New Way of Envisioning Security in the Dependencies

This ad is not shown to multipass and full ticket holders
JSNation US
JSNation US 2025
November 17 - 20, 2025
New York, US & Online
See JS stars in the US biggest planetarium
Learn More
In partnership with Focus Reactive
Upcoming event
JSNation US 2025
JSNation US 2025
November 17 - 20, 2025. New York, US & Online
Learn more
Bookmark
Rate this content

The vulnerabilities in open source ecosystem are increasing like wild fire. It is important to address those. I will be speaking about issues and how to fix them with demo. I will pick up examples from React ecosystem as well.

This talk has been presented at React Summit 2022, check out the latest edition of this React Conference.

FAQ

Vandana Verma Sahgal is a security relations leader at Snyk, a software security company. She is also the chair for OWASP (Open Web Application Security Project) and runs initiatives like InfoSec Girls, InfoSec Diversity, and Kids to promote cybersecurity understanding.

The main concerns with smart devices include the uploading and storage of data, the downloading of potentially malicious patches, and the risk of these devices being hacked to track user actions or steal information.

Developers play a crucial role in cybersecurity, especially in addressing issues related to new supply chain vulnerabilities and ensuring that software security is maintained through careful management of dependencies and third-party libraries.

The Equifax breach was a significant security incident where a vulnerability reported by Apache was not promptly addressed by some companies, including Equifax, leading to a massive data breach. This underscores the importance of early detection and response to vulnerabilities.

OWASP, or the Open Web Application Security Project, is a community-driven organization that aims to improve application security. It provides resources, tools, and forums for developers and security professionals to enhance their understanding and practices related to cybersecurity.

The SolarWinds attack involved a third-party library that was maliciously added to a software update, which was then distributed to SolarWinds customers. This led to widespread security breaches across numerous organizations.

Organizations can protect themselves from third-party dependency risks by regularly updating their software, monitoring for vulnerabilities, using tools like OWASP Dependency Check to scan their systems, and educating their teams on security best practices.

Lock4Shell is a vulnerability in the Apache Log4j logging library that significantly impacted many organizations, including major companies. It highlighted the risks associated with third-party components and the need for vigilant security measures.

Developers should respond to new vulnerabilities by promptly applying security patches, conducting thorough testing to ensure compatibility, and staying informed about the latest security threats and mitigation strategies.

Vandana Verma Sehgal
Vandana Verma Sehgal
21 min
21 Jun, 2022

Comments

Sign in or register to post your comment.
Video Summary and Transcription
Today's Talk explores the importance of understanding security issues and dependencies in software development. It emphasizes the role of developers in cybersecurity incidents and the need to detect and respond to vulnerabilities early. The Talk also discusses the risks associated with third-party dependencies and the impact of security breaches on organizations. Additionally, it highlights the significance of addressing security concerns and the potential consequences of exploiting vulnerabilities and exfiltrating data.

1. Introduction to Security Issues and Dependencies

Short description:

Today I'm going to be talking about a new way of envisioning security issues and dependencies. I will be sharing my experience and understanding about those issues. I'm currently a security relations leader at Snyk, contributing to open-source projects in cybersecurity. We want everything to be automated, cool, and helpful. But what happens when the data is being uploaded somewhere? These smart devices are getting trained to deliver content at the earliest, but they may also be tracking everything you say.

Hi everyone, good morning, good afternoon, good evening, wherever you are. Today I'm going to be talking about a new way of envisioning security issues and dependencies. I'm sure some of you know about it, some of you don't know about it. So today I will be sharing my experience and my understanding about those issues.

My name is Vandana Verma Sahgal, and about myself, about my background, I'm currently a security relations leader at Snyk, which is a software security company. When I'm not working at Snyk, I generally contribute to open-source projects in cybersecurity and part of certain conferences like BlackHat. So I'm currently the chair for OWASP, which is Open Web Application Security Project, a community driven to motivate people to understand application security. I also run InfoSec Girls, InfoSec Diversity and Kids, so that we can have cybersecurity understanding for everyone. That's about myself.

