DEV Community

Play Button Pause Button

Live Exploiting Your Open Source Dependencies with Brian Vermeer

Bio

Developer Advocate for Snyk and Software Engineer with over 10 years of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is an Oracle Groundbreaker Ambassador, Utrecht JUG Co-lead, Virtual JUG organizer and Co-lead at MyDevSecOps. He is a regular international speaker on mostly Java-related conferences like JavaOne, Oracle Code One, Devoxx BE, Devoxx UK, Jfokus, JavaZone and many more. Besides all that Brian is a military reserve for the Royal Netherlands Air Force and a Taekwondo Master / Teacher.

Outline

Open source modules are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user's data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. We'll live hack exploits like the classic struts vulnerability that recently made it famous, along with Spring Break and several others.

Here is a download link to the talk slides (PDF)


This talk will be presented as part of CodeLand:Distributed on July 23. After the talk is streamed as part of the conference, it will be added to this post as a recorded video.

Top comments (38)

Collapse
 
nicolehopkins7 profile image
Nicole Hopkins

As a beginner, this is all new to me but glad I'm learning it now rather than later!

Collapse
 
terceranexus6 profile image
Paula

So happy to hear about security through development, thanks for introducing this topic, Brian.

Collapse
 
ben profile image
Ben Halpern

Yeah definitely

Collapse
 
kelseyhuse30 profile image
Kelsey Huse

Wow. This talk makes me pretty scared. But also makes me feel like I want to learn how to hack :)

Collapse
 
rachelnovick profile image
Rachel Novick

I feel exactly the same! I'm definitely going to dive down a DevOps rabbit hole to try to learn more.

Collapse
 
ben profile image
Ben Halpern

I think that's exactly how the talk should make us feel πŸ˜…

Collapse
 
dhruvgarg79 profile image
Dhruv garg

This talk is so important, dependencies break code many times.

Collapse
 
rachelnovick profile image
Rachel Novick

Wow, this is really eye-opening! I never thought about the fact that we borrow so much.

Collapse
 
ben profile image
Ben Halpern

The "left pad" moment was a real moment for my own discovery here πŸ˜„

Collapse
 
ben profile image
Ben Halpern

This is must-watch.

Collapse
 
omarkhatib profile image
Omar

Thanks for the talk Brian.

Collapse
 
ckn00b profile image
Christian

what a super interesting person

Collapse
 
daniel13rady profile image
Daniel Brady • Edited

I just transitioned from product engineer to DevOps this quarter, and starting to learn to I should care about these things. Thank you so much for your contribution, @brianverm !

Collapse
 
terceranexus6 profile image
Paula

I'm having a lot of fun, I'm loving this, I'm only missing a popcorn bag here. How smoothly you are breaking things!