Unsolved Problems in Open Source Security

Linux Foundation via YouTube

Current video: Uncapped Version Ranges Are An Antipattern (18 of 23)

Class Central Classrooms (beta): YouTube videos curated by Class Central.

Classroom Contents

  1. Intro
  2. Open Source Security: Navigating the Iceberg
  3. The Enemy Gets a Vote
  4. Dependency Maturity Levels
  5. Open Source Detection
  6. Security Notifications
  7. Remediating Open Source Vulnerabilities
  8. Important: Vulnerable vs Malicious Packages
  9. Malicious Packages • Bad from the start - Typosquatting
  10. Identity Concepts
  11. Identity: Risk and Reward • Package compromise rewards are mostly predictable: • Stolen credentials
  12. FA Challenges • Transitive dependencies
  13. Security Multipliers
  14. Why Malicious Updates Are Missed
  15. Open Source Updates: Inconvenient To Review • Source control platforms are designed for reviewing your code, not someone else's you imported
  16. All things equal, Decentralized makes Security Worse • Whenever a malicious package is discovered, the first instinct is: Why didn't the registry detect this, and how long did it take them to remove
  17. SemVer Range Example
  18. Uncapped Version Ranges Are An Antipattern
  19. Version Selection: The Way Forward
  20. 1. Better Open Source Publishing Protection - Single factor authentication is unacceptable • Registries should ideally allow enforcing of 2FA for publishing • Consumers can elect to use dependencies …
  21. 2. Verifiable Source Code using Reproducible Builds • There's no point reviewing for malicious code if we're scanning the wrong code to begin with - Non-reproducible builds should be a code smell, li…
  22. Open Source Dependencies Should Be Sandboxed • Today's approach to malicious open source packages can be compared to Windows 95 pre-malware tsunami • Unfortunately, no relief in sight from language e…
  23. Package Managers Implement Minimal Selection • It's madness that a malicious package release can be installed accidentally seconds after it's published, without anybody reviewing it • Minimal Version…