Tips for finding security issues in GitHub projects

115 points by geekrax, over 7 years ago

3 comments

latchkey, over 7 years ago
Thanks for sharing! Seems like a company that does this as an automated service (for private orgs/repos) would be $.
_asummers, over 7 years ago
What does the author mean about timing attacks on HMACs with Array.equals? Does HMAC leak info and is it subject to timing attacks if you HMAC on both sides before doing equality checks? Does he mean for e.g. session cookies?
reconbot, over 7 years ago
Some of the links are bad but this is a great list of things to keep in mind when seeing where your work is with regards to security.