Hacking Upstream: Finding a 0-Day in an OpenSSH Key Parser Library
The text discusses the difference between application security and software supply chain security in the context of a DevOps process. It uses an example in which the author needed a library to parse OpenSSH keys for their free secret scanning service, which led them to conduct an in-depth security review of openssh_key_parser. The author explains how they used static analysis and fuzzing tools to guide manual code review, ultimately discovering a vulnerability that could lead to key leakage if exploited by an attacker who can modify the first field length in the key file or read exception logs. The text emphasizes the importance of exercising due care in maintaining open source software and the need for better ways to secure the software supply chain.
Company: Arnica
Date published: July 6, 2022
Author(s): Mike Doyle
Word count: 2826
Language: English
Hacker News points: 2