SlideShare uma empresa Scribd logo

Are You Using Open Source Libraries Safely

Transferir como ODP, PDF
Codemotion
Codemotion

#Codemotion Rome 2018 - Do you remember Equifax? How did someone manage to steal the data of almost 200 million users? Well, Equifax simply fell victim to a vulnerability on a framework, Struts, which older developers like me remember well. But you folks, who now use cooler things like Guava or Jackson, do you feel safe? Unfortunately, you are not. After a clear introduction to the problem, with a couple of other illustrious examples, we will perform a couple of exploits together, live, and then take a look at possible prevention strategies. This talk will open your eyes to a problem you did not know you had.

Tecnologia
1 de 20
Are you using an open source library? Bruno Bossola ROME - APRIL 13/14 2018
`@bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
`@bbossola Agenda ● Three cases of exploits ● Why do we use opensource libraries? ● What is a vulnerability? ● Sample exploit of CVE-2017-7525 ● Preventive measures ● Common delusions ● Conclusions ● QA
`@bbossola 11/2016 - San Francisco MTA CVE-2015-4852
`@bbossola 03/2017 - Canada Revenue Ag CVE-2017-5638
`@bbossola 05/2017 - Equifax CVE-2017-5638 (yes, again!)
`@bbossola Why open source libraries??? ● you want to deliver code fast ● you do not rewrite code that's already available – logging – serialisation for JSON / XML – communication via common protocols – web frameworks – client frameworks ● you need state-of-the-art algorithms – encryption library like Bouncycastle – recommendations library like librec ● Eighty percent of the code in today’s applications come from libraries and frameworks
`@bbossola How are libraries used? Direct dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
`@bbossola How are libraries used? Transitive dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
`@bbossola CVE-2017-17485 A simplified view :) Sample project 1.0 spring-boot 1.4.7 spring-core 4.3.9 snakeyaml 1.17 logback 1.1.11 slf4j 1.7.25 jackson 2.8.8 CVE-2017-5929 CVE-2018-5968 CVE-2017-15095 CVE-2017-7525 Images courtesy of 1001freedownloads.com
`@bbossola What is a vulnerability? A weakness in a library that will allow an attacker to compromise the underlying system. You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release. Examples: ● vert.x 3.5.1 (latest on 10/04/2018) ● struts 2.5.16 (latest on 10/04/2018) ● spring boot 1.5.9 (released on 09/2017)
`@bbossola Demo Exploiting CVE-2017-7525: how to remotely execute java code – Starring ● Jackson-Databind ● Your server – Supporting actors ● JSON deserialisation ● Xalan
`@bbossola Preventive measures ● Integrate a library scan in your CI/CD ● Different options available – big commercial powerhouses ● blackducksoftware – small commercial targeted solutions ● bithound.io (nodejs) ● hakiri.io (ruby) ● meterian.io (java) – opensource options ● dependency-check ● github SHAMELESS PLUG! Images courtesy of freepik.com WARNING!!! SHAMELESS PLUG HERE!
`@bbossola Preventive measures What a detection system would have said?
`@bbossola Common delusions Images courtesy of freepik.com “Hello, I am the tech savvy engineering leader!"
`@bbossola Common delusions - 1 Images courtesy of freepik.com “My code is not using that function, I am perfectly safe"
`@bbossola Common delusions - 2 Images courtesy of freepik.com “I am shielded by my input validation, I am perfectly safe”
`@bbossola Common delusions - 3 Images courtesy of freepik.com “I am running a periodic penetration test, I am safe”
`@bbossola Conclusions ● Every project uses open source libraries ● Exploits for common vulnerabilities in open source libraries are out there ● They are easily exploitable (c'mon, I did one in two hours!!!) ● The only solution that can work is putting in place a prevention mechanism ● DO IT NOW!
`@bbossola Q&A Public datatabases: https://cve.mitre.org/ https://nvd.nist.gov/ The code used today: https://github.com/bbossola/vulnerability-java-samples OWASP dependency-check: https://www.owasp.org/index.php/OWASP_Dependency_Check Meterian: https://www.meterian.io

