DevSecCon Germany

Node.js Dependency Confusion Attacks & Vulnerabilities in Go Binaries

WITH Juan Picado, Agata Krajewska & Daniel Kontorovskyi

DevSecConGermany takes you through how to protect your Nodejs project from dependency confusion attacks & detect module vulnerabilities from Go binaries.
Talk 1 | 
Protecting my Node.js project of dependency confusion attacks 

Having a private registry as part of a stack is getting a popular trend due to the benefits that it brings to your organization. But a misconfigured registry can open the door to malicious individuals. This talk is about how to secure a Node.js project from dependency confusions and other possible attacks using a Verdaccio registry as proof of concept.

About our Guest
Juan Picado

Senior Front-End Engineer at eBay Classifieds Group based in Berlin, building front-ends for classifieds like Kijiji Autos in Canada. He is a passionate JavaScript engineer, contributes to open source almost every day and is the lead maintainer of Verdaccio (mostly in his spare time). His goal is to help the Node.js ecosystem to keep a free and open private registry accessible for all developers.

Talk 2 | Go Hard or Go Home
Detecting module vulnerabilities from Go binaries

Cloud native applications are typically made up of a small core of homegrown code, along with a lot of open source modules. Vulnerabilities in modules across most languages are increasing, and so scanning that code for security vulnerabilities is a critical piece of the security jigsaw. This is straightforward in interpreted languages since the module information is shipped with our application, but in compiled languages like Go it’s not as straightforward. At Snyk we recently introduced the ability to automatically detect and scan included modules from Go binaries within your containers, and in this talk we’ll deep dive into the details of how we got there – from automatically detecting Go binaries inside your container images, to breaking apart the binary format and extracting the header information, and implementing this all functionality in our Node based command line client. If the internals of Go binaries are your thing, then this is the talk for you!

Agata Krajewska

Agata is a Software Engineer in Container group in Snyk. Agata has spent the last year working on runtime security, solving problems around image scanning architectures and platforms. Whenever there’s a chance, she enjoys writing low level and embedded software code. Besides coding, Agata also teaches yoga and visits all the best food spots in East London.

Daniel Kontorovskyi

Daniel Kontorovskyi is a Software Engineer at Snyk, and has spent most of the last 5 years building SAAS products in the security space. Most recently Daniel has been focused on the emerging need for security within cloud native applications and at runtime.

Related Posts

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.