This document discusses securing open source software and dependencies. It notes that open source usage and the number of npm packages have exploded, but that open source software is not inherently secure or insecure. It warns that vulnerabilities in widely used open source projects, such as Heartbleed, Shellshock, and Logjam, have impacted many users. Approximately 30% of Docker images contain known vulnerabilities, and around 14% of npm packages carry known vulnerabilities that have been found in users' applications. It encourages finding, fixing, and preventing vulnerabilities in open source dependencies as a way to secure applications.
Guy Podjarny - Secure Node Code
1. Join the conversation #devseccon
Guy Podjarny, Snyk
@guypod
Secure Node Code
a.k.a. Stranger Danger
2. snyk.io
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
  • Cyber Security part of Israel Defense Forces
  • First Web App Firewall (AppShield), Dynamic/Static Tester (AppScan)
  • Security: Worked in Sanctum -> Watchfire -> IBM
  • Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker
3. Open Source Is Awesome
Share Your Work
Reuse What Others Built
Focus on Creating Your Own New Thing
13. Just as Hacker-Friendly…
1. Vulnerabilities already found, and found often
2. Used everywhere: millions of downloads per month, across many orgs
3. Hard to update, due to dependency chains, breakage and scattered use
41. OSS packages takeaway
• Find vulnerabilities
  • Be sure to test ALL your applications
• Fix vulnerabilities
  • Upgrade when possible, patch when needed
• Prevent adding vulnerable modules
  • Break the build, test in pull requests
• Respond quickly to new vulns
  • Track vuln DBs, or use Snyk! </shameless plug>
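The slides above list the steps (find, fix, prevent, respond) and, on slide 13, why fixing is hard: dependency chains and scattered use. As an added example that is not code from the talk or from Snyk's tooling, the Node script below does the "find" and "prevent" steps by hand: it walks a dependency tree in the shape of `npm ls --json` output, matches every installed version against an advisory list, records every path that reaches a vulnerable version (not just the first copy), and returns a non-zero exit code that a pull-request check can use to break the build. The tree, the package names (`web-framework`, `query-parser`, `static-server`, `http-client`, `util-lib`), the advisory IDs and the version ranges are all constructed sample data, not real packages or real vulnerabilities; a real check would feed it the actual `npm ls --json` output and a real vulnerability database.

```javascript
'use strict';

// Constructed sample data, not real packages: a dependency tree in the shape
// of `npm ls --json` output. "query-parser" is installed at three places in
// the tree, at two different versions (the "scattered use" problem).
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'web-framework': {
      version: '4.2.0',
      dependencies: {
        'query-parser': { version: '6.1.0' },
        'static-server': {
          version: '1.9.0',
          dependencies: { 'query-parser': { version: '6.1.0' } },
        },
      },
    },
    'http-client': {
      version: '2.7.0',
      dependencies: { 'query-parser': { version: '6.4.0' } },
    },
    'util-lib': { version: '3.10.1' },
  },
};

// Constructed advisory feed, not real vulnerabilities: affected package,
// vulnerable version range, and the first fixed version.
const SAMPLE_ADVISORIES = [
  { id: 'SAMPLE-0001', name: 'query-parser', range: '<6.3.0', fixedIn: '6.3.0' },
  { id: 'SAMPLE-0002', name: 'util-lib', range: '>=3.0.0 <3.10.2', fixedIn: '3.10.2' },
  { id: 'SAMPLE-0003', name: 'web-framework', range: '<4.0.0', fixedIn: '4.0.0' },
];

// Parse "1.2.3" or "v1.2.3" into [major, minor, patch]. Pre-release tags
// ("1.2.3-beta.1") are dropped here; a production checker must handle them.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split('-')[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some((n) => Number.isNaN(n))) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` satisfies every clause of a space-separated comparator
// range such as ">=3.0.0 <3.10.2".
function satisfiesRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Depth-first walk that records EVERY path reaching a vulnerable version.
// Stopping at the first occurrence of a package would miss copies nested
// under other dependencies.
function findVulnerablePaths(tree, advisories) {
  const findings = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = path.concat(name);
      for (const adv of advisories) {
        if (adv.name === name && satisfiesRange(dep.version, adv.range)) {
          findings.push({
            id: adv.id, name, version: dep.version, fixedIn: adv.fixedIn,
            path: here.join(' > '),
            direct: here.length === 2, // declared by the app itself?
            upgradeTarget: here[1],    // the top-level dependency to bump
          });
        }
      }
      walk(dep, here);
    }
  };
  walk(tree, [tree.name]);
  return findings;
}

// CI gate: 1 if anything vulnerable is installed, 0 otherwise. A pull-request
// check would hand this to process.exit() to break the build.
function auditExitCode(tree, advisories) {
  return findVulnerablePaths(tree, advisories).length === 0 ? 0 : 1;
}

for (const f of findVulnerablePaths(SAMPLE_TREE, SAMPLE_ADVISORIES)) {
  const fix = f.direct
    ? 'direct dependency: upgrade it'
    : `transitive: upgrade ${f.upgradeTarget}, or patch in place if that breaks`;
  console.log(`${f.id} ${f.name}@${f.version} (fixed in ${f.fixedIn}) via ${f.path} [${fix}]`);
}
console.log(`audit exit code: ${auditExitCode(SAMPLE_TREE, SAMPLE_ADVISORIES)}`);
```

On the sample tree this reports three findings: the two nested copies of `query-parser@6.1.0` (both reached through `web-framework`, so the only upgrade that removes them is bumping `web-framework`, which is the dependency-chain problem from slide 13) and the direct `util-lib@3.10.1`; `web-framework@4.2.0` is outside its advisory range and `query-parser@6.4.0` under `http-client` is already fixed. When the top-level dependency cannot be upgraded without breakage, that is the point at which "patch when needed" applies.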