Mitigating the Risks of 3rd Party Code
How Automation is Powering Open-Source Security
In today's fast-paced software environment, third-party code has become indispensable. With 96% of codebases containing open-source dependencies, the picture is clear: open source is ubiquitous in the development landscape.
However, this comes with considerable risk. Supply chain breaches were the number one attack vector in 2022. That comes as no surprise given that 84% of open-source code contained at least one vulnerability in 2022, and 89% of the software tested contained open-source components more than four years out of date, adding further risk. Vulnerabilities such as Log4Shell and Heartbleed have shown the devastating effect such gaps can have across software supply chains.
It is clear that a more comprehensive, less labor-intensive approach to open-source security is needed to keep pace with the rapid growth in development. In this third installment of the DevSecOps Talk Series, Jonathan Metzman, a software engineer on the Google Open-Source Security Team, explains how the collaboration between Google and Code Intelligence uncovered severe security issues in popular open-source libraries.
He will cover:
- How Google’s collaboration with Code Intelligence has helped to secure Java/JavaScript ecosystems.
- The role of genetic (evolutionary) algorithms in the continuous testing of open-source libraries.
- Critical CVEs unearthed through this collaboration, including an expression-language denial of service (DoS) in Spring and a prototype pollution in protobuf.js.
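The "genetic algorithms" bullet refers to how modern fuzzers evolve a corpus of inputs: mutate, run, and keep only the offspring that reach something new in the target. The following is an added example, not code from the talk, from Google or from Code Intelligence: a minimal coverage-guided evolutionary fuzzing loop in plain Node.js, run against a constructed toy record parser with a planted bug. The parser, its edge ids, the seed input "abcdefgh" and the PRNG seed are all assumptions made for this example.

```javascript
// Added example (not from the talk, Google or Code Intelligence): a minimal
// coverage-guided evolutionary fuzzer in plain Node.js.
// Population = corpus of inputs; offspring = mutated copies; fitness = reaching
// an edge of the target that no earlier input reached.

// --- Target: a constructed toy parser with a planted bug -------------------
// Record layout: 'R' 'E' <version> <len> <payload of len bytes>.
// Version 2 records are assumed to carry a checksum after the payload; the
// parser trusts <len> and throws on a truncated v2 record (the planted bug).
let trace = null;                         // edge ids hit in the current run
function hit(id) { if (trace) trace.push(id); }

function parseRecord(bytes) {
  hit(0);
  if (bytes.length < 4) return null;
  hit(1);
  if (bytes[0] !== 0x52) return null;     // 'R'
  hit(2);
  if (bytes[1] !== 0x45) return null;     // 'E'
  hit(3);
  const version = bytes[2];
  if (version !== 1 && version !== 2) return null;
  hit(3 + version);                       // edge 4 for v1, edge 5 for v2
  const len = bytes[3];
  const payload = bytes.subarray(4, 4 + len);   // clamps when truncated
  if (version === 2) {
    hit(6);
    if (payload.length !== len) throw new Error("checksum read past end of record");
  }
  return { version, payload };
}

// --- Fuzzer ---------------------------------------------------------------
function makeRng(seed) {                  // xorshift32: deterministic runs
  let s = seed >>> 0 || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s / 4294967296;
  };
}

// Stack one to three byte-level mutations on a copy of the parent.
function mutate(parent, rnd) {
  const child = Array.from(parent);
  const n = 1 + Math.floor(rnd() * 3);
  for (let i = 0; i < n; i++) {
    const op = Math.floor(rnd() * 4);
    const pos = Math.floor(rnd() * child.length);
    if (op === 0) child[pos] = Math.floor(rnd() * 256);                       // overwrite
    else if (op === 1) child[pos] ^= 1 << Math.floor(rnd() * 8);              // bit flip
    else if (op === 2 && child.length < 64) child.splice(pos, 0, Math.floor(rnd() * 256)); // insert
    else if (op === 3 && child.length > 1) child.splice(pos, 1);              // delete
  }
  return Uint8Array.from(child);
}

// Run the target once, returning the edges it hit and any exception.
function run(bytes) {
  trace = [];
  try {
    parseRecord(bytes);
    return { edges: trace, crash: null };
  } catch (err) {
    return { edges: trace, crash: err };
  } finally {
    trace = null;
  }
}

// guided=true keeps offspring that reach new edges (evolutionary search);
// guided=false mutates the seed blindly, for comparison.
function fuzz(seedInput, { iterations, guided, seed = 0xc0ffee }) {
  const rnd = makeRng(seed);
  const corpus = [seedInput];
  const seen = new Set(run(seedInput).edges);
  for (let i = 1; i <= iterations; i++) {
    const parent = corpus[Math.floor(rnd() * corpus.length)];
    const child = mutate(parent, rnd);
    const { edges, crash } = run(child);
    if (crash) return { found: true, iterations: i, input: child, corpusSize: corpus.length };
    if (guided && edges.some((e) => !seen.has(e))) {
      edges.forEach((e) => seen.add(e));
      corpus.push(child);                 // survives: it reached something new
    }
  }
  return { found: false, iterations, input: null, corpusSize: corpus.length };
}

const SEED_INPUT = new TextEncoder().encode("abcdefgh");   // constructed seed

if (typeof require !== "undefined" && require.main === module) {
  for (const guided of [true, false]) {
    const r = fuzz(SEED_INPUT, { iterations: 200000, guided });
    console.log(guided ? "guided:" : "blind: ", r.found
      ? `crash after ${r.iterations} runs, corpus ${r.corpusSize}, input ${Buffer.from(r.input).toString("hex")}`
      : `no crash in ${r.iterations} runs`);
  }
}
```

The blind loop has to get three specific bytes right in one mutation step, which it will not do within the budget; the guided loop gets there in a few thousand runs because each correct byte unlocks a new edge and the input that reached it is kept as a parent. Real fuzzers such as those in OSS-Fuzz add compiler-inserted coverage instrumentation, dictionaries and comparison feedback on top of the same loop.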
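The protobuf.js finding is a prototype pollution, a bug class specific to JavaScript's prototype chain: a recursive merge that copies a `__proto__` key ends up writing attacker-chosen properties onto `Object.prototype`, where every object in the process inherits them. As an added example (not protobuf.js code and not from the talk), here is a deep-merge with that flaw beside a hardened version, plus a check a test suite can use to catch the regression. The function names and the sentinel key are assumptions made for this example.

```javascript
// Added example (not protobuf.js code and not from the talk): a deep-merge
// with the classic prototype-pollution flaw, a hardened version, and a
// regression check. Plain Node.js, no dependencies.

// Vulnerable: walks every own key of src, including "__proto__".
// JSON.parse('{"__proto__": {...}}') yields an *own* property with that name,
// and dst["__proto__"] resolves to Object.prototype, so the recursion writes
// attacker-chosen keys onto the prototype shared by every object in the process.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object") {
      if (dst[key] === null || typeof dst[key] !== "object") dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into properties dst actually owns (never into an inherited object).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === "object") {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== "object") dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Regression check: merge a sentinel payload into a throwaway object and ask
// whether Object.prototype gained the key. Cleans up so runs do not mask each other.
const SENTINEL = "pp_sentinel_key";     // assumed name, chosen not to collide
function pollutes(mergeFn) {
  const payload = JSON.parse(`{"__proto__": {"${SENTINEL}": true}}`);
  try {
    mergeFn({}, payload);
    return Object.prototype.hasOwnProperty.call(Object.prototype, SENTINEL);
  } finally {
    delete Object.prototype[SENTINEL];
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafeMerge pollutes:", pollutes(unsafeMerge));   // true
  console.log("safeMerge pollutes:", pollutes(safeMerge));       // false
  console.log(JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
}
```

Blocking the three keys is the minimal fix; building merge targets with `Object.create(null)` or running Node with `--disable-proto=delete` removes the `__proto__` accessor altogether and is worth considering for code that merges untrusted JSON. The `pollutes` check is the kind of oracle a fuzz target for a merge or deserialisation library can assert after every input.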
About the Speaker
Jonathan Metzman is a Software Engineer on the Google Open Source Security Team.