Feross Aboukhadijeh
Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
#1about 5 minutes
How the xz backdoor exploited maintainer burnout
The xz attack highlights how maintainer burnout creates opportunities for malicious actors to gain trust and take over critical open source projects.
#2about 4 minutes
A historical parallel with the event-stream NPM hack
The 2017 event-stream hack demonstrates a similar pattern of social engineering and highlights how lucky discoveries often expose these backdoors.
#3about 9 minutes
The growing problem of dependency bloat and rot
Modern package managers encourage massive dependency trees, which often include outdated or unnecessary packages that increase the attack surface.
#4about 10 minutes
Detecting protestware and other malicious behaviors
Automated tooling is essential for detecting malicious code like protestware by analyzing package behavior for suspicious activities like file deletion or network access.
#5about 4 minutes
The critical trade-offs of auto-updating dependencies
While updating dependencies protects against known vulnerabilities, updating too quickly can expose you to new, undiscovered supply chain attacks before the community finds them.
#6about 10 minutes
Taking responsibility for your software supply chain
Developers must take responsibility for their dependencies by using lock files, leveraging analysis tools, and understanding that open source transparency aids discovery but doesn't guarantee immediate safety.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
04:23 MIN
How malicious actors infiltrate open source projects
Reviewing 3rd party library security easily using OpenSSF Scorecard
08:22 MIN
How attackers exploit developers and packages
Vue3 practical development
08:16 MIN
Common attacks targeting software developers
Vulnerable VS Code extensions are now at your front door
27:19 MIN
Key takeaways on IDE and developer tool security
You click, you lose: a practical look at VSCode's security
18:24 MIN
The crisis of open source developer sustainability
The Future of Open Source
00:03 MIN
Why developers are a prime target for attackers
You click, you lose: a practical look at VSCode's security
11:13 MIN
The danger of dependency confusion in NPM packages
Security in modern Web Applications - OWASP to the rescue!
10:37 MIN
Demonstrating a supply chain attack using NPM hooks
Hacking Kubernetes: Live Demo Marathon
Featured Partners
Related Videos
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
43:57Oops! Stories of supply chain shenanigans
Zbyszek Tenerowicz
44:11Vulnerable VS Code extensions are now at your front door
Raul Onitza-Klugman & Kirill Efimov
24:01What The Hack is Web App Sec?
Jackie
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
26:28Security Blindspots and How to Learn About Them - Anna Oliveira
Anna Oliveira
25:39Coffee with Developers - Robby Russell
Robby Russell
26:59Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
From learning to earning
Jobs that call for the skills explored in this talk.
Embedded Security Engineer - Schwachstellenanalyse | Car IT | Secure Coding
Prognum Automotive GmbH
Remote
C++
Senior Security Engineer - (Offensive)
SonarSource
Remote
Senior
Bash
Azure
Python
Amazon Web Services (AWS)
+1