Vandana Verma

Walking into the era of Supply Chain Risks

Your application is 90% open-source code, making it a prime target. See live hacks that exploit common dependencies and learn how to build a secure pipeline.

Walking into the era of Supply Chain Risks
#1about 4 minutes

Developers as an unintentional malware distribution vehicle

Recent incidents like the event-stream package compromise show how attackers can turn developers into a distribution channel for malware.

#2about 4 minutes

The hidden risks of open-source dependencies

Vulnerabilities in common dependencies, like Apache Struts which led to the Equifax breach, highlight the danger of unmanaged open-source code.

#3about 4 minutes

Defining the modern software supply chain

The software supply chain mirrors a manufacturing process, and attackers exploit its weakest links to create cascading failures.

#4about 4 minutes

Common attack vectors and the zero trust principle

Attacks like dependency confusion and prototype pollution, exemplified by the SolarWinds incident, necessitate a zero trust security model.

#5about 4 minutes

Building a foundation for pipeline security

Secure your development pipeline by using frameworks from OpenSSF, implementing SBOMs, and securing code, containers, and secrets.

#6about 4 minutes

Demo: Bypassing sanitization with prototype pollution

A practical demonstration shows how prototype pollution can bypass input validation in a Node.js application by passing an array instead of a string.

#7about 3 minutes

Demo: Exploiting the Log4Shell vulnerability

This live hacking demo shows how the Log4j (Log4Shell) vulnerability allows an attacker to achieve remote code execution on a vulnerable server.

#8about 2 minutes

Demo: Remote code execution via a Python dependency

A vulnerable version of the Python Celery library is exploited to achieve remote code execution and exfiltrate server information.

#9about 1 minute

Fostering a developer-first security culture

The key to better security is creating a developer-friendly environment and engaging with communities like OWASP to stay informed.

#10about 8 minutes

Q&A: Career advice for aspiring security professionals

The speaker shares her career journey, tips for students entering cybersecurity, and thoughts on social engineering and learning resources.

Related jobs
Jobs that call for the skills explored in this talk.

Software Engineer

tree-IT GmbH

tree-IT GmbH
Bad Neustadt an der Saale, Germany

54-80K
Intermediate
Senior
Java
TypeScript
+1

Matching moments

Mitigating supply chain attacks with DevSecOps practices
04:45 MIN

Mitigating supply chain attacks with DevSecOps practices

Security Pitfalls for Software Engineers

Understanding the risks of the modern software supply chain
06:19 MIN

Understanding the risks of the modern software supply chain

Overcome your trust issues! In a world of fake data, Data Provenance FTW

Common attacks targeting software developers
05:49 MIN

Common attacks targeting software developers

Vulnerable VS Code extensions are now at your front door

Modern cybersecurity challenges for developers
03:43 MIN

Modern cybersecurity challenges for developers

Cyber Security: Small, and Large!

Understanding the rising threat to software supply chains
01:46 MIN

Understanding the rising threat to software supply chains

Open Source Secure Software Supply Chain in action

How attackers exploit developers and packages
05:43 MIN

How attackers exploit developers and packages

Vue3 practical development

Understanding the inherent risks of third-party dependencies
03:40 MIN

Understanding the inherent risks of third-party dependencies

Reviewing 3rd party library security easily using OpenSSF Scorecard

Why developers are a prime target for attackers
04:54 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

Featured Partners

Related Videos

See all videos
Stranger Danger: Your Java Attack Surface Just Got Bigger
1:58:59

Stranger Danger: Your Java Attack Surface Just Got Bigger

Vandana Verma Sehgal

Securing Your Web Application Pipeline From Intruders
44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

The attacker's footprint
2:08:06

The attacker's footprint

Antonio de Mello & Amine Abed

You can’t hack what you can’t see
29:34

You can’t hack what you can’t see

Reto Kaeser

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
40:38

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

Anna Bacher

DevSecOps: Security in DevOps
33:20

DevSecOps: Security in DevOps

Aarno Aukia

Real-World Security for Busy Developers
29:50

Real-World Security for Busy Developers

Kevin Lewis

Climate vs. Weather: How Do We Sustainably Make Software More Secure?
51:41

Climate vs. Weather: How Do We Sustainably Make Software More Secure?

Panel Discussion

Related Articles

View all articles
Benedikt Bischof
Walking Into The Era of Supply Chain Risks
Welcome to this issue of the WeAreDevelopers Live Talk series. This article recaps an interesting talk by Vandana Verma who introduced the audience interesting topic of supply chain risks.About the Speaker:Vandana is Security Solutions Architect at S...
Walking Into The Era of Supply Chain Risks
Christina Schaireiter
Why Attend a Developer Event?
Modern software engineering moves too fast for documentation alone. Attending a world-class event is about shifting from tactical execution to strategic leadership. Skill Diversification: Break out of your specific tech stack to see how the industry...
Why Attend a Developer Event?
Daniel Cranney
The Overflow: 5 Security and Privacy Tools for Developers
We’re back again with another edition of the Overflow, where we share some of the best tools we’ve found from around the web that we just couldn’t cram into the already jam-packed editions of the Dev Digest. So let’s take a look at five security and ...
The Overflow: 5 Security and Privacy Tools for Developers

From learning to earning

Jobs that call for the skills explored in this talk.