Recomendados

Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Codemotion
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Pôle Systematic Paris-Region
 
How to debug machine learning call stacks
How to debug machine learning call stacksHow to debug machine learning call stacks
How to debug machine learning call stacksRogue Wave Software
 
Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Koombea
 
SciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSamuel Lampa
 
From Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetFrom Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetPôle Systematic Paris-Region
 
How to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeHow to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeKiwamu Okabe
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 

Recomendados

Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Codemotion
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Pôle Systematic Paris-Region
 
How to debug machine learning call stacks
How to debug machine learning call stacksHow to debug machine learning call stacks
How to debug machine learning call stacksRogue Wave Software
 
Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Koombea
 
SciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSamuel Lampa
 
From Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetFrom Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetPôle Systematic Paris-Region
 
How to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeHow to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeKiwamu Okabe
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseTypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseSteve Reiner
 
NS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USANS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USAPhdtopiccom
 
AddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingAddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingSamuel Lampa
 
How we do python
How we do pythonHow we do python
How we do pythonBrice Laurencin
 
Auto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesAuto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesSteven McCown
 
Fun With Reactive Extensions
Fun With Reactive ExtensionsFun With Reactive Extensions
Fun With Reactive ExtensionsPeter Bons
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensionsjohnlvidal
 
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingTracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingYuri Shkuro
 
War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)Min-Yih Hsu
 
Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Yurii Bychenok
 
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebula Project
 
Perf onjs final
Perf onjs finalPerf onjs final
Perf onjs finalqi yang
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
 
Infrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiInfrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiVenura Athukorala
 
Port Scanning with Node.js
Port Scanning with Node.jsPort Scanning with Node.js
Port Scanning with Node.jsKevin Cedeño, CISM, CISA
 
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Jonas Hecht
 
Parallel js
Parallel jsParallel js
Parallel jsShams Nahid
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming languageVigneshwer Dhinakaran
 
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebula Project
 
Introduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfIntroduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfSehz1
 
PyData Boston 2013
PyData Boston 2013PyData Boston 2013
PyData Boston 2013Travis Oliphant
 
Microservices, the lean way
Microservices, the lean wayMicroservices, the lean way
Microservices, the lean wayBruno Bossola
 

Mais conteúdo relacionado

Mais procurados

TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseTypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseSteve Reiner
 
NS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USANS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USAPhdtopiccom
 
AddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingAddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingSamuel Lampa
 
Auto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesAuto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesSteven McCown
 
Fun With Reactive Extensions
Fun With Reactive ExtensionsFun With Reactive Extensions
Fun With Reactive ExtensionsPeter Bons
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensionsjohnlvidal
 
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingTracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingYuri Shkuro
 
War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)Min-Yih Hsu
 
Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Yurii Bychenok
 
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebula Project
 
Perf onjs final
Perf onjs finalPerf onjs final
Perf onjs finalqi yang
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
 
Infrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiInfrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiVenura Athukorala
 
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Jonas Hecht
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming languageVigneshwer Dhinakaran
 
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebula Project
 
Introduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfIntroduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfSehz1
 

Mais procurados (20)

TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseTypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
 
NS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USANS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USA
 
AddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingAddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based Programming
 
How we do python
How we do pythonHow we do python
How we do python
 
Auto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesAuto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust Libraries
 
Fun With Reactive Extensions
Fun With Reactive ExtensionsFun With Reactive Extensions
Fun With Reactive Extensions
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensions
 
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingTracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
 
War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)
 
Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.
 
