Overview
Explore the critical landscape of supply chain attacks in this 44-minute DevSecCon presentation, focusing on vulnerabilities within the NPM ecosystem. Delve into the 'What, Why, and How' of these threats and their far-reaching consequences, with particular emphasis on the risks associated with expired maintainer email addresses in NPM packages. Discover the results of an extensive research project that scanned 2.1 million NPM packages, identifying vulnerabilities and assessing their impact through download statistics. Learn about the methodology employed and gain access to an open-source script for automated vulnerability detection. Examine the history of NPM dependency attacks, review recent vulnerabilities, and acquire strategies to strengthen defenses against such threats. Gain valuable insights into open-source security, develop skills to identify vulnerable NPM dependencies, and learn how to protect your organization from potential attacks. This presentation addresses a crucial gap in current security practices and provides essential knowledge for safeguarding against NPM package vulnerabilities.
Syllabus
Supply Chain Attacks - Focused on NPM attacks with Danish Tariq and Hassan Khan Yusufzai
Taught by
DevSecCon