Stranger Danger - Finding vulnerabilities before they find you - Liran Tal 2021
0 likes•40 views
The document discusses finding security vulnerabilities in open source software before attackers can exploit them. It notes that open source packages often have dependencies with vulnerabilities and that vulnerabilities in popular packages can affect many users. It advocates for making security easier and more developer-friendly to integrate into the development process. It also provides best practices for open source maintainers such as having a responsible disclosure policy, scanning for vulnerabilities, and promptly releasing security fixes.
Stranger Danger - Finding vulnerabilities before they find you - Liran Tal 2021
- 1. Finding Security Vulnerabilities Before They Find You! Stranger Danger @liran_tal
- 2. Fun
- 4. Fun + T-Shirt + Stickers
- 5. Node.js Security WG Liran Tal OWASP NodeGoat author of Essential Node.js Security & O’Reilly’s Serverless Security Developer Advocate @liran_tal
- 9. @liran_tal How much do you really know about your dependencies ?
- 10. @liran_tal “Dependency on China and other adversary countries for some of our most critical supply chains threatens to undermine the trustworthiness of critical technologies and components that constitute and connect to cyberspace.” source: https://www.solarium.gov/public-communications/supply-chain-white-paper ● Protecting supply chains from compromise ● Establishing a Center for Open-Source Software Security
- 12. @liran_tal
- 15. @liran_tal some popular packages reach more than 100,000
- 19. @liran_tal
- 21. @liran_tal Jan 2015 rimrafall Jan 2017 crossenv May 2018 getcookies Jul 2018 eslint-scope Nov 2018 event-stream
- 22. @liran_tal May 2018 getcookies Parse HTTP headers for cookie data
- 23. @liran_tal May 2018 getcookies Parse HTTP headers for cookie data or does it...?
- 24. @liran_tal
- 25. @liran_tal
- 28. @liran_tal sequelize SQL injection vulnerability 428,791 weekly downloads Fixed in 5.15.1 (August 2019) source: https://snyk.io/vuln/npm:sequelize
- 29. @liran_tal yarn MiTM security vulnerability 992,512 weekly downloads Fixed in 1.17.3 (July 2019) source: https://snyk.io/vuln/npm:yarn
- 30. @liran_tal markdown-to-jsx Cross-site Scripting vulnerability 897,115 weekly downloads Fixed in 6.10.1 (May 2019) source: https://snyk.io/vuln/npm:markdown-to-jsx
- 31. @liran_tal from dependency vulnerabilities to application vulnerabilities
- 32. @liran_tal Application Security is Challenging!
- 33. @liran_tal Application Security is Challenging! delivery 🚀
- 34. @liran_tal Top 10 US Computer Science Programs Carnegie Mellon MIT Stanford University of California, Berkeley University of Illinois, Urbana-Champaign Cornell University of Washington Georgia Tech Princeton University of Texas, Austin source: http://tiny.cc/o98gdz
- 35. @liran_tal Top 10 US Computer Science Programs
- 36. @liran_tal Understanding the impact of security fixes
- 37. @liran_tal
- 38. @liran_tal
- 39. @liran_tal Attackers are targeting open source one vulnerability == many victims
- 40. @liran_tal What if security was developer-friendly easier actionable source: https://snyk.io/vuln/npm:yarn
- 44. @liran_tal Best Practices for Open Source Security
- 45. @liran_tal Have a responsible disclosure policy Enable 2FA, protect your users Scan often and fix your dependencies Release security fixes as non-major https://snyk.io/blog/ten-npm-security-best-practices
- 47. Please Enjoy Responsibly Open Source is Awesome @liran_tal