Zbyszek Tenerowicz
Oops! Stories of supply chain shenanigans
#1about 4 minutes
Understanding software supply chain security in JavaScript
Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.
#2about 1 minute
Using npm audit to find known package vulnerabilities
The `npm audit` command helps identify known vulnerabilities, like prototype pollution in older versions of packages like Lodash.
#3about 3 minutes
Overcoming the challenges of running npm audit in CI
Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.
#4about 4 minutes
Managing security alerts with the npm-audit-resolver tool
The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.
#5about 6 minutes
How malicious packages use postinstall scripts to attack
Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.
#6about 4 minutes
How a malicious package can compromise build tools
A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.
#7about 3 minutes
Defending against malicious scripts with --ignore-scripts
Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.
#8about 3 minutes
Identifying which package scripts are safe to ignore
The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.
#9about 1 minute
A secure workflow for installing NPM dependencies in CI
A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.
#10about 15 minutes
Q&A on package-lock, CSP, and dependency updates
The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
10:37 MIN
Demonstrating a supply chain attack using NPM hooks
Hacking Kubernetes: Live Demo Marathon
08:22 MIN
How attackers exploit developers and packages
Vue3 practical development
11:13 MIN
The danger of dependency confusion in NPM packages
Security in modern Web Applications - OWASP to the rescue!
08:16 MIN
Common attacks targeting software developers
Vulnerable VS Code extensions are now at your front door
05:28 MIN
A historical parallel with the event-stream NPM hack
Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
30:19 MIN
Managing security risks in third-party dependencies
A Primer in Single Page Application Security (Angular, React, Vue.js)
00:02 MIN
Developers as an unintentional malware distribution vehicle
Walking into the era of Supply Chain Risks
00:14 MIN
Understanding the risks in your software supply chain
How your .NET software supply chain is open to attack : and how to fix it
Featured Partners
Related Videos
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
27:41Friend or Foe? TypeScript Security Fallacies
Liran Tal
42:55Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
Feross Aboukhadijeh
37:36Walking into the era of Supply Chain Risks
Vandana Verma
26:59Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
44:11Vulnerable VS Code extensions are now at your front door
Raul Onitza-Klugman & Kirill Efimov
30:54Cross Site Scripting is yesterday's news, isn't it?
Martina Kraus
From learning to earning
Jobs that call for the skills explored in this talk.
