The event-stream incident illustrates how attackers can inject malware into popular open source packages by gaining maintainer trust.
Applications are composed of 80-90% open source code, making dependency security a critical concern for developers.
A command injection flaw in a popular VS Code repository shows how CI/CD pipelines and development tools can become attack vectors.
A cross-site scripting (XSS) vulnerability in a popular markdown parser remained unpatched for a year, highlighting the risks of relying on unmaintained packages.
Weak credentials on maintainer accounts, long-hidden bugs like the sudo vulnerability, and maintainers unpublishing their own packages (colors.js, faker.js) create significant ecosystem risks.
Log4Shell allows remote code execution (RCE) by manipulating log messages, demonstrating how a ubiquitous logging library can become a critical security failure.
This demo shows how an Express.js application's XSS sanitization can be bypassed by passing an array instead of a string, causing a type confusion vulnerability.
A demonstration of a remote code execution (RCE) vulnerability in an older version of Apache Struts, similar to the one that led to the Equifax breach.
A step-by-step walkthrough of exploiting the Log4Shell vulnerability by setting up a malicious server and a vulnerable client to achieve remote code execution.
To manage modern security risks, organizations should adopt a 'shift left' mindset and empower developers through a structured security champions program.
The speaker answers audience questions about social engineering, the role of QA in security, and her personal career path from developer to cybersecurity leader.
37:36Vandana Verma
32:55Natale Vinto
46:36Andrew Martin
2:08:06Antonio de Mello & Amine Abed
24:01Jackie
27:10Sonya Moisset
29:47Thomas Chauchefoin & Paul Gerste
27:32Jasmin Azemović
Jobs that call for the skills explored in this talk.
Vesterling Consulting GmbH
Schwarz Dienstleistung KG