Now, while I talk about what security issues are, what exactly do you see in this picture? This is something which is more of a futuristic image of what we really want. We want everything to be automated. We want everything to be super cool. We want everything to be different and helpful for us. I want it. I want smart TVs to smart devices, to smart users, everything smart at home. So I just need to play a button, and everything is good. But there's one thing which is there. What happens when the data is being uploaded somewhere? And that's natural. We've heard and even we've seen the data is getting uploaded somewhere. Why do we say that? Because the point comes is anything that you speak to these smart devices that actually get it trained. Because you want everything at the earliest. They're getting trained to deliver the content at the earliest. So, data is being somewhere, stored somewhere. Now, I am sure these devices are being updated somewhere. So, there'll be a patch which might be downloaded. Now, when that patch gets downloaded, there are times where you would feel that there's something fishy. Or sometimes you don't even get to know that there are malicious things which are downloaded on your system. So, what do you do and what happens then? That they might be tracking you. Anything and everything that you're speaking might be getting tracked. Is it cool? No, it is not.

2. Security Issues and Dependencies

Short description:

It is somewhat scary. But the point comes how should we actually deal with them? Developers play a very, very crucial role in cybersecurity incidents. Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. All my websites are on open source content. Are there any issues in those dependencies? What happens when people start attacking developer tooling? In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. When there's a certain vulnerability which gets reported, what we really need to do is understand what the vulnerability's all about. What happened with Equifax? February 14th, Apache notified that there are certain issues.

It is somewhat scary. But the point comes how should we actually deal with them? So, developers play a very, very crucial role in cybersecurity incidents. And especially when we talk about these new supply chain issues which are there, the whole landscape which is being changed, and the way we have started to care about software security.

Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. When in somebody said I want to help you out, and hire the maintainers, but then instead they added a crypto miner, and nobody even knew about it. So you're working and something is running in the background. So how much exactly do you know about what is in your system?

Now, I'll tell you about myself. All my websites are on open source content. I'm using whatever is there on the internet. Now comes, are there any issues in those dependencies? Maybe, so this is the image that I have in mind. This is all my app. But, actual thing is that this is the only code, the red dot in the middle, which is the code, which is developed by me or maybe my friends, maybe the company itself. But what is rest? The whole rest is the open source code, third party dependencies, third-party libraries and whatnot. How exactly you're going to be taking care of that? What happens when people start attacking developer tooling?

Now, being in security, I might not use Visual Studio Code or any IDE very often. But can it happen? If I'm a developer, I wouldn't be using day in and day out. I would be using, and even for that matter, being in security, I want to learn about a lot of new things, so I learn these things. That's what happened. In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. Of many accounts, but they diligently reported that. It could have gone in any wrong direction. When somebody gets the house key, they can do anything. For example, you've got four doors in the house, then there are four windows. Now, you're going on vacation, you've closed all the doors, but what happened to the windows? Maybe there's one window which is open, which you did not realize and somebody gets into your house and takes all the stuff. It's crazy, and that can happen with anyone, and that's when we need to understand what's inside our code.

Now, there are certain lessons that we learnt from the Equifax breach that happened a few years back. Now, why we are still talking about it, because it actually envisions one very important aspect, that when there's a certain vulnerability which gets reported, after that, what we really need to do is we need to understand what the vulnerability's all about. Can we fix it or not? And if it's critical, how soon can we address it? What happened with Equifax? February 14th, Apache notified that there are certain issues. There was a release of fix, people started exploiting the exploit. And even though some companies already updated it, there are some companies which could not. One of them was Equifax.

3. State Breach and Organization-wide Response

Short description:

Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization.

Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization. Trust me, it took us good two, three days to understand where we are, where do we stand. Everyone was getting crazy. Do we have this version? Do we use Apache on this application? And a lot of time, what happens? You don't even know that you are using Apache or maybe this any third-party version, which is vulnerable in your ecosystem. Why? Because we sometimes tend to miss in updating CMDBs.

4. Supply Chain Risks and Third-Party Dependencies

Short description:

We need to make sure that we understand these issues and the supply chain risks. There's one library, one dependency, that can lead to big issues. Companies are spending more and more money on these. We need to track and understand third-party dependencies. There have been cases where maintainers remove libraries, causing disruptions. In 2016, there was an issue with Collar and Faker libraries. These issues can come in any form and impact enterprises. Lock for shake is a popular logging platform written in Java.

