Trail of Bits

Computer and Network Security

Brooklyn, New York 8,092 followers

Deepening the Science of Security

About us

Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.

Website
https://www.trailofbits.com
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Brooklyn, New York
Type
Privately Held
Founded
2012
Specialties
software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, and application security

Updates

  • Trail of Bits reposted this

    Semgrep · 8,887 followers

    “At Semgrep, we are thrilled to partner with Trail of Bits, whose rigorous approach to security engineering and research directly complements our focus on embedding secure coding practices within the development pipeline. Their expertise in identifying and mitigating vulnerabilities aligns with our efforts to provide precise and actionable guardrails, enabling teams to produce secure software by design.” - Daghan Altas, CRO, Semgrep

    Check out this blog featuring our partnership with Trail of Bits → https://lnkd.in/gVuD2f9w

    #appsec #secureguardrails #partnership #security

  • Trail of Bits · 8,092 followers

    We're announcing a new partnership with Semgrep to promote secure-by-design practices in application security. 🚀 This collaboration will:
    - Accelerate delivery of advanced Semgrep features to clients
    - Enhance vulnerability detection and mitigation
    - Combine our security expertise with Semgrep's static analysis capabilities

    🔗 Learn more: https://lnkd.in/gVuD2f9w

    📚 Our general Semgrep resources:
    - The Trail of Bits Testing Handbook: Semgrep Chapter https://lnkd.in/g8suSTHu
    - Introduction to Semgrep webinar https://lnkd.in/gJtY2DiG
    - How to introduce Semgrep to your organization https://lnkd.in/d3ECRPws

    🔍 Beyond Semgrep: We employ and train security teams on a comprehensive suite of testing methodologies. Contact us to learn how we can strengthen your overall security strategy. https://lnkd.in/gtv5JYTb

  • Trail of Bits reposted this

    Kevin Hanaford, Head of Security & Trust Engineering @ Discord

    Today is a big day for Discord as we roll out our end-to-end encryption protocol for voice and video calls! Privacy is an essential component of feeling secure, as is transparency about how we've implemented E2EE in Discord. We partnered with Trail of Bits to audit our design and implementation of E2EE, and you can view those publications below. A huge congratulations goes out to the team for all their hard work to make end-to-end encryption for Discord voice and video calls a reality.
    Discord blog: https://lnkd.in/g8XAumQK
    Trail of Bits design review: https://lnkd.in/gk42YqTg
    Trail of Bits code review: https://lnkd.in/gsiairyT

    Meet DAVE: Discord’s New End-to-End Encryption for Audio & Video (discord.com)

  • Trail of Bits · 8,092 followers

    We've expanded our Trail of Bits Testing Handbook with a new chapter on cryptographic testing, covering Wycheproof and constant-time analysis tooling. Essential reading for security professionals working with cryptographic implementations. 📖 https://lnkd.in/gdW7yW9t

    Wycheproof, a comprehensive test vector collection, helps verify cryptographic algorithm implementations against known vulnerabilities and has been used to find dozens of cryptographic vulnerabilities. Our chapter details its structure and practical application in testing harnesses.

    Constant-time cryptography is an essential part of software security, and dozens of tools can be hard to navigate. Our new section breaks down formal, symbolic, dynamic, and statistical tools. Use these tools in your crypto code to learn how to detect and mitigate timing side channels.

    Our handbook now offers in-depth coverage of static analysis, web app security, fuzzing, and cryptographic testing. It's a vital resource for security engineers looking to enhance their application security practices. Stay tuned for new fuzzing sections, set to release next week. We'll explore language-specific security considerations and best practices for Ruby and Python developers.

    Cryptographic testing (appsec.guide)

  • Trail of Bits · 8,092 followers

    *Accidental* cryptographic nonce reuse can compromise even otherwise-robust systems. Our blog uncovers subtle vulnerabilities in bidirectional encrypted channels and threshold signature schemes.

    What we found:
    - Global nonce counters may not prevent reuse across multiple parties
    - Bidirectional channels require careful key and nonce management
    - If two parties can send messages with the same nonce, this can leak authentication keys, allowing an eavesdropper to tamper with later messages

    We recommend using separate keys for each communication direction and leveraging established protocols like the Noise Framework. Cryptosystem security often hinges on seemingly minor implementation details. Robust nonce management is crucial for maintaining the integrity of encrypted communications. As the complexity of cryptographic systems grows, so does the importance of thorough security reviews. https://lnkd.in/gcCVhHvk

    Friends don’t let friends reuse nonces (http://blog.trailofbits.com)

  • Trail of Bits · 8,092 followers

    We're pleased to share the results of our recent comparative security assessment on authorization and access management policy languages: Cedar, Rego, and the OpenFGA modeling language. Our comparative language security analysis focused on:
    * Creating a threat model that broadly applies to deployments of access management policy languages
    * Determining the features of the evaluated languages that mitigate or worsen these threats
    * Assessing the mitigation maturity of the evaluated languages with respect to the threat scenarios identified in our threat model
    * Exploring these threat scenarios and language features within the context of common policy language deployment scenarios

    This AWS-sponsored assessment provides security recommendations for policy language design and offers insights for language designers and software developers using these languages for applications running in the cloud and all other environments.

    publications/reports/Policy_Language_Security_Comparison_and_TM.pdf at master · trailofbits/publications (github.com)

  • Trail of Bits reposted this

    Carter Miller, Senior Technical Recruiter, Cyber Security at Trail of Bits

    It's back!! We are excited to launch our Winternship program again, which offers students a unique opportunity to contribute to cutting-edge cybersecurity projects during their academic breaks.

    How it works:
    - Propose a project or choose to work with one of our teams
    - Spend 3-6 weeks working on it
    - Publish it
    - Get paid $2,500!

    Trail of Bits is one of only a few security companies that offers this kind of opportunity for entry into real-world work! This is an awesome opportunity to work with the leader in software security with the most well-respected security researchers in the industry. Explore our past internship projects and our Winternship episode on our podcast at the links below to get a glimpse of the cool work past winterns have done! Apply at the link below and if you would like to learn more about the opportunity, feel free to DM me!
    Podcast: https://lnkd.in/dDVjbSk4
    Blog: https://lnkd.in/dZn3jb8Z
    https://lnkd.in/dmkmwiPK

    Winternships - Trail of Bits (apply.workable.com)
