Ming Yi Ang

Ming is a security researcher who is passionate about building security automation tools to aid the discovery of security issues. Using the findings from those tools, he has contributed to various open-source projects by responsibly disclosing the vulnerabilities he encounters in his research.

Posts by Ming Yi Ang
  • Discovering Malicious Packages…
    | By Ming Yi Ang

    Sightings of malicious packages on popular open source repositories (such as npm and RubyGems) have become increasingly common: just this year, there have been several reported incidents. This method of attack is frighteningly effective given the widespread reach of popular packages, so we've…

  • How we found exploitable zero-days in…
    | By Ming Yi Ang

    We have long had a thesis that when free open-source software projects are forked into commercial versions, the free open-source version no longer receives the same level of subsequent security updates as the commercial version. Phrased as a question: are the free versions of open-source core…

  • Un-patched for months, could Cisco 0-…
    | By Ming Yi Ang

    For the last few weeks, we have all had our ears worn out by story after story of WannaCry this, WannaCry that. Yet, not long ago, there was a similar exploit, the Cisco 0-day CVE-2017-3881, whose impact could have caused a similar outcry had it been more successful. We highlight the initial similarities…

  • Rails GEMS Vulnerable to CSRF Show…
    | By Ming Yi Ang

    Four weeks ago, we blogged about the issue with Rails' built-in anti-CSRF mechanism, protect_from_forgery, where we calculated that over 50,000 Ruby developers were exposed to Cross-site Request Forgery (CSRF) attacks. Recap: the default configuration for Rails' ActionController::Base does not…

  • Over 50,000 Ruby developers impacted by…
    | By Ming Yi Ang

    There's been some buzz recently about protect_from_forgery, Rails' built-in anti-CSRF mechanism, and how it's not secure by default. Having found, evaluated, disclosed, and tried to fix issues with it in the past, we decided to perform a thorough evaluation of how severe the problem was. A slice of…

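    As an added illustration for the two protect_from_forgery posts above (this is example code written for this page, not code from the posts and not Rails' own implementation), the standalone Ruby below models how a Rails-style masked authenticity token is issued and verified, and contrasts the three states a controller can end up in: no protection at all, protect_from_forgery with its default :null_session mode, and protect_from_forgery with: :exception. The token layout, helper names, and the toy transfer action are assumptions made for the example; the session is a plain Hash.

```ruby
require 'securerandom'
require 'base64'

# Illustrative model of a Rails-style masked CSRF token (assumption: 32-byte
# raw token, masked as one-time pad || pad XOR token, Base64-encoded).
# Not Rails' implementation; written for this page.
TOKEN_LENGTH = 32

class InvalidAuthenticityToken < StandardError; end

# The raw token lives in the session and is created lazily on first use.
def real_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Each form gets a freshly masked copy, so the per-request value differs
# while still unmasking to the same session token.
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_token(session)))
end

# Length-checked, constant-time comparison (no early exit on first mismatch).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unmask the submitted token and compare it with the session token.
# Malformed or missing input never raises; it is simply invalid.
def valid_token?(session, submitted)
  return false unless submitted.is_a?(String)
  decoded = Base64.strict_decode64(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), real_token(session))
rescue ArgumentError
  false
end

# Toy state-changing action: only a logged-in session may transfer.
def transfer_action(session)
  return { status: 401, session: session } unless session[:user_id]
  { status: 200, session: session }
end

# Dispatch a POST under one of three protection modes (assumed names):
#   :none         - ActionController::Base with nothing configured
#   :null_session - protect_from_forgery with no `with:` option
#   :exception    - protect_from_forgery with: :exception
# A forged request carries no valid token. Under :none it runs with the
# victim's session; under :null_session it still runs, just with an emptied
# session (an action that does not depend on the session still executes);
# only :exception stops it before the action.
def transfer(session, params, mode)
  ok = valid_token?(session, params[:authenticity_token])
  case mode
  when :none
    transfer_action(session)
  when :null_session
    transfer_action(ok ? session : {})
  when :exception
    raise InvalidAuthenticityToken unless ok
    transfer_action(session)
  else
    raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end
```

    The usage is the constructed scenario in the test: a victim session `{ user_id: 42 }`, a forged POST without a token, and a legitimate POST carrying a token obtained from `masked_token`. Two masked copies of the same session token both verify, garbage and nil both fail without raising, and only the :exception mode turns the forged request into an error rather than letting the action run.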
  • Millions of program builds vulnerable…
    | By Ming Yi Ang

    According to a blog post on 18F, the standard is that all federal websites and web services are served only over secure connections (HTTPS). Yet in its recent study, about 6.1% of the domains did not have HTTPS enabled. Package managers have, in the past, deprecated certain commands/features…
