Hackers of India

The Curious case of knowing the unknown

By Vandana Verma Sehgal on 15 Oct 2021 @ Rootcon


Presentation Material

Abstract

Modernising applications is the need of the hour. However, we still see vulnerabilities creeping in. When loopholes in applications (legacy, desktop, web, mobile, microservices) are exploited, they can give threat actors visibility into, and access to, the organisation’s data.

According to one piece of research, 96.8% of the code on the internet is open source. With open source eating up the whole internet, it becomes imperative to understand how it is used: if open source libraries are not used properly or updated on time, they can make applications severely vulnerable. In this talk, we will find the hidden treasures within open source projects and try to see how we can find them before someone else does.

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker emphasizes the importance of being aware of what is installed in one’s development environment; a lack of awareness leads to trouble when something goes wrong. The speaker suggests regularly scanning the ecosystem using the various tools and technologies available, from open source to commercial options. It is crucial to understand one’s own ecosystem and to maintain a cordial relationship between developers and security teams.

The speaker also highlights the issue of indirect dependencies: even when a vulnerability is fixed upstream in a dependency that the application only depends on indirectly, the application still needs to pick up that fix. The consequences of not keeping the ecosystem updated can be severe, allowing unauthorized access and potential takeover of accounts.

The speaker shares a personal experience in which a medium-severity vulnerability became critical due to code changes, and emphasizes the importance of knowing one’s ecosystem before others do. This knowledge can help prevent damage.

Finally, the speaker touches on supply chain security, emphasizing the need to maintain a software bill of materials (SBOM) as part of securing the supply chain and to fix issues before they are exploited. The speaker concludes by inviting everyone to join Sneak Con, an open-source event in October, and encourages the use of superpowers to build something good and secure.
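The two points above, that a transitive dependency can carry a vulnerability the application never asked for directly, and that an SBOM-style inventory is what lets you find it, can be shown with a small script. The following is an added example written for this page, not code from the talk or from any tool the speaker mentions. The lockfile, package names, versions and advisory entries are all constructed for illustration; the same walk applies to a real lockfile once it is flattened into the same name@version -> dependencies shape.

```python
from collections import deque

# Constructed sample: a flattened dependency manifest, in the shape a
# lockfile would give after parsing. Each "name@version" maps to the
# exact coordinates of its direct dependencies. All names are made up.
LOCKFILE = {
    "my-app@1.0.0": ["web-framework@2.3.1", "json-parser@1.8.0"],
    "web-framework@2.3.1": ["template-engine@4.0.2", "http-client@0.9.5"],
    "template-engine@4.0.2": ["string-utils@1.1.0"],
    "http-client@0.9.5": ["string-utils@1.1.0"],
    "json-parser@1.8.0": [],
    "string-utils@1.1.0": [],
}

# Constructed advisory feed (hypothetical): package -> affected versions
# and the version in which the maintainer shipped the fix.
ADVISORIES = {
    "string-utils": {"vulnerable": {"1.1.0"}, "fixed_in": "1.1.1"},
}


def build_inventory(lockfile, root):
    """Breadth-first walk from the application root.

    Returns {coordinate: (depth, path)} where depth 1 is a direct
    dependency and path is the chain from root down to that package.
    The first (shortest) path to each package is kept.
    """
    inventory = {root: (0, [root])}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        depth, path = inventory[pkg]
        for dep in lockfile.get(pkg, []):
            if dep not in inventory:
                inventory[dep] = (depth + 1, path + [dep])
                queue.append(dep)
    return inventory


def to_sbom(inventory):
    """Minimal SBOM-style component list: name, version and depth."""
    components = []
    for coord, (depth, _) in inventory.items():
        name, _, version = coord.rpartition("@")
        components.append({"name": name, "version": version, "depth": depth})
    return sorted(components, key=lambda c: (c["name"], c["version"]))


def find_vulnerable(inventory, advisories):
    """Match every inventoried component against the advisory feed.

    Each finding records whether the package is direct or transitive and
    the dependency chain that pulls it in, which is what tells you which
    direct dependency has to be bumped before the upstream fix reaches you.
    """
    findings = []
    for coord, (depth, path) in inventory.items():
        name, _, version = coord.rpartition("@")
        adv = advisories.get(name)
        if adv and version in adv["vulnerable"]:
            findings.append({
                "package": name,
                "version": version,
                "kind": "direct" if depth == 1 else "transitive",
                "path": " -> ".join(path),
                "fixed_in": adv["fixed_in"],
            })
    return findings


if __name__ == "__main__":
    inv = build_inventory(LOCKFILE, "my-app@1.0.0")
    for component in to_sbom(inv):
        print(f"{component['name']}=={component['version']} (depth {component['depth']})")
    for finding in find_vulnerable(inv, ADVISORIES):
        print(f"[{finding['kind']}] {finding['package']}@{finding['version']} "
              f"fixed in {finding['fixed_in']} via {finding['path']}")
```

Running it lists six components and one finding: string-utils 1.1.0 is vulnerable, it is transitive (depth 3), and the path shows it arrives through web-framework and template-engine. The fix already exists upstream in 1.1.1, but my-app stays exposed until template-engine (or web-framework) is updated to a release that requires it, which is exactly the indirect-dependency problem the summary describes.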

The key takeaway is to be aware of what you have installed in your development environment, regularly scan your ecosystem, maintain a cordial relationship between developers and security teams, and prioritize supply chain security.