Episode from the podcast AppSec Builders

Solving Race Condition Vulnerabilities with Tanya Janca

Released Wednesday, 14th October 2020
In our inaugural episode, we sit down with Tanya Janca, founder of We Hack Purple, to discuss her experience finding and fixing race condition vulnerabilities during her career as both a software engineer and an application security professional. We talk through the most common types of race conditions, review a few real-world hacks and vulnerabilities, and present actionable steps security and technology teams can take to solve this class of vulnerability.
About our Guest:
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.
Founder: We Hack Purple (Academy, Community and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday
About the vulnerabilities discussed:
The Starbucks infinite credit race condition: https://www.schneier.com/blog/archives/2015/05/rac…
The GitLab ‘merge any pull request’ race condition: https://www.cvedetails.com/cve/CVE-2019-11546/
The Dirty COW vulnerability: https://dirtycow.ninja/ with the research paper: http://www.iiisci.org/journal/CV$/sci/pdfs/SA025BU…
The spurious #DB exception race condition, impacting all major operating systems: https://www.triplefault.io/2018/05/spurious-db-exc…
Tools discussed:
Safe Rust race condition guarantees: https://doc.rust-lang.org/nomicon/races.html#data-…
Go race detector: https://blog.golang.org/race-detector
Testing race conditions on REST APIs: https://github.com/TheHackerDev/race-the-web
Links for Tanya:
Tanya's book Alice and Bob Learn Application Security: https://www.amazon.com/dp/1119687357/
https://shehackspurple.ca/
https://twitter.com/shehackspurple
https://www.youtube.com/shehackspurple
https://dev.to/shehackspurple
https://medium.com/@shehackspurple
https://www.twitch.tv/shehackspurple
https://www.linkedin.com/in/tanya-janca
https://github.com/shehackspurple/
https://www.slideshare.net/TanyaJanca/
Tanya mentioned she’s also a professional musician; you can find her...