Hacker News new | comments | show | ask | jobs | submit login
Tips for finding security issues in GitHub projects (gist.github.com)
115 points by geekrax 11 months ago | hide | past | web | favorite | 7 comments

Thanks for sharing! Seems like a company that does this as an automated service (for private orgs/repos) would be $.

Just have to make sure you don't get sued into oblivion by Veracode or some other IP-obsessed dinosaur...

What does the author mean about timing attacks on HMACs with Array.equals? Does HMAC leak info and is it subject to timing attacks if you HMAC on both sides before doing equality checks? Does he mean for e.g. session cookies?

So okay, if you're using HMAC where the user can provide the HMAC, this would be an issue (like session cookies), but it the user can only provide preimage (as in e.g. encrypting database column and wanting lookup) then this wouldn't be an issue, I don't think.

Yes. In situations where a hash is modifiable by the user and you do string comparison the issue exists. It isn't solely a problem for MACs.

Some of the links are bad but this is a great list of things to keep in mind when seeing where your work is with regards to security.

Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact