OWASP Netherlands
June 20 2024
Location: VU, Amsterdam
Address: De Boelelaan 1105
Please register via: https://www.meetup.com/owasp-chapter-netherlands-meetup/events/300855942
18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Ship Happens: The Stormy Seas of Supply Chain Security by David Archer
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Technical leverage: dependencies are a mixed blessing by Fabio Massacci
Ship Happens: The Stormy Seas of Supply Chain Security
Abstract:
“The more I know about how software is made, the less I want to know” - Me
As a software developer with over a decade of experience and countless interactions with application security teams, I’ve discovered the unsettling complexities of modern software production. Despite what I thought I knew, the reality was far more intricate.
Modern software development is a sprawling network of open-source dependencies, sophisticated build tools, plugins, pipelines, and runtimes. These components are fundamental in securing critical sectors of our daily lives—finance, healthcare, infrastructure, transportation, and social interactions. However, this supply chain is under relentless attack and many of the potential threats are poorly understood.
This talk will delve into specific vulnerabilities, such as dependency poisoning and pipeline compromises, that exemplify the challenges we face. We’ll explore strategies to mitigate these threats and discuss practical takeaways that attendees can immediately implement in their software development practices. Expect to leave with a deeper understanding of supply chain security and with ideas to fortify your software factory against these escalating threats.
Bio:
David Archer:
Seeking to help address this balance, David took an opportunity in 2018 to work full-time in the field of application security, with a particular focus on technologies that promise to enhance security without impeding development speed. Through his extensive experience with secure coding practices and hands-on experience with the myriad of code analysis tools like IAST, SAST, DAST, RASP and SCA, he gained valuable insights into their relevance and effectiveness in a modern software factory.
Technical leverage: dependencies are a mixed blessing
Abstract:
Modern applications are built upon a large supply chain of (possibly open source) libraries and tools. In finance, leverage is the ratio of debts (other people’s money) to equity (your money), and Lehman Brothers made that concept famous. For software, technical leverage is the ratio between other people’s code and your own code. I will argue with some examples from the Maven, Python and NPM ecosystems that this is both a risk and an opportunity. Lehman Brothers was 30 to 1; what about the Software Sisters?
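The ratio described in the abstract can be measured on a real dependency graph. The following is an added example, not part of the event page or the speaker's material: it computes technical leverage for a small constructed ecosystem (package names and line counts are made up), both over direct dependencies and over everything reachable transitively. The direct/transitive split and the breakdown of which dependency contributes most are assumptions added here to show where the "risk" side of leverage concentrates.

```python
"""Technical leverage on a constructed dependency graph (added example).

Technical leverage = (lines of code you depend on) / (lines of code you wrote).
Nothing here refers to real packages; the ecosystem below is constructed.
"""
from collections import deque

# Constructed sample: package -> (size in lines of code, direct dependencies).
# "my-app" is the project whose leverage we measure.
SAMPLE_ECOSYSTEM = {
    "my-app":       (4_000,  ["web-fw", "http-client"]),
    "web-fw":       (30_000, ["template-eng", "http-client"]),
    "http-client":  (12_000, ["url-parse"]),
    "template-eng": (8_000,  []),
    "url-parse":    (3_000,  []),
}


def transitive_dependencies(root, ecosystem):
    """Breadth-first walk from root; returns every reachable package except root.

    The `seen` set makes the walk terminate on cyclic graphs, which real
    ecosystems (npm in particular) do contain.
    """
    seen = set()
    queue = deque(ecosystem[root][1])
    while queue:
        pkg = queue.popleft()
        if pkg == root or pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(ecosystem[pkg][1])
    return seen


def technical_leverage(root, ecosystem):
    """Return (direct_leverage, transitive_leverage) for root.

    direct_leverage counts only declared dependencies; transitive_leverage
    counts the whole closure, which is the code that actually ships.
    """
    own = ecosystem[root][0]
    direct = sum(ecosystem[d][0] for d in ecosystem[root][1])
    transitive = sum(ecosystem[d][0] for d in transitive_dependencies(root, ecosystem))
    return direct / own, transitive / own


def leverage_breakdown(root, ecosystem):
    """Share of the transitive dependency code contributed by each package,
    largest first, so a reviewer can see which dependency dominates the ratio."""
    deps = transitive_dependencies(root, ecosystem)
    total = sum(ecosystem[d][0] for d in deps)
    shares = [(d, ecosystem[d][0] / total) for d in deps]
    return sorted(shares, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    direct, transitive = technical_leverage("my-app", SAMPLE_ECOSYSTEM)
    print(f"direct leverage:     {direct:.2f} : 1")
    print(f"transitive leverage: {transitive:.2f} : 1")
    for pkg, share in leverage_breakdown("my-app", SAMPLE_ECOSYSTEM):
        print(f"  {pkg:<14} {share:6.1%} of dependency code")
```

On this sample the project writes 4,000 lines and ships 53,000 lines of other people's code, so the transitive ratio is 13.25 : 1 while the declared dependencies alone suggest 10.5 : 1. The gap between the two numbers is the part of the supply chain that no one in the project chose explicitly; replacing the constructed table with sizes pulled from a real lockfile is the only change needed to run the same measurement on an actual project.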