Trail of Bits

Computer and Network Security

Brooklyn, New York 7,474 followers

Deepening the Science of Security

About us

Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.

Website
https://www.trailofbits.com
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Brooklyn, New York
Type
Privately Held
Founded
2012
Specialties
software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, blockchain, and Application Security

Updates

  • Trail of Bits

    If you missed our Burp Suite Webinar with James Kettle or want to rewatch it:
    📺 Recording: https://buff.ly/4d70ZYr
    📄 Slides: https://buff.ly/3A38wJc
    We covered many topics about Burp Suite, including underutilized features, best techniques, how to optimize your setup, and so much more! ➕ We had an excellent Q&A session where we answered all your hot topic questions like:
    ❓ Any plans to integrate GPT in the scanner?
    ❓ Any Burp tool to test for complex XSS flows?
    ❓ What is the best way to test for web cache deception attacks?

  • Trail of Bits reposted this

    Carter Miller, Senior Technical Recruiter, Cyber Security at Trail of Bits

    It's been a couple of years, but I'll be attending DEFCON for the third time next week in Vegas! If you are attending as well and would like to meet up to talk all things cyber or the cool work we are doing at Trail of Bits, send me a DM or text. The Trail of Bits team will also compete in AIxCC from the 9th to the 11th, showcasing the Cyber Reasoning System we developed! Best of luck to all the participating teams. Also, our very own ML/AI Security Engineer, Suha S. Hussain, will present her talk "Incubated Machine Learning Exploits: Backdooring ML Pipelines Using Input-Handling Bugs" in the Main Track on Sunday, so make sure to check it out! Looking forward to seeing everyone next week!

  • Trail of Bits reposted this

    OXORIO

    We want to share some highlights from #Web3SecSummit where Petr Korolev led a security panel discussion with 4 industry leaders. We discussed:
    • The boundaries of applicability for each method
    • How clients should decide what needs to be done for their projects
    • The bottlenecks in these approaches
    Panel participants included:
    Josselin Feist from Trail of Bits - Representing one of the strongest teams in the industry, thank you Josselin for sharing your deep expertise on the intricacies of fuzzing, offering invaluable insights!
    Josef Gattermayer from Ackee Blockchain Security - Pushing the boundaries of security, Josef is dedicated to advancing fuzzing algorithms and integrating them with traditional audits for comprehensive solutions.
    Raoul S. from Runtime Verification Inc - Bridging the gap between fuzzing and formal verification, Raoul combines the best of both worlds to develop robust security solutions.
    Mooly Sagiv from Certora - An OG in the formal verification field, Mooly is renowned for his critical perspective and pioneering contributions to the approach, which we find very impressive!
    Thank you to everyone who made this conversation possible, really grateful for the opportunity to connect with like-minded experts and talk about the things that truly matter for our work! #web3 #security #panel

  • Trail of Bits

    Homebrew, the missing package manager for macOS, produces the binaries that millions of users download daily. Last summer, we completed an audit of Homebrew’s CI/CD pipeline and brew. Our audit revealed some non-critical issues that could have allowed attackers to load executable code unexpectedly and modify binary builds. By addressing these vulnerabilities, we help maintain the trust and reliability that Homebrew users depend on daily. This audit was sponsored by the Open Tech Fund as part of their mission to secure vital internet infrastructure. We collaborated closely with the Homebrew maintainers, whose expertise was invaluable throughout the process. Check out our blog for a deep dive into our findings:

    Our audit of Homebrew

    http://blog.trailofbits.com

  • Trail of Bits

    We're hiring on our Blockchain team!
    Open Positions:
    Security Engineer II, Blockchain https://buff.ly/3Wu0nGo
    Senior Security Engineer, Blockchain https://buff.ly/3WoTYMN
    ⚒️ What You'll Do:
    Review blockchain code & smart contracts for vulnerabilities
    Advise clients on robust security practices
    Develop and enhance tools like Slither, Echidna & Medusa
    Lead innovative blockchain security research
    🌟 Why Trail of Bits:
    Empowered Living: Competitive salary, performance-based bonuses, fully-paid insurance, 401(k) match, and flexible vacation.
    Nurturing New Beginnings: Parental leave and relocation assistance.
    Work & Life Enrichment: Home office stipend, learning & development budget, and company-sponsored celebrations.
    And more!

    Trail of Bits | Careers

    trailofbits.com

  • Trail of Bits

    One of our Trail of Bits blockchain engineers asked our cryptography team 10 key questions to uncover some of the mysteries behind the field. In this comprehensive blog, our experts explore the intricacies of polynomial commitment schemes, explore the security nuances of elliptic curve cryptography, and shed light on advanced topics like fully homomorphic encryption and zero-knowledge proofs. Whether you're looking to understand the fundamentals or seeking insights into the latest cryptographic techniques, this blog is a must-read for anyone in the cybersecurity or blockchain space. Here are the questions:
    1. Can you outline the most common commitment schemes employed for SNARKs?
    2. Hashing is ubiquitous, yet few people grasp its inner workings. Can you clarify popular constructions (e.g., MD, Sponge) and highlight their differences?
    3. Elliptic curve cryptography (ECC) is even more enigmatic and considered a major “black box” in cryptography. Numerous pitfalls and technical attacks exist. Can you shed light on some theoretical assaults on elliptic curves, like Weil descent and the MOV attack?
    4. As technology ramps up and the threat of quantum computers looms over us, efforts have been made to create post-quantum cryptosystems, like lattice-based cryptography and isogeny-based cryptography. Could you provide an overview of these systems?
    5. The Fiat-Shamir heuristic is widely used throughout the field of interactive oracle proofs. What are some interesting things to note about this heuristic and its theoretical security?
    6. There have recently been notable advancements in the PLONK Interactive Oracle Proof system. Could you elaborate on what’s being improved and how?
    7. We often hear about zkEVMs and projects building them, like Scroll, Polygon, and zkSync. Can you explain the various design decisions involved in building one? (Type 1/2/3, etc.)
    8. We currently have zkEVMs in production, with Scroll, zkSync, and Polygon having mainnet deployments. How many more improvements can we make to these zkEVMs to unlock consumer-grade proving/verification?
    9. Can you discuss secret sharing schemes like Shamir’s secret sharing, their potential use cases, and common mistakes you’ve observed?
    10. Folding schemes for recursive proofs have become really popular lately. Could you give a rough summary on how they work?

    Our crypto experts answer 10 key questions

    http://blog.trailofbits.com
