Explore the critical topic of package security and dependency management in this 38-minute conference talk by Jess McClintock from Google at the Linux Foundation event. Dive into the concept of Capslock, a CLI tool designed to analyze Go package imports at the callpath level. Learn how restricting package permissions and capabilities can mitigate potential attack vectors, including recent incidents involving malicious code insertion through third-party libraries. Understand the importance of the principle of least privilege within the ecosystem and how increased scrutiny on dangerous capabilities can enhance overall security. Discover how Capslock's approach, inspired by mobile phone permissions systems, helps reduce false positives and prevent alert fatigue by providing more focused and accurate signals. Gain insights into the tool's functionality and its availability for Go on deps.dev, with future support planned for additional programming languages.
Overview
Syllabus
Capslock: Escaping Bad Dependencies - Jess McClintock, Google
Taught by
Linux Foundation
Tags
Related Courses
-
Understanding Supply Chain Threats with Static Analysis - GopherCon 2023
-
Untangle the Secrets of Your JavaScript Dependencies
-
Securing the Software Supply Chain - Go Checksum Database
-
Managing Vulnerabilities in Open-Source Dependencies
-
Dependencies: Do's and Don'ts - Managing Application Dependencies Securely
-
Confessions of a Vulnerable Developer: What Developers Need to Know About Security
