Open source modules, Maven and Python packages, Ruby gems and especially npm, are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing both the application and your users’ data.
The security risk from vulnerable open source binaries (the OS packages and system libraries underneath your application) is well understood. While still often mishandled, there are good practices for tackling it, and industry trends like serverless and PaaS push much of that patching burden onto the platform provider.
Vulnerabilities in open source code packages, however, get practically no air time. These packages, pulled from the likes of npm, RubyGems and Maven, are just as prevalent, just as often outdated, and just as hard to manage, not least because most of them arrive as transitive dependencies you never chose. More importantly, they’re just as vulnerable, and no platform provider patches them for you: the fix ships only when you update the dependency.
In this talk I’ll share details and demonstrate several vulnerabilities in popular packages. For each issue, I’ll explain why it happened, show its impact, and, most importantly, show how to avoid or fix it.