Overview
Explore the critical topic of package security and dependency management in this 38-minute conference talk by Jess McClintock from Google at the Linux Foundation event. Dive into Capslock, a CLI tool designed to analyze the capabilities of Go package imports at the call-path level. Learn how restricting the permissions and capabilities a package can use narrows potential attack vectors, such as those exploited in recent incidents where malicious code was inserted through third-party libraries. Understand the importance of the principle of least privilege within the ecosystem and how increased scrutiny of dangerous capabilities can enhance overall security. Discover how Capslock's approach, inspired by mobile phone permission systems, reduces false positives and prevents alert fatigue by providing more focused and accurate signals. Gain insights into the tool's functionality and its availability for Go on deps.dev, with future support planned for additional programming languages.
Syllabus
Capslock: Escaping Bad Dependencies - Jess McClintock, Google
Taught by
Linux Foundation