Now, when we say that, the most important aspect comes is that, are we able to maintain it regularly? Maybe, maybe not. So what shall we do with that? We need to make sure that we understand these issues and on top of it, these supply chain risks. Are they new? I don't think so they're new, because they have been there for a very, very long time. And it started getting into the limelight after the SolarWinds attack, where there was a third-party library which was added as part of our DLL, which was added as part of the package, which the package was shipped to everyone and everyone was using it.

Now, this is a big concern, which means, there's one library, one dependencies, which is there as part of your code that can lead to big issues. And on top of it, the point comes, how are we trying to address that? We are still seeing these issues every year in a year. Companies, organizations are spending more and more money on these.

Now, let me tell you something very interesting. There are times when maintainers, themselves remove the libraries. These are some of the cases wherein somebody removed the package and the whole packet started breaking and everybody got crazy. Now, this also does this one important thing when we're using third-party dependencies to open-source content, it's important we track it and we understand if something happens to them, how are we going to deal with that? And let's not go back this very very long, which is 2016. Just two months back, or three months back, there was an issue with Collar and Faker. These are two major libraries as part of the Node.js ecosystem. The maintainer was the same for both. Now, this maintainer removed the whole package from one of the libraries for one of the ecosystem and for the other dependency, the person added a loop condition. Now, what do you do in that case wherein I have a package because I want a new update now that has a loop condition and it's breaking my whole code? Isn't that scary? And that brings us that even these issues can come in any form, in any part as part of the registries. So what do these registries contain? Could be malicious issues, could be vulnerabilities, could be whatnot. And these issues are not only just for the ecosystems which are smaller, but they're impacting enterprises as well. Medium business units and everyone.

This brings us to the point wherein this lock for a shake. I'll tell you my own story. In December, I was on vacation in the first week. I was like, oh, I've not taken vacation for a very long time. We've been at home, so let's take a vacation. So we went to travel. Now, during the similar time, lock for shake happened. What is that? I didn't even know, but then I start seeing messages and everyone started talking about it. So I wanted to understand what it is. So lock for shake is basically a very popular logging platform. Apache-based logging platform written in Java.

5. Security Impact and Vulnerabilities

Short description:

People use these platforms very easily because they're easy to use. But what happens when it impacts organizations? How do you deal with that? Organizations were vulnerable due to the use of the JNDEI framework. The attack highlighted the importance of understanding third-party components and the risks they pose. OWASP's top 10 risks list reveals regulatory compliance and cloud security control failures. Dependency on third-party SaaS applications can lead to data breaches and other security issues. A demo showcasing a vulnerable Java exploit is presented.

And people use these platforms very easily because they're easy to use. But what happens when it impacts huge amounts of organizations from Cesar to Amazon to IBM to any company, even sneak, we'll be talking about it.

Now, when that happens, how do you deal with that? And what was the part of, what was the issue in there? So anyone who was using a lab server and was using JNDEI, they were vulnerable because it was a very highly or very useful framework a lot of organizations were using. And they were trying to figure out whether they were vulnerable or not.

Now, organizations, so people, everyone was talking about it, sharing their views on social media, Twitter, LinkedIn on their own blogs. And this whole attack made us realize that if this small, small issue, which is there in the code, it can be a big concern, even if one library. They were people, there were organizations who were actually not vulnerable, but they were using third-party components which were making them vulnerable. Would you like that? I wouldn't like that. So I would like to know what I have and what I don't have. What I have, what is the list of it? Whether I'm using third-party vendors or not? Which is very, very important.

Also, I'll tell you something interesting about OWASP. So OWASP top 10 releases top 10 list of risks every three years. So it came up with the top 10 risks and injection, which is supposed to be a 10, dropped down to third, and suddenly I saw these injection issues and they're becoming more and more prevalent. This is Lock4Shell, then many other vulnerabilities came and it just doesn't stop there. Why? Because it was actually the indication that there are regulatory compliance failures. We're talking about cloud. So there are cloud security control failures which are there. Sometimes intentional. Sometimes we don't even get to know. And these third party SaaS applications security failures because we are too much dependent on them, which also leads us that if something happens, anyone can deploy malwares and ransomwares, which can lead to data exfiltration, to integrity issues, to availability issues and whatnot. I wouldn't want that.

