
Proposal Presentation Week 6 - updated #2525

Merged
merged 11 commits into from
Sep 26, 2024

Conversation

JosKuo
Contributor

@JosKuo JosKuo commented Sep 23, 2024

Assignment Proposal

Title

The event-stream incident - vulnerabilities of open source dependencies and possible mitigations.

Names and KTH ID

Deadline

  • Week 6

Category

  • Presentation

Description

We are going to bring light to the topic of using third-party libraries without caution, using the event-stream incident as an example. We will highlight some key reasons for these attacks, such as blind trust, handing over projects insecurely, non-present security checks, and the trade-off between security and openness.

We will then go over three mitigations to resolve this issue.

  • Dependency pinning. That is, requiring specific versions of libraries rather than ranges, to prevent auto-updates from pulling in malicious versions.
  • Using lockfiles (such as package-lock.json in npm) to record the exact versions of installed packages, minimizing the risk of unintended updates.
  • Scanning for known vulnerabilities in the dependencies using npm audit.

Relevance

In DevOps, automation often relies on third-party libraries, and this incident demonstrates the vulnerability of open-source dependencies. Ensuring the security of external code is crucial, as compromised libraries can introduce security risks into the CI/CD pipeline without immediate detection.
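The first two mitigations listed in the proposal (pinning exact versions and keeping a lockfile) can be checked mechanically. The script below is an added example, not part of this pull request or of the course repository: it flags every dependency in a package.json whose version spec is a range rather than an exact version, and cross-checks each declared dependency against a package-lock.json to catch packages that are missing from the lockfile or whose locked version has drifted from the pinned one. The manifest and lockfile it runs on are constructed sample data; the package names in them are placeholders, and the lockfile reading assumes the `packages` layout of npm v7+ (with a fallback to the older `dependencies` layout).

```javascript
// Added example (not from the original PR): audit a package.json for
// unpinned dependency specs and check it against a package-lock.json.
// All inputs below are constructed sample data, not a real project.

// A spec counts as pinned only if it is one exact semver version, optionally
// with prerelease/build metadata, e.g. "4.0.1" or "4.0.1-beta.2".
// Anything else (^, ~, >=, *, "latest", dist-tags, git/URL specs) lets
// `npm install` resolve to a release nobody on the team reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Look up the version the lockfile recorded for a top-level dependency.
// npm v7+ lockfiles list installed packages under "packages", keyed by
// "node_modules/<name>"; older lockfiles use "dependencies" keyed by name.
function lockedVersion(lock, name) {
  const v7 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v7 && v7.version) return v7.version;
  const v6 = lock.dependencies && lock.dependencies[name];
  return v6 && v6.version ? v6.version : null;
}

// Returns { <dependency name>: [problem, ...] } for every dependency that is
// not pinned, is absent from the lockfile, or disagrees with the lockfile.
function auditDependencies(pkg, lock) {
  const findings = {};
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const problems = [];
      const pinned = isPinned(spec);
      if (!pinned) problems.push(`unpinned range "${spec}"`);
      const locked = lockedVersion(lock, name);
      if (locked === null) {
        problems.push('not recorded in package-lock.json');
      } else if (pinned && locked !== spec) {
        problems.push(`lockfile has ${locked}, package.json pins ${spec}`);
      }
      if (problems.length) findings[name] = problems;
    }
  }
  return findings;
}

// Constructed sample manifest: one pinned dep, a caret range, a wildcard,
// and a tilde range in devDependencies. Package names are placeholders.
const samplePackageJson = {
  name: 'sample-app',
  dependencies: {
    'left-pad': '1.3.0',
    'example-lib': '^2.1.0',
    'another-lib': '*',
  },
  devDependencies: {
    'test-tool': '~5.0.0',
  },
};

// Constructed sample lockfile (npm v7+ layout): 'another-lib' was never
// recorded, and 'left-pad' drifted from the version pinned above.
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/left-pad': { version: '1.3.1' },
    'node_modules/example-lib': { version: '2.1.4' },
    'node_modules/test-tool': { version: '5.0.2' },
  },
};

const report = auditDependencies(samplePackageJson, samplePackageLock);
console.log(JSON.stringify(report, null, 2));
```

In a CI job the two objects would be read from the repository's own package.json and package-lock.json, and a non-empty report would fail the build. Note that pinning in package.json only covers direct dependencies; the transitive tree (where the malicious event-stream dependency was introduced) is fixed only by the lockfile, which is why the two mitigations belong together.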

@algomaster99 algomaster99 self-assigned this Sep 26, 2024
@algomaster99 algomaster99 merged commit 1f51eda into KTH:2024 Sep 26, 2024
4 checks passed
@algomaster99
Collaborator

Looking forward to it!
