How to Hack and Defend (Your) Open Source?
You may ask: “I work for a commercial company and I don’t develop in the open, so why should I care about open source security?” Counter question: “How often do you reuse a third-party tool or library in your day-to-day work?” Always: PyPI, npm, etc. Sometimes you don’t even realize it, because it’s natural, isn’t it? Let’s talk about common and unusual (possibly hidden from the public, but still interesting) techniques for compromising your company’s assets within minutes, thanks to the unlimited power of today’s open source realm. I’ll also share the most useful frameworks and tools that really help, even if you don’t have an army of security professionals and your budget is tight. Zero commercials or promotion, only practical cases and the best tools. Usually, software developers find either academic information (like tons of standards) or scattered data about how to consume third parties securely and include the essential security steps in a CI/CD pipeline. I know that it’s scary and doesn’t make sense, because I have worked a lot with SMBs and startups. My talk will be practical and reveal examples and approaches that really work. It will be most beneficial for dev teams that are not focused on security or are just about to start their journey; that will be the “defend” part. We also address the “hack” part to show where the “actual” risk lives.
About the Speaker
Roman Zhukov is a practicing cybersecurity expert and engineer (13+ years in the industry) and (ISC)2 CC (Certified in Cybersecurity). Experienced in the Security Development Lifecycle (SDL): launching and implementation; bringing products and services to market; managing complex security projects; advising customers on cybersecurity strategy and business development; managing pentest and AppSec teams. Current role: responsible for software security at Intel, helping teams grow in security and managing Product Security programs at Intel; recognized as an Intel Blue Belt in Security. Engaged in industry open source security initiatives; member of several OpenSSF working groups. Public speaker and security evangelist. Trainer at universities and commercial educational centers. Mentor and consultant for startups.