Securing low-level code: NGINX rift
Hosted by Kal Ramkumar
Finding vulnerabilities in low-level code (C, C++, and beyond) is uniquely hard, and that code remains a major, under-defended attack surface. In this live session, Kal and Leo will walk through how depthfirst's automated detection techniques surface real, remotely exploitable issues in low-level code at scale.
As a concrete example, we'll share a full technical breakdown of a critical heap buffer overflow vulnerability in NGINX, one of the world's most widely deployed web servers. You'll see how depthfirst's vulnerability discovery team uncovered it, analyzed its exploitability, and drove it through remediation.
We'll cover the full arc, from discovery to exploitability analysis to remediation, and what it looks like when that entire loop runs at machine speed.
What you’ll learn
- Why low-level languages like C remain a rich, under-explored attack surface, and how automated analysis changes that
- How depthfirst built a purpose-built scanner to identify vulnerabilities in low-level languages
- How depthfirst found a high-severity, remotely exploitable heap overflow in NGINX's URI rewrite logic
- How depthfirst assesses real exploitability, and the validation methods we use to surface what is actually worth fixing
- How remediation flows directly into developer workflows once a vulnerability is confirmed
Who should attend
- AppSec professionals and security engineers
- CISOs and technical security leaders assessing supply-chain and infrastructure risk
- Anyone responsible for applications running on NGINX
- Security professionals interested in AI-driven vulnerability detection and exploitability analysis