Now let me actually show you something very interesting. So here I have actually created a demo. Now what it says, I have it on my local system. I've not installed this vulnerable version of Java on my system, but it is in a system, is it a different folder? Now, what I have is I have created a Java group where I have this exploit. In the exploit, for you to see, I need to have a server running. If there's no vulnerable server, how would you get attacked? How would you get a vulnerable? So I have a log for shell server running. Now, this server is running on local host, which is HTTP server 8000. And there's an LDAP server, vulnerable Jindi server, which is running on port 9999. Now this whole thing is running.

6. Exploiting Vulnerabilities and Exfiltrating Data

Short description:

Now, I need a client so that I can make it vulnerable. I will try and connect it with the server. It actually downloaded a malicious file and made it vulnerable. So let's see if this file exists or not. Let me remove this file completely. So it does not exist. Now let me connect it to the vulnerable server. It is gonna connect to the server. This file now exists here. If I am a malicious person, I know that this server is vulnerable. Now, when there's a website and it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. What happens when a hacker tries to exfiltrate confidential data? That can be scary for an organization.

Now, I need a client so that I can make it vulnerable. So here is the client. And simply what I'll do is, I will try and connect it with the server. So let me execute this in Java. Now, when I connect from client to server, there is a file which does not exist, temporary pawn. But when I ran it and I connected it to the server, it actually downloaded a malicious file and made it vulnerable, which is, let's see if this file exists or not. So let's see.

So if you see this file exists, now you must be thinking, how can that happen? So let me do this. Let me remove this file completely. So let's see if this file exists or not now. Oh, sorry, let me go ahead. If you see, oh, I need to remove first. Now I'm gonna go ahead and show you if it exists or not. So it does not exist. Now the file does not exist. Now let me connect it to the vulnerable server. Here I'm gonna execute Java, and it is gonna connect to the server. Now while it's running, it's trying to connect to that Djinni server, and this file now exists here, which it says that it's just a small file that I have downloaded in a temporary folder. If I am malicious person, I know that this server is vulnerable. For example, right now we're talking about React.js Summit. I'm sure they must have a website. Now, when there's a website and it's vulnerable, I know it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. So anyone who connects to that server gets downloaded these malicious files. It could be a ransomware. Oh, nothing should happen because people are more aware, especially the development teams that are becoming more and more aware about security issues, at least more than us. What I can see, I have a lot of friends working in development teams and they are pro-security people because they understand security better than me because they know the ecosystem well, day in and day out.

Now, the simple issues. It took me a few seconds to exploit it. What happens when a hacker tries and exfiltrate the data, which is very, very confidential and nobody should know about it. That can be scary for an organization.

7. Understanding Security Issues and Impact

Short description:

Even though popular frameworks are used, there are still important security issues to understand and address. It is crucial to have a comprehensive list of these issues and be aware of the components used in our applications. As a security analyst, I used to encounter these issues regularly, but now it affects everyone. This highlights the significance of addressing security concerns and acknowledging their impact.

Now, what it takes us, that even though these popular frameworks are there, there are certain issues which need to understand. We need to have a list of all of these issues. And more on top of it, we should know what we have in our house. So we tried and hack the app. Generally, I do it after this, but I did it early to set the context. And on top of it, what we used to see, that this is the life of a security analyst. On Thursday night, Friday night, you would have these issues. Well, let me tell you, this is not the case anymore. When the zero rate drops, it impacts everyone from a security analyst to anyone and everyone. And that also tells us that these security issues are real.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
Top Content
How to hack a RealWorld live React application in seven minutes. Tips, best practices, and pitfalls when writing React code. XSS and cross-site scripting in React. React's secure by default, but not always. The first thing to discover: adding a link to a React application. React code vulnerability: cross-site scripting with Twitter link. React doesn't sanitize or output H ref attributes. Fix attempts: detect JavaScript, use dummy hashtag, transition to lowercase. Control corrector exploit. Best practices: avoid denialist approach, sanitize user inputs. React's lack of sanitization and output encoding for user inputs. Exploring XSS vulnerabilities and the need to pretty print JSON. The React JSON pretty package and its potential XSS risks. The importance of context encoding and secure coding practices.
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021React Advanced 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.

Workshops on related topic

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024JSNation US 2024
148 min
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
Featured Workshop
Gregor Biswanger
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
Workshop
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
Workshop
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.