Overview
Explore proactive security measures for open source development through this 29-minute conference talk that addresses the critical gap between reviewed source code and built artifacts. Learn about the limitations of traditional source code reviews in preventing supply chain attacks, drawing from Ken Thompson's "Reflections on Trusting Trust" and examining real-world examples like the xz and boltdb-go attacks. Discover Capslock, an open source CLI tool for analyzing Go packages that can detect discrepancies between a package's advertised and actual permissions. Understand how integrating capability information into public data sources like deps.dev and guided code review systems enables developers to shift security left and build greater confidence when consuming open source packages. Gain insights into novel methods for analyzing the code that actually gets built, moving beyond surface-level source reviews to identify potential security threats before they impact your projects.
Syllabus
Trust, but Verify: Proactive Security in Open Source - Eve Martin-Jones, Google
Taught by
Linux Foundation