Something For Everybody - ASW #180 - podcast episode cover

Something For Everybody - ASW #180

Jan 20, 20221 hr 3 min
--:--
--:--
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

This isn't a story about NPM even though it's inspired by NPM. Twice. The maintainer of the "colors" NPM library intentionally changed the library's behavior from its expected functionality to printing garbage messages. The library was exhibiting the type of malicious activity that typically comes from a compromised package. Only this time users of the library, which easily number in the thousands, discovered this was sabotage by the package maintainer himself. This opens up a broader discussion on supply chain security than just provenance. How do we ensure open source tools receive the investments they need -- security or otherwise? For that matter, how do we ensure internal tools receive the investments they need? Log4j was just one recent example of seeing old code appear in surprising places.

 

Scams and security flaws in (so-called) web3 and when decentralization looks centralized, SSRF from a URL parsing problem, vuln in AWS Glue, 10 vulns used for CI/CD compromises!

 

Show Notes: https://securityweekly.com/asw180

Segment resources:

- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

- https://www.zdnet.com/article/when-open-source-developers-go-bad/

- https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/

- https://www.theregister.com/2022/01/17/open_source_closed_wallets_big/

- https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/

- https://docs.linuxfoundation.org/lfx/security/onboarding-your-project

- https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

For the best experience, listen in Metacast app for iOS or Android
Open in Metacast
Something For Everybody - ASW #180 | Application Security Weekly (Audio) podcast - Listen or read transcript on Metacast