Skip to main content

Ming Yi Ang

Ming is a security researcher who is passionate about building security automation tools to aid the discovery of various security issues. Through the discovery from the tools, he has since made contributions to various open-source projects by responsibly disclosing the vulnerability findings he encounters from his research.

Posts by Ming Yi Ang
  • Discovering Malicious Packages Published on npm

    Sightings of malicious packages on popular open source repositories (such as npm and RubyGems) have become increasingly common: just this year, there have been several reported incidents. This method of attack is frighteningly effective given the widespread reach of popular packages, so we've started looking into ways to discover malicious packages to hopefully preempt such threats. The problem… READ MORE

Stay up to date on Application Security

  • Do you trust your builds, or build what you trust?

    We gave a talk on detecting malicious builds with Build Inspector, Do you trust your builds, or build what you trust?, at Null Singapore a week ago. In this blog post, we provide a summary of the talk which involves describing the dangers of trusting Open-Source and the steps you can take to detect these threats. Pretext The rapid increase of Open-Source Library Growth is seen in the past few… READ MORE

  • How we found exploitable zero-days in the open-source GlassFish server with the Security Graph Language

    We have long had a thesis that when free open-source software projects are forked into commercial versions, then the free open-source version no longer gets the same subsequent level of security updates as the commercial version. Phrased into a question, are the free versions of open-source core products left out in the cold? Earlier this year we were asked by a customer if we could apply our… READ MORE

  • Un-patched for months, could Cisco 0-day lead to another round of WannaCry? - SourceClear

    For the last few weeks, we all got our ears torn out by story after story of WannaCry this, WannaCry that. Yet, not long ago, there was a similar exploit - Cisco 0-Day, CVE-2017-3881 - whose impact could have caused a similar outcry had it been more successful. We highlight the initial similarities between Cisco 0-Day and EternalBlue - the exploit that fueled WannaCry - but note the differences… READ MORE

  • Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think

    Four weeks ago, we blogged about the issue with Rails' built-in anti-CSRF mechanism, protect_from_forgery, where we calculated that over 50,000 Ruby developers were impacted by Cross-site Request Forgery (CSRF) attacks. Recap The default configuration for Rails' ActionController::Base does not automatically include the anti-CSRF mechanism, protect_from_forgery. There is an open PR in Rails made… READ MORE

  • Over 50,000 Ruby developers impacted by CSRF attacks

    There's been some buzz recently about protect_from_forgery, Rails' built-in anti-CSRF mechanism, and how it's not secure by default. Having found, evaluated, disclosed, and tried to fix issues with it in the past, we decided to perform a thorough evaluation of how severe the problem was. A slice of RubyGems The first step was to identify the relevant segment of RubyGems. We've discussed the risks… READ MORE

  • Millions of program builds vulnerable to Man-in-the-Middle attacks

    According to a blog post made on 18f, it is a standard to ensure all federal websites and web services to serve only via secured connections (HTTPS). Yet in its recent study, about 6.1% of the domains do not have HTTPS enabled. Package managers have, in the past, deprecate certain commands/features that defaults to HTTP. RubyGems has deprecated source :rubygems in Gemfile due to the insecurity of… READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.