The Code You Reviewed is Not the Code You Built

Gopher Academy via YouTube

Overview

Explore the critical security gap between source code review and actual build artifacts in this conference talk that examines how malicious actors can exploit the disconnect between what developers see and what gets executed. Learn about Ken Thompson's foundational "Reflections on trusting trust" principle and its modern implications for Go development through a detailed analysis of a real-world attack on the boltdb package ecosystem. Discover how attackers used sophisticated techniques including typosquatting and git tag manipulation to create decoy code on GitHub that appeared legitimate during security reviews while delivering malicious payloads in the actual build process. Understand the limitations of traditional source code reviews in detecting these multi-layered deception tactics and examine the broader implications for open source software consumption and supply chain security. Gain insights into developing more robust trust models that account for the entire build pipeline, not just the visible source code, and learn practical strategies for protecting against similar attacks in Go module dependencies.

Syllabus

GopherCon 2025: The Code You Reviewed is Not the Code You Built - Jess McClintock

Taught by

Gopher Academy
