View analytic
Wednesday, October 18 • 13:10 - 13:35
Stranger Danger: Addressing Security Risk in Open Source Code

Log in to save this to your schedule and see who's attending!

Feedback form is now closed.

Open source modules, maven and python packages, ruby gems and especially npm, are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your users data.

The security risk from vulnerable open source binaries is well understood. While still often mishandled, there are good practices for tackling it, and industry trends like Serverless & PaaS all but eliminate it.

Vulnerabilities in open source code packages, however, get practically no air time. These packages, pulled from the likes of npm, RubyGems and Maven, are just as prevalent, outdated and hard to manage. More importantly, they’re just as vulnerable!

In this talk I’ll share details and demonstrate several vulnerabilities in popular packages. For each issue, I’ll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.

avatar for Danny Grander

Danny Grander

Security Research, Snyk
Danny Grander is a veteran security researcher and the cofounder of Snyk.io, where he works on open source security and leads Snyk’s security research. Previously, Danny was the CTO of Gita and a lead researcher and developer for a few startups. Danny’s CTF team, Pasten, won... Read More →

Wednesday October 18, 2017 13:10 - 13:35
Main Auditorium