Patch and Breach: Traditional Security == Pwn3d

It’s Friday afternoon, and a new version of one of your critical dependencies is available for your software project. You KNOW your firm’s security team will be all over you next week to upgrade, and newer is always better anyway, right? You think nothing of running the build one more time to pull in the latest version, have a relaxing weekend, and show up at the office on Monday… to find a dumpster fire! What happened?! Unbeknownst to you, the package you upgraded on Friday was poisoned, and it has now impacted systems throughout your entire firm.

This story might sound like fiction, but reality is stranger than fiction. We will discuss how this happens by examining two examples of poisoned projects and their impacts. Additionally, we will share three ways to protect yourself and your organization when using open-source components in your projects.

Tom Hastings

Tom is a Ph.D. candidate studying open-source security at the University of Colorado Colorado Springs. When Tom is not buried in research, he is busy working for AWS as a Senior Cloud Developer or ...