Overview
Syllabus
Intro
We're going to demonstrate, with data...
About the report
Agenda
Data sources
Biases
Library usage is highly language dependent
Usage rate of popular libraries
SemVer, the closest we can get to a standard...
Definition / implications
Transitive by language (Fig 4)
Direct vs Transitive vulnerabilities (Figs 11-12)
More libraries = more problems? (Fig 13)
Language choice makes a difference (Fig 5)
OWASP Top Ten (Fig 6)
PHP is basically a minefield (Fig 7)
Not all vulnerabilities have exploits (Fig 8)
PoC exploits by OWASP category (Fig 10)
The vulnerability funnel (Fig 14)
Good news: most fixes are minor (Figs 16-17)
Begs many questions
How do the chains end?
Most chains are relatively short...
but it varies by language
Most updates are still small
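The SemVer definition (L11-12), the direct-versus-transitive distinction, the "how do the chains end" question and the observation that most fixes are minor or patch bumps, worked together as one added example. This code is not part of the Black Hat course or the report it discusses; the lockfile-style graph format, the `fixed_in` advisory field and every package name, version and advisory in it are constructed for illustration. It walks a dependency graph from the application root, reports for each vulnerable package whether it is a direct or transitive dependency, how long the shortest chain to it is, which package actually pins it (and so which pin has to move for the chain to end), and classifies the published fix as a major, minor or patch bump under SemVer, flagging the 0.x case where SemVer makes no compatibility promise.

```python
# Added example (not from the Black Hat course or the underlying report): a small
# dependency-chain analyser tying together SemVer bump classification and the
# direct-vs-transitive chain depth of vulnerable libraries.
# All package names, versions and advisories below are constructed sample data.
import re
from collections import deque

# SemVer 2.0.0 grammar: MAJOR.MINOR.PATCH with optional -prerelease and +build metadata.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(text):
    """Return (major, minor, patch, prerelease) or raise ValueError for non-SemVer strings."""
    m = SEMVER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a SemVer version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def bump_type(old, new):
    """Classify the update from old to new as 'major', 'minor', 'patch' or 'none'.
    Prerelease and build metadata are ignored; a downgrade is an error, not a fix."""
    o, n = parse_semver(old)[:3], parse_semver(new)[:3]
    if n < o:
        raise ValueError(f"{new} is older than {old}")
    if n == o:
        return "none"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def may_break(old, new):
    """True when SemVer gives no compatibility promise for the update: a major bump,
    or a minor bump while the major version is still 0 (the spec says a 0.y.z public
    API is not stable; caret ranges in most package managers treat 0.x the same way)."""
    kind = bump_type(old, new)
    major_is_zero = parse_semver(old)[0] == 0
    return kind == "major" or (major_is_zero and kind == "minor")


def shortest_paths(graph, root):
    """Breadth-first search from root; returns {package: [root, ..., package]}
    holding the shortest dependency chain to every reachable package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, {}):
            if dep not in paths:
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def analyze(graph, advisories, root):
    """For each vulnerable package reachable from root, report whether it is a direct or
    transitive dependency, the chain length, which package pins it, and what kind of
    SemVer bump the published fix requires. The resolved version is read from the
    parent on the shortest chain (a real lockfile records it per package)."""
    findings = {}
    for pkg, path in shortest_paths(graph, root).items():
        if pkg not in advisories:
            continue
        parent = path[-2]  # the pin that has to move for this chain to end
        installed = graph[parent][pkg]
        fixed = advisories[pkg]["fixed_in"]
        findings[pkg] = {
            "installed": installed,
            "fixed_in": fixed,
            "depth": len(path) - 1,
            "kind": "direct" if len(path) == 2 else "transitive",
            "chain": " -> ".join(path),
            "pinned_by": parent,
            "bump": bump_type(installed, fixed),
            "may_break": may_break(installed, fixed),
        }
    return findings


# Constructed lockfile-style graph: package -> {dependency: resolved version}.
GRAPH = {
    "app": {"web-framework": "2.3.1", "json-tool": "1.0.4"},
    "web-framework": {"template-lib": "1.8.0", "json-tool": "1.0.4"},
    "template-lib": {"escape-util": "0.4.2"},
    "json-tool": {},
    "escape-util": {},
}
# Constructed advisories for hypothetical packages (no real CVEs): first fixed version.
ADVISORIES = {
    "escape-util": {"fixed_in": "0.4.3"},
    "json-tool": {"fixed_in": "1.1.0"},
}

if __name__ == "__main__":
    findings = analyze(GRAPH, ADVISORIES, "app")
    for pkg, f in sorted(findings.items(), key=lambda kv: kv[1]["depth"]):
        print(f"{pkg}: {f['kind']} at depth {f['depth']} via {f['chain']}; "
              f"{f['installed']} -> {f['fixed_in']} is a {f['bump']} bump"
              f"{' (may break)' if f['may_break'] else ''}; pinned by {f['pinned_by']}")
```

Running it on the constructed graph shows the two shapes the report's funnel and chain slides talk about: `json-tool` is a direct dependency whose fix is a minor bump the application can take itself, while `escape-util` is three hops down and can only be fixed by moving the pin in `template-lib`, even though the fix there is a single patch bump. Swap in a real lockfile walker and an advisory feed and the same classification applies.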
Takeaways
Taught by
Black Hat