DEV Community


Live Exploiting Your Open Source Dependencies with Brian Vermeer

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻 on July 23, 2020

Bio: Developer Advocate for Snyk and Software Engineer with over 10 years of hands-on experience in creating and maintaining software. He...

Nicole Hopkins

As a beginner, this is all new to me but glad I'm learning it now rather than later!

Paula

So happy to hear about security through development, thanks for introducing this topic, Brian.

Ben Halpern

Yeah definitely

Kelsey Huse

Wow. This talk makes me pretty scared. But also makes me feel like I want to learn how to hack :)

Rachel Novick

I feel exactly the same! I'm definitely going to dive down a DevOps rabbit hole to try to learn more.

Ben Halpern

I think that's exactly how the talk should make us feel 😅

Dhruv garg

This talk is so important, dependencies break code many times.

Rachel Novick

Wow, this is really eye-opening! I never thought about the fact that we borrow so much.

Ben Halpern

The "left pad" moment was a real moment for my own discovery here 😄

Ben Halpern

This is must-watch.

Omar

Thanks for the talk Brian.

Christian

what a super interesting person

Daniel Brady

I just transitioned from product engineer to DevOps this quarter, and I'm starting to learn that I should care about these things. Thank you so much for your contribution, @brianverm !

Paula

I'm having a lot of fun, I'm loving this, I'm only missing a popcorn bag here. How smoothly you are breaking things!

Rmartinez75

He is so informative. I want to be him when I "grow up"

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻

Don't ever grow up :)
At least that is what they told me ;)

Rmartinez75

I wish I would've gotten that advice! Guess that's why I'm starting my coding journey so late! I'm very interested in dev sec ops. I never knew that existed before your talk. Thanks again.

Maisha

Are there any recommended sources for learning more about DevSecOps and how to implement it? Specifically towards an organization that is not yet using DevOps but would like to?

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻

There is a bunch of stuff.

Jonathan Yeong

Are there tools to check if your site is secure? This talk is definitely highlighting the fact that I need to learn security!

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻

Take a look at snyk.io to help you out.
Another cool thing would be to install the Vuln Cost extension if you are using VSCode

Jonathan Yeong

Thank you so much for answering my question. That's a great tip!

spiritupbro

Man, I love Snyk. I merge every pull request you make, I don't even review it. So cool, man.

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻

Always good to hear this nori

Arit Developer

Looking forward to learning a lot from this talk 🔥

KanjooM

Thanks Brian. A real eye-opener.

Petr Janik

Cool exploits!

SpicyC

Just scored some #CodelandDistributed Swag :)

Hugo

Amazing talk!

Esmeralda Samarripa

This talk was so interesting! I can't wait to dig into this more!

Dan Newton

After listening to Darknet Diaries, this is the first time I've watched someone do something hacky, so cool!

Dangeranger

This exploit sounds like Arbitrary Code Execution as a Service.

Byonca H.

This talk is a great reminder to really mind the dependencies you introduce to your application.

mattienodj

LOL. Yeah. Hot garbage in JS.

Crystal

This is all so interesting!!

Linda Thompson

Great talk! Security is so important. Integration between each group is a great thing!

Pacharapol Withayasakpunt

Of course I want to update dependencies, but only if I'm 100% sure that the main code doesn't break.

Also, why would I update devDependencies, if it doesn't go into production, anyway?

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻

Not saying you must do anything :)
I totally get your point with dev deps. Snyk, for instance, will omit the dev deps by default when scanning. However, you can change that if you like.

On the 100% comment. This is true! But I assume you have tests in place that will cover the critical paths at the very least. However, when a dependency has vulns, you should IMO switch to a fixed version (or another library) and adapt the rest of your application.

Either way, having a solid dependency management strategy in place is crucial.
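The devDependencies exchange above (a scanner skips dev deps by default, and you opt in when you want them covered) in working form, as an added example that is not code from the talk or from Snyk's tooling. It audits a constructed, lockfile-style map of resolved versions against a constructed advisory table; every package name, version and `SAMPLE-n` identifier is made up for illustration, and a real tool would read the tree from your lockfile and the advisories from a vulnerability database.

```javascript
// Added example, not code from the talk or from Snyk. Audits a lockfile-style
// map of resolved versions against an advisory table, skipping devDependencies
// unless the caller opts in. All package names, versions and SAMPLE-n ids below
// are constructed for illustration.

// Constructed lockfile-style input: name -> resolved version (no ranges).
const sampleLock = {
  dependencies: {
    "example-http-client": "0.9.2",
    "example-string-pad": "1.3.0",
  },
  devDependencies: {
    "example-test-runner": "2.3.1",
  },
};

// Constructed advisory table: name -> affected ranges [introducedIn, fixedIn).
const sampleAdvisories = {
  "example-http-client": [{ id: "SAMPLE-1", introducedIn: "0.0.0", fixedIn: "1.0.0" }],
  "example-string-pad": [{ id: "SAMPLE-2", introducedIn: "1.0.0", fixedIn: "1.2.0" }],
  "example-test-runner": [{ id: "SAMPLE-3", introducedIn: "2.0.0", fixedIn: "2.4.0" }],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; anything else (ranges, prereleases)
// is rejected so a bad input cannot silently pass as "not vulnerable".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison per component: "1.10.0" sorts after "1.9.0", which a
// plain string comparison would get wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is affected when introducedIn <= version < fixedIn.
function isAffected(version, advisory) {
  return compareVersions(version, advisory.introducedIn) >= 0 &&
    compareVersions(version, advisory.fixedIn) < 0;
}

// Walk production dependencies, and devDependencies only when includeDev is set.
function audit(lock, advisories, { includeDev = false } = {}) {
  const scopes = [["dependencies", "prod"]];
  if (includeDev) scopes.push(["devDependencies", "dev"]);
  const findings = [];
  for (const [field, scope] of scopes) {
    for (const [name, version] of Object.entries(lock[field] || {})) {
      for (const adv of advisories[name] || []) {
        if (isAffected(version, adv)) {
          findings.push({ name, version, scope, id: adv.id, fixedIn: adv.fixedIn });
        }
      }
    }
  }
  return findings;
}

// Human-readable summary; the remediation line follows the advice in the thread:
// move to the fixed version (or another library) and let your tests catch breakage.
function formatReport(findings) {
  if (findings.length === 0) return "no known vulnerable dependencies";
  return findings
    .map(f => `${f.scope}: ${f.name}@${f.version} affected by ${f.id}, upgrade to >=${f.fixedIn}`)
    .join("\n");
}

console.log("-- production scope only (default) --");
console.log(formatReport(audit(sampleLock, sampleAdvisories)));
console.log("-- including devDependencies --");
console.log(formatReport(audit(sampleLock, sampleAdvisories, { includeDev: true })));
```

With the default scope only `example-http-client` is reported; passing `includeDev: true` adds the test runner, and `example-string-pad` at 1.3.0 is never reported because it is already past its fixed version. Two things worth keeping when you build on this: compare versions numerically rather than as strings, and walk transitive dependencies from the lockfile as well, since a direct dependency that is clean can still pull in an affected one.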