YoVDO

Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities

Offered By: Black Hat via YouTube

Tags

Black Hat Courses
Cybersecurity Courses
Risk Assessment Courses
Supply Chain Attacks Courses

Course Description

Overview

Explore a pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale in this 51-minute Black Hat conference talk. Delve into the growing adoption of open-source components in modern web applications, examining the risks they introduce and the strategies for mitigating them. Learn about supply chain attack vectors such as typosquatting, package masking, and ownership transfer of packages. Discover Netflix's microservice architecture and the design principles behind its approach to vulnerability management. Gain insights into building an open-source vulnerability database, triaging vulnerabilities, and assessing risk. Understand the challenges of dependency updates (the minimum-version and first-order dependency problems) and explore solutions such as Yarn selective dependency resolutions, lock-file updates, and security change campaigns. Examine methods for detecting use of vulnerable methods and improving remediation, including a Slack bot that drives fixes. Conclude with a discussion of the questions that inform organizational metrics and the key takeaways for managing open-source software vulnerabilities effectively.

Syllabus

Intro
The Benefits of Open Source Software
Open source security is a strange thing
Typo squatting
Package Masking
Ownership transfer
Dangling references
Picking a target for infection
How do dependencies get infected?
How can we protect ourselves from supply chain attacks?
Netflix Microservice Architecture
Design principles for our approach
Build open source vulnerability database
Vulnerability Triage
Risk Strategy Table - Example 1
Requirements for effective vulnerability remediation
Understanding minimum version update problem
First order dependency problem
Yarn Selective dependency resolutions - Example
Dependency lock updates
Security Change Campaigns
Security Change Campaign - Blacklist
Vulnerable method use detection
Better remediation (slack bot remediation)
Questions we ask for organizational metrics
Blackhat sound bytes
Taught by

Black Hat