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
 
Perf onjs final
Perf onjs finalPerf onjs final
Perf onjs final
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
 
Infrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiInfrastructure as "Code" with Pulumi
Infrastructure as "Code" with Pulumi
 
Port Scanning with Node.js
Port Scanning with Node.jsPort Scanning with Node.js
Port Scanning with Node.js
 
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
 
Parallel js
Parallel jsParallel js
Parallel js
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming language
 
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
 
Introduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfIntroduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdf
 

Semelhante a Are You Using Open Source Libraries Safely

Microservices, the lean way
Microservices, the lean wayMicroservices, the lean way
Microservices, the lean wayBruno Bossola
 
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016Codemotion
 
There is something about serverless
There is something about serverlessThere is something about serverless
There is something about serverlessgjdevos
 
Netflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source ProgramNetflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source Programaspyker
 
Building a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at NetflixBuilding a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at NetflixAll Things Open
 
Leveraging open source for large scale analytics
Leveraging open source for large scale analyticsLeveraging open source for large scale analytics
Leveraging open source for large scale analyticsSouth West Data Meetup
 
Not my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureNot my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureYshay Yaacobi
 
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdfManaging Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdfAndrew Lamb
 
Building cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and DockerBuilding cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and DockerJacob Feala
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoveritySamsung Open Source Group
 
Python Experience in KKBOX Group
Python Experience in KKBOX GroupPython Experience in KKBOX Group
Python Experience in KKBOX GroupShuen-Huei Guan
 
openSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST NewsopenSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST Newslslezak
 
BelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the BrowserBelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the BrowserEamonn Boyle
 
2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpi2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpiQNIB Solutions
 
Eko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database AuditingEko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database AuditingJuan Berner
 
Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)Jaime Crespo
 

Semelhante a Are You Using Open Source Libraries Safely (20)

PyData Boston 2013
PyData Boston 2013PyData Boston 2013
PyData Boston 2013
 
Microservices, the lean way
Microservices, the lean wayMicroservices, the lean way
Microservices, the lean way
 
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
 
Go at Skroutz
Go at SkroutzGo at Skroutz
Go at Skroutz
 
There is something about serverless
There is something about serverlessThere is something about serverless
There is something about serverless
 
Netflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source ProgramNetflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source Program
 
Building a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at NetflixBuilding a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at Netflix
 
Leveraging open source for large scale analytics
Leveraging open source for large scale analyticsLeveraging open source for large scale analytics
Leveraging open source for large scale analytics
 
PostgreSQL Development Today: 9.0
PostgreSQL Development Today: 9.0PostgreSQL Development Today: 9.0
PostgreSQL Development Today: 9.0
 
Not my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureNot my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructure
 
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdfManaging Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
 
Node.js an Exectutive View
Node.js an Exectutive ViewNode.js an Exectutive View
Node.js an Exectutive View
 
Building cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and DockerBuilding cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and Docker
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with Coverity
 
Python Experience in KKBOX Group
Python Experience in KKBOX GroupPython Experience in KKBOX Group
Python Experience in KKBOX Group
 
openSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST NewsopenSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST News
 
BelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the BrowserBelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the Browser
 
2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpi2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpi
 
Eko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database AuditingEko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database Auditing
 
Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)
 

Mais de Codemotion

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyCodemotion
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaCodemotion
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Codemotion
 

Mais de Codemotion (20)

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending story
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storia
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard Altwasser
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 

Último

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Último (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

