Play all

Intro

The Benefits of Open Source Software

Open source security is a strange thing

Typo squatting

Package Masking

Ownership transfer

Dangling references

Picking a target for infection

How dependencies gets infected?

How can we protect ourselves from supply chain attacks?

Netflix Microservice Architecture

Design principles for our approach

Build open source vulnerability database

Vulnerability Triage

Risk Strategy Table - Example 1

Requirements for effective vulnerability remediation

Understanding minimum version update problem

First order dependency problem

Yarn Selective dependency resolutions - Example

Dependency lock updates

Security Change Campaigns

Security Change Campaign - Blacklist

Vulnerable method use detection

Better remediation (slack bot remediation)

Questions we ask for organizational metrics

Blackhat sound bytes

Description:

Explore a pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale in this 51-minute Black Hat conference talk. Delve into the growing adoption of open-source components in modern web applications, examining potential risks and mitigation strategies. Learn about various attack vectors such as typo squatting, package masking, and ownership transfer. Discover Netflix's microservice architecture and design principles for effective vulnerability management. Gain insights into building an open-source vulnerability database, vulnerability triage, and risk assessment strategies. Understand the challenges of dependency updates and explore solutions like selective resolutions and security change campaigns. Examine methods for detecting vulnerable method use and implementing better remediation techniques, including the use of Slack bots. Conclude with a discussion on organizational metrics and key takeaways for managing open-source software vulnerabilities effectively. Read more

Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities

Black Hat

Add to list

#Conference Talks #Black Hat #Information Security (InfoSec) #Cybersecurity #Business #Corporate Governance #Risk Management #Risk Assessment #Supply Chain Attacks