don't get sued into oblivion by Veracode or some
other IP-obsessed dinosaur...

------
_asummers
What does the author mean about timing attacks on HMACs with Array.equals?
Does HMAC leak info and is it subject to timing attacks if you HMAC on both
sides before doing equality checks? Does he mean for e.g. session cookies?

~~~
spydum
[https://codahale.com/a-lesson-in-timing-attacks/](https://codahale.com/a-lesson-in-timing-attacks/)

~~~
_asummers
So okay, if you're using HMAC where the user can provide the HMAC, this would
be an issue (like session cookies), but if the user can only provide the preimage
(as in e.g. encrypting a database column and wanting lookup) then this wouldn't
be an issue, I don't think.

~~~
bitexploder
Yes. In situations where a hash is modifiable by the user and you do string
comparison the issue exists. It isn't solely a problem for MACs.

------
reconbot
Some of the links are bad but this is a great list of things to keep in mind
when seeing where your work is with regards to security.

