Zbyszek Tenerowicz

Oops! Stories of supply chain shenanigans

Can a dependency you never import inject a vulnerability into your application's final build? This talk demonstrates how.

Oops! Stories of supply chain shenanigans
#1about 4 minutes

Understanding software supply chain security in JavaScript

Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.

#2about 1 minute

Using npm audit to find known package vulnerabilities

The `npm audit` command helps identify known vulnerabilities, like prototype pollution in older versions of packages like Lodash.

#3about 3 minutes

Overcoming the challenges of running npm audit in CI

Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.

#4about 4 minutes

Managing security alerts with the npm-audit-resolver tool

The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.

#5about 6 minutes

How malicious packages use postinstall scripts to attack

Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.

#6about 4 minutes

How a malicious package can compromise build tools

A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.

#7about 3 minutes

Defending against malicious scripts with --ignore-scripts

Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.

#8about 3 minutes

Identifying which package scripts are safe to ignore

The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.

#9about 1 minute

A secure workflow for installing NPM dependencies in CI

A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.

#10about 15 minutes

Q&A on package-lock, CSP, and dependency updates

The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Lies we Tell Ourselves As Developers31:13

Lies we Tell Ourselves As Developers

Stefan Baumgartner

A Primer in Single Page Application Security (Angular, React, Vue.js)36:39

A Primer in Single Page Application Security (Angular, React, Vue.js)

Thomas Konrad

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Friend or Foe? TypeScript Security Fallacies27:41

Friend or Foe? TypeScript Security Fallacies

Liran Tal

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor42:55

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Feross Aboukhadijeh

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

From learning to earning

Jobs that call for the skills explored in this talk.