Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Small World with High Risks - A Study of Security Threats in the npm Ecosystem

USENIX via YouTube

Overview

Explore a comprehensive analysis of security threats in the npm ecosystem through this 21-minute conference talk from USENIX Security '19. Delve into the potential risks associated with the open nature of npm, including the impact of single packages on millions of computers and the influence of individual maintainers. Examine the systematic study of package dependencies, maintainer responsibilities, and publicly reported security issues. Discover key findings on the potential for running vulnerable or malicious code due to third-party dependencies, and learn about the increasing problem of maintainer account vulnerabilities. Investigate the challenges of accidentally using vulnerable code due to lack of maintenance, even years after vulnerabilities become public. Consider proposed mitigation techniques, such as trusted maintainers and total first-party security, and evaluate their potential effectiveness in addressing npm's single points of failure and the threat of unmaintained packages to large code bases.

Syllabus

Intro
JavaScript and npm
eslint Incident
Key Findings
Particularities of npm
Empirical Study
Experimental Setup
Evolution of Package Reach
Evolution of Maintainer Influence
Evolution of Security Advisories
Potential Mitigations
Code Vetting as Mitigation
Conclusions
Evolution of Dependencies

Taught by

USENIX

Reviews

Start your review of Small World with High Risks - A Study of Security Threats in the npm Ecosystem

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.