Director, Cyber Security at Laburity
7 talks delivered, 5 events spoken at, 5 countries visited, 4 years speaking, 7 total talks given.
Danish Tariq is a Security Engineer by profession and a security researcher by passion. He has worked in cyber security for over 8 years; it all started in his teenage years out of a curiosity to break things, physical or virtual, and look deep inside them. His main expertise is penetration testing and vulnerability assessment.
He has also taken part in bug bounty programs, helping many companies by finding vulnerabilities at different levels; these include Microsoft, Apple, Nokia, BlackBerry and Adobe.
Recent security research and CVEs include CVE-2022-2848 and CVE-2022-25523.
Served as a moderator at OWASP 2022 Global AppSec APAC.
Researcher and speaker at MCTTP (Germany), HITB (Thailand), OOTB (Indonesia) and many more.
Supply chain security has become a hot topic since attacks like Log4j came onto the scene.
In this in-house research, we examined publicly available open-source assets (JS packages, WordPress plugins and Ruby gems) to find secrets that were exposed publicly, whether by mistake or deliberately, including private API keys for services such as AWS and Google (33 different secret types!).
This poses a risk to anyone using those packages as dependencies or plugins: the dependency chain that spares us from reinventing the wheel could become the disaster that stops the wheel once and for all.
We would be presenting our research, conducted at large scale after in-house scanning of:
In this talk we would demonstrate the numbers and the impact to the audience, and we would also provide ways to prevent this, including automation to integrate into your own CI/CD pipelines so such disasters do not happen.
In this session, we will be discussing two of our prominent tools that have emerged from extensive research and development in the cybersecurity space - Seekrets and our open-source NPM Account Takeover Detector.
The leakage of secrets in code or packages is another critical security concern. When sensitive information, such as private keys or credentials, is exposed in code, it can lead to unauthorized access to systems, data breaches, or the compromise of entire applications. This type of vulnerability can have long-lasting consequences, including financial losses and damage to customer trust.
Seekrets is a secret scanning tool that we developed to help organizations safeguard their codebases. During our previous research we identified a serious problem: secrets such as private API tokens, passwords and other sensitive information being leaked within popular ecosystems and platforms like NPM, JS, Ruby and WordPress. This issue was a focal point of our talks at conferences such as Black Hat, HITB and MCTTP.
Seekrets was created to help tackle this issue by scanning codebases for over 33 different types of secret leakage. The tool can scan any NPM package, a codebase in a ZIP file, or a package.json for sensitive data exposure. We will showcase the tool's functionality, share our research statistics and discuss its practical benefits.
Our open-source NPM account takeover detector on the other hand is a tool designed to address vulnerabilities in the NPM ecosystem. We've worked extensively on identifying and mitigating NPM account takeover risks, which were featured at major conferences like Black Hat. This tool is built to integrate into CI/CD pipelines, allowing developers to check whether the NPM packages they're using are vulnerable to account takeover. The open-source nature of the tool ensures it is freely available for anyone to use, making it an accessible solution to this pressing issue. During the presentation, we'll demonstrate how the tool works, the problem it addresses, and provide insights from our research.
The impact of NPM account takeover through domain expiration can be significant. A domain expiration allows attackers to gain control over a package's publishing rights, leading to potential malicious code injections, which can harm both developers and users relying on these packages. This can cause data breaches, loss of reputation, and widespread exploitation of the affected software.
Supply chain security has become a hot topic since attacks like Log4j came onto the scene. In this in-house research, we examined publicly available open-source assets (JS packages, WordPress plugins and Ruby gems) to find secrets that were exposed publicly, whether by mistake or deliberately, including private API keys for services such as AWS and Google (33 different secret types!).
This poses a risk to anyone using those packages as dependencies or plugins: the dependency chain that spares us from reinventing the wheel could become the disaster that stops the wheel once and for all. We are presenting our research, conducted at large scale after in-house scanning of:
- Around 2 Million+ NPM Packages. (almost all publicly available at the time of research)
- About 60,000 WordPress Plugins. (almost all publicly available at the time of research)
- Ruby Gems (almost all publicly available at the time of research)
We will demonstrate the numbers and the impact, and will provide ways to prevent this, including automation to integrate into your own CI/CD pipelines so such disasters do not happen.
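As an added illustration of the CI/CD automation the abstract proposes (this is example code written for this page, not Seekrets or any other tool by the speaker, whose detector rules the page does not show), here is a minimal secret scanner: a few detector regexes run over a package tree, findings reported with a redacted preview, and a non-zero exit so the pipeline job fails on a hit. The detector list and the sample package files are constructed for the example.

```python
import os
import re
import sys

# Constructed detector set for the example; a real scanner carries many more
# (the talk mentions 33 types). Patterns target key formats, not generic strings.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
SKIP_DIRS = {"node_modules", ".git"}  # vendored trees are scanned as their own packages


def scan_text(path, text):
    """Return (path, line_no, detector_name, redacted_preview) for every hit in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in DETECTORS.items():
            for m in rx.finditer(line):
                hits.append((path, line_no, name, m.group(0)[:6] + "..."))  # never log the full secret
    return hits


def scan_tree(root):
    """Walk an unpacked package (or any codebase) and scan every readable file."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue  # unreadable file; skipping is safer than crashing the job
    return hits


# Constructed sample package: one leaked Google-style key in package.json and
# the AWS documentation example access key ID (not a live credential) in a source file.
SAMPLE_PACKAGE = {
    "package.json": '{"name": "demo", "version": "1.0.0", "config": {"apiKey": "AIzaSy' + "A" * 33 + '"}}',
    "lib/upload.js": 'const id = "AKIAIOSFODNN7EXAMPLE"; // AWS docs example key',
    "README.md": "No secrets here.",
}


def scan_sample():
    hits = []
    for path, text in SAMPLE_PACKAGE.items():
        hits.extend(scan_text(path, text))
    return hits


if __name__ == "__main__":
    findings = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for path, line_no, name, preview in findings:
        print(f"{path}:{line_no}: {name} ({preview})")
    sys.exit(1 if findings else 0)  # non-zero exit fails the CI job when a secret is found
```

Run it with a path argument in a CI step (for example against the unpacked contents of `npm pack`) and gate the publish step on its exit code.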
Supply chain security has become a hot topic since attacks like Log4Shell came onto the scene.
In this in-house research, we examined publicly available open-source assets (JS packages, Python packages and WordPress plugins) to find secrets that were exposed publicly, whether by mistake or deliberately, including private API keys for services such as AWS and Google.
This poses a risk to anyone using those packages as dependencies or plugins: the dependency chain that spares us from reinventing the wheel could become the disaster that stops the wheel once and for all.