...How do you go about fully understanding what cryptography you have, how it is used and if it's good or bad? This was the question we started to ask ourselves and set about trying to answer using static analysis tools such as GitHub's CodeQL.
Given how we all rely heavily on open-source projects, we set about scanning the top 1000 GitHub open-source projects to identify insecure cryptographic algorithms. We used GitHub's CodeQL multi-repository variant analysis to build a cryptographic bill of materials (CBOM) for each project. The CBOM will list all of the cryptographic algorithms that are used in the project, as well as their security status, and more importantly, help us identify all of the places where insecure cryptographic algorithms are used in the projects....
By: Mark Carney , Daniel Cuthbert , Niroshan Rajadurai , Benjamin Rodes
Full Abstract and Presentation Materials:
www.blackhat.com/eu-23/briefi...