Are You Using Open Source Libraries Safely

  • 1. Are you using an open source library? Bruno Bossola ROME - APRIL 13/14 2018
  • 2. `@bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
  • 3. `@bbossola Agenda ● Three cases of exploits ● Why do we use opensource libraries? ● What is a vulnerability? ● Sample exploit of CVE-2017-7525 ● Preventive measures ● Common delusions ● Conclusions ● QA
  • 4. `@bbossola 11/2016 - San Francisco MTA CVE-2015-4852
  • 5. `@bbossola 03/2017 - Canada Revenue Ag CVE-2017-5638
  • 7. `@bbossola Why open source libraries??? ● you want to deliver code fast ● you do not rewrite code that's already available – logging – serialisation for JSON / XML – communication via common protocols – web frameworks – client frameworks ● you need state-of-the-art algorithms – encryption library like Bouncycastle – recommendations library like librec ● Eighty percent of the code in today’s applications come from libraries and frameworks
  • 8. `@bbossola How are libraries used? Direct dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
  • 9. `@bbossola How are libraries used? Transitive dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
  • 10. `@bbossola CVE-2017-17485 A simplified view :) Sample project 1.0 spring-boot 1.4.7 spring-core 4.3.9 snakeyaml 1.17 logback 1.1.11 slf4j 1.7.25 jackson 2.8.8 CVE-2017-5929 CVE-2018-5968 CVE-2017-15095 CVE-2017-7525 Images courtesy of 1001freedownloads.com
  • 11. `@bbossola What is a vulnerability? A weakness in a library that will allow an attacker to compromise the underlying system. You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release. Examples: ● vert.x 3.5.1 (latest on 10/04/2018) ● struts 2.5.16 (latest on 10/04/2018) ● spring boot 1.5.9 (released on 09/2017)
  • 12. `@bbossola Demo Exploiting CVE-2017-7525: how to remotely execute java code – Starring ● Jackson-Databind ● Your server – Supporting actors ● JSON deserialisation ● Xalan
  • 13. `@bbossola Preventive measures ● Integrate a library scan in your CI/CD ● Different options available – big commercial powerhouses ● blackducksoftware – small commercial targeted solutions ● bithound.io (nodejs) ● hakiri.io (ruby) ● meterian.io (java) – opensource options ● dependency-check ● github SHAMELESS PLUG! Images courtesy of freepik.com WARNING!!! SHAMELESS PLUG HERE!
  • 14. `@bbossola Preventive measures What a detection system would have said?
  • 15. `@bbossola Common delusions Images courtesy of freepik.com “Hello, I am the tech savvy engineering leader!"
  • 16. `@bbossola Common delusions - 1 Images courtesy of freepik.com “My code is not using that function, I am perfectly safe"
  • 17. `@bbossola Common delusions - 2 Images courtesy of freepik.com “I am shielded by my input validation, I am perfectly safe”
  • 18. `@bbossola Common delusions - 3 Images courtesy of freepik.com “I am running a periodic penetration test, I am safe”
  • 19. `@bbossola Conclusions ● Every project uses open source libraries ● Exploits for common vulnerabilities in open source libraries are out there ● They are easily exploitable (c'mon, I did one in two hours!!!) ● The only solution that can work is putting in place a prevention mechanism ● DO IT NOW!
  • 20. `@bbossola Q&A Public datatabases: https://cve.mitre.org/ https://nvd.nist.gov/ The code used today: https://github.com/bbossola/vulnerability-java-samples OWASP dependency-check: https://www.owasp.org/index.php/OWASP_Dependency_Check Meterian: https://www.meterian.io

Notas do Editor

  1. Introduce meterian clearly“we help companies to ship software without vulnerabilities” startup, I am a cofounder with Vivian (PM)
  2. San Francisco Metropolitan Transit Agency 2,112 systems impacted A weekend of free rides Exploit on object serialisation issue in apache commons-collections, sending crafted binary traffic over the T3 protocol Operation Rosebud: a team of 50 Google employees used GitHub to patch the “Apache Commons Collections Deserialization Vulnerability” in thousands of open source projects Note that the attack was in 2016 while the vulnerability was from 2015!
  3. Canada Revenue Agency Undisclosed impact (or “nothing happened, trust us”) Exploit a vulnerability in the multipart parser in Apache Struts2which allows remote attackers to execute arbitrary commands via a crafted header Zero day vulnerability
  4. Equifax, one of the three biggest credit rating agencies in the USA 143 millions US citizens impacted 44 millions UK citizens impacted Exploit (again) a vulnerability in the multipart parser in Apache Struts2 almost 3 months after it was public (remember CRA?) announced only in September
  5. logging (jokes logging and his history, about NIH syndrome) web: spring, jersey, dropwizard js: jquery, bootstrap, angular Bouncycastle: more cipher suites and algorithms, ability to read arcane formats like PEM and ASN.1 librec (more than 70 algorithms)
  6. spring is #1 on hotframeworks.com / java struts is #5 on hotframeworks.com vert.x is #6 on hotframeworks.com