Presented at
Black Hat USA 2019,
Aug. 8, 2019, 12:10 p.m.
(50 minutes).
<p>Over the last decade, there has been steady growth in the adoption of open-source components in modern web applications. Although this is generally a good trend for the industry, the practice carries risks that require careful attention. In this talk, we will describe a simple but pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale.</p><p>Our solution at Netflix is focused on identifying, triaging, and eliminating vulnerabilities in common software packages and their transitive dependencies.</p><p>This talk will cover the following topics:</p><ul><li>A brief history of open-source security and vulnerabilities</li><li>Reasons why this attack surface is still a problem in modern open-source libraries</li><li>Methods that attackers use to exploit vulnerabilities in open-source libraries</li><li>Reasons why it is easy to carry out such attacks against any organization</li></ul><p>We will then explore how the Netflix AppSec team has worked to solve the problem at scale, describing the various stages in our automation strategy and the tools that we are using to help us achieve our goals.</p>
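The abstract's core point is that the vulnerable package is often not one an application declares but one pulled in several levels down, and that a scanner therefore has to walk the resolved graph rather than the manifest. The block below is an added illustration of that step and is not code from the talk or from Netflix's tooling: it expands a constructed lock-file style graph to its transitive closure, keeps every path to each package for triage, and matches resolved versions against constructed advisory ranges. All package names, versions and advisory identifiers are made up for the demo.

```python
"""Flag vulnerable transitive dependencies in a resolved dependency graph.

Added illustrative example, not the talk's or Netflix's own tooling.
Every package, version and advisory below is constructed for the demo.
"""

# Constructed lock-file style graph: package -> (resolved version, direct deps).
LOCK = {
    "webapp": ("1.0.0", ["http-client", "template-engine"]),
    "http-client": ("2.3.1", ["url-parser"]),
    "template-engine": ("4.0.2", ["url-parser", "yaml-loader"]),
    "url-parser": ("0.9.4", []),
    "yaml-loader": ("3.1.0", []),
}

# Constructed advisories (hypothetical IDs). A version is affected when
# introduced <= version < fixed, the usual half-open convention.
ADVISORIES = [
    {"id": "DEMO-001", "package": "url-parser", "introduced": "0.8.0", "fixed": "0.9.5"},
    {"id": "DEMO-002", "package": "yaml-loader", "introduced": "3.0.0", "fixed": "3.0.3"},
    {"id": "DEMO-003", "package": "http-client", "introduced": "2.3.0", "fixed": "2.3.1"},
]


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Real ecosystems have pre-release tags and epochs; use the ecosystem's own
    version parser there instead of this simplified split.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def resolve(root, lock):
    """Return {package: {"version": ..., "paths": [[root, ..., package], ...]}}.

    Depth-first walk of the transitive closure. Each package's children are
    expanded once, but every distinct path that reaches it is recorded, which
    is what a triager needs to know which direct dependency to bump.
    """
    resolved = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        version, deps = lock[name]
        entry = resolved.setdefault(name, {"version": version, "paths": []})
        entry["paths"].append(path)
        if len(entry["paths"]) > 1:
            continue  # already expanded; also stops cycles from looping forever
        for dep in deps:
            stack.append((dep, path + [dep]))
    return resolved


def find_vulnerable(root, lock, advisories):
    """Match every resolved package against the advisory list.

    'direct' tells the triager whether the finding can be fixed by pinning the
    application's own dependency or whether an upstream package must be bumped.
    """
    resolved = resolve(root, lock)
    findings = []
    for adv in advisories:
        entry = resolved.get(adv["package"])
        if entry is None:
            continue
        if is_affected(entry["version"], adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "version": entry["version"],
                "direct": any(len(p) == 2 for p in entry["paths"]),
                "paths": [" -> ".join(p) for p in entry["paths"]],
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable("webapp", LOCK, ADVISORIES):
        kind = "direct" if finding["direct"] else "transitive"
        print(f"{finding['id']}: {finding['package']} {finding['version']} ({kind})")
        for path in finding["paths"]:
            print("   via", path)
```

In the constructed data only url-parser is reported: it is never declared by webapp but is reached through two different direct dependencies, so fixing it means bumping both http-client and template-engine (or overriding the resolution), which is exactly the triage work the abstract refers to. http-client 2.3.1 sits on the fixed boundary and is correctly not flagged, a check worth keeping in any matcher because off-by-one range handling produces both false positives and missed findings.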
Presenters:
- Aladdin Almubayed, Senior Application Security Engineer, Netflix
Aladdin Almubayed is a senior security engineer at Netflix focused on application security, automation, and building secure services. Prior to Netflix, Aladdin led the offensive security team at Yahoo, with a focus on building red teaming infrastructure, reverse engineering, and fuzzing.