Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities

Black Hat via YouTube

Overview

This talk presents a practical approach to automating the discovery and eradication of open-source software vulnerabilities. Learning outcomes include understanding the risks that open-source components introduce into web applications, identifying vulnerabilities at scale, and implementing strategies for effective remediation. The talk covers building an open-source vulnerability database, vulnerability triage, risk assessment, and security change campaigns, and walks through real-world examples and Netflix's approach to handling open-source vulnerabilities. The intended audience includes software developers, security professionals, and anyone interested in cybersecurity and open-source software security.

Syllabus

Intro
The Benefits of Open Source Software
Open source security is a strange thing
Typo squatting
Package Masking
Ownership transfer
Dangling references
Picking a target for infection
How do dependencies get infected?
How can we protect ourselves from supply chain attacks?
Netflix Microservice Architecture
Design principles for our approach
Build open source vulnerability database
Vulnerability Triage
Risk Strategy Table - Example 1
Requirements for effective vulnerability remediation
Understanding minimum version update problem
First order dependency problem
Yarn Selective dependency resolutions - Example
Dependency lock updates
Security Change Campaigns
Security Change Campaign - Blacklist
Vulnerable method use detection
Better remediation (slack bot remediation)
Questions we ask for organizational metrics
Blackhat sound bytes

Taught by

Black Hat
