New Way of Envisioning Security in the Dependencies

Rate this content
Bookmark

The vulnerabilities in open source ecosystem are increasing like wild fire. It is important to address those. I will be speaking about issues and how to fix them with demo. I will pick up examples from React ecosystem as well.

This talk has been presented at React Summit 2022, check out the latest edition of this React Conference.

FAQ

Vandana Verma Sahgal is a security relations leader at Snyk, a software security company. She is also the chair for OWASP (Open Web Application Security Project) and runs initiatives like InfoSec Girls, InfoSec Diversity, and Kids to promote cybersecurity understanding.

The main concerns with smart devices include the uploading and storage of data, the downloading of potentially malicious patches, and the risk of these devices being hacked to track user actions or steal information.

Developers play a crucial role in cybersecurity, especially in addressing issues related to new supply chain vulnerabilities and ensuring that software security is maintained through careful management of dependencies and third-party libraries.

The Equifax breach was a significant security incident where a vulnerability reported by Apache was not promptly addressed by some companies, including Equifax, leading to a massive data breach. This underscores the importance of early detection and response to vulnerabilities.

OWASP, or the Open Web Application Security Project, is a community-driven organization that aims to improve application security. It provides resources, tools, and forums for developers and security professionals to enhance their understanding and practices related to cybersecurity.

The SolarWinds attack involved a third-party library that was maliciously added to a software update, which was then distributed to SolarWinds customers. This led to widespread security breaches across numerous organizations.

Organizations can protect themselves from third-party dependency risks by regularly updating their software, monitoring for vulnerabilities, using tools like OWASP Dependency Check to scan their systems, and educating their teams on security best practices.

Lock4Shell is a vulnerability in the Apache Log4j logging library that significantly impacted many organizations, including major companies. It highlighted the risks associated with third-party components and the need for vigilant security measures.

Developers should respond to new vulnerabilities by promptly applying security patches, conducting thorough testing to ensure compatibility, and staying informed about the latest security threats and mitigation strategies.

Vandana Verma Sehgal
Vandana Verma Sehgal
21 min
21 Jun, 2022

Comments

Sign in or register to post your comment.

Video Summary and Transcription

Today's Talk explores the importance of understanding security issues and dependencies in software development. It emphasizes the role of developers in cybersecurity incidents and the need to detect and respond to vulnerabilities early. The Talk also discusses the risks associated with third-party dependencies and the impact of security breaches on organizations. Additionally, it highlights the significance of addressing security concerns and the potential consequences of exploiting vulnerabilities and exfiltrating data.

1. Introduction to Security Issues and Dependencies

Short description:

Today I'm going to be talking about a new way of envisioning security issues and dependencies. I will be sharing my experience and understanding about those issues. I'm currently a security relations leader at Snyk, contributing to open-source projects in cybersecurity. We want everything to be automated, cool, and helpful. But what happens when the data is being uploaded somewhere? These smart devices are getting trained to deliver content at the earliest, but they may also be tracking everything you say.

Hi everyone, good morning, good afternoon, good evening, wherever you are. Today I'm going to be talking about a new way of envisioning security issues and dependencies. I'm sure some of you know about it, some of you don't know about it. So today I will be sharing my experience and my understanding about those issues.

My name is Vandana Verma Sahgal, and about myself, about my background, I'm currently a security relations leader at Snyk, which is a software security company. When I'm not working at Snyk, I generally contribute to open-source projects in cybersecurity and part of certain conferences like BlackHat. So I'm currently the chair for OWASP, which is Open Web Application Security Project, a community driven to motivate people to understand application security. I also run InfoSec Girls, InfoSec Diversity and Kids, so that we can have cybersecurity understanding for everyone. That's about myself.

Now, while I talk about what security issues are, what exactly do you see in this picture? This is something which is more of a futuristic image of what we really want. We want everything to be automated. We want everything to be super cool. We want everything to be different and helpful for us. I want it. I want smart TVs to smart devices, to smart users, everything smart at home. So I just need to play a button, and everything is good. But there's one thing which is there. What happens when the data is being uploaded somewhere? And that's natural. We've heard and even we've seen the data is getting uploaded somewhere. Why do we say that? Because the point comes is anything that you speak to these smart devices that actually get it trained. Because you want everything at the earliest. They're getting trained to deliver the content at the earliest. So, data is being somewhere, stored somewhere. Now, I am sure these devices are being updated somewhere. So, there'll be a patch which might be downloaded. Now, when that patch gets downloaded, there are times where you would feel that there's something fishy. Or sometimes you don't even get to know that there are malicious things which are downloaded on your system. So, what do you do and what happens then? That they might be tracking you. Anything and everything that you're speaking might be getting tracked. Is it cool? No, it is not.

2. Security Issues and Dependencies

Short description:

It is somewhat scary. But the point comes how should we actually deal with them? Developers play a very, very crucial role in cybersecurity incidents. Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. All my websites are on open source content. Are there any issues in those dependencies? What happens when people start attacking developer tooling? In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. When there's a certain vulnerability which gets reported, what we really need to do is understand what the vulnerability's all about. What happened with Equifax? February 14th, Apache notified that there are certain issues.

It is somewhat scary. But the point comes how should we actually deal with them? So, developers play a very, very crucial role in cybersecurity incidents. And especially when we talk about these new supply chain issues which are there, the whole landscape which is being changed, and the way we have started to care about software security.

Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. When in somebody said I want to help you out, and hire the maintainers, but then instead they added a crypto miner, and nobody even knew about it. So you're working and something is running in the background. So how much exactly do you know about what is in your system?

Now, I'll tell you about myself. All my websites are on open source content. I'm using whatever is there on the internet. Now comes, are there any issues in those dependencies? Maybe, so this is the image that I have in mind. This is all my app. But, actual thing is that this is the only code, the red dot in the middle, which is the code, which is developed by me or maybe my friends, maybe the company itself. But what is rest? The whole rest is the open source code, third party dependencies, third-party libraries and whatnot. How exactly you're going to be taking care of that? What happens when people start attacking developer tooling?

Now, being in security, I might not use Visual Studio Code or any IDE very often. But can it happen? If I'm a developer, I wouldn't be using day in and day out. I would be using, and even for that matter, being in security, I want to learn about a lot of new things, so I learn these things. That's what happened. In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. Of many accounts, but they diligently reported that. It could have gone in any wrong direction. When somebody gets the house key, they can do anything. For example, you've got four doors in the house, then there are four windows. Now, you're going on vacation, you've closed all the doors, but what happened to the windows? Maybe there's one window which is open, which you did not realize and somebody gets into your house and takes all the stuff. It's crazy, and that can happen with anyone, and that's when we need to understand what's inside our code.

Now, there are certain lessons that we learnt from the Equifax breach that happened a few years back. Now, why we are still talking about it, because it actually envisions one very important aspect, that when there's a certain vulnerability which gets reported, after that, what we really need to do is we need to understand what the vulnerability's all about. Can we fix it or not? And if it's critical, how soon can we address it? What happened with Equifax? February 14th, Apache notified that there are certain issues. There was a release of fix, people started exploiting the exploit. And even though some companies already updated it, there are some companies which could not. One of them was Equifax.