Upstreaming security to rails: a story about falling behind and catching back up again

Presented at LocoMocoSec 2019, April 18, 2019, 11 a.m. (30 minutes)

Web frameworks have helped enable development that just would not be practical otherwise. While frameworks can introduce unseen attack surfaces, they can also solve problems, including entire classes of vulnerabilities <caveat>when a supported version of the framework is used properly</caveat>. GitHub is in the interesting position of employing members of the Rails security group, core maintainers, and public bounty members. We have introduced features, applied secure defaults, and taken away many rough edges. This talk will explore examples of features that other frameworks can or should use, some of which came from GitHub. We will also explore the history of some of these features across other frameworks. It's no surprise that using out-of-date dependencies introduces many types of risk. It also makes it very hard to hire, retain, maintain, secure, or improve anything or anyone. Bleeding edge or die.

Presenters:

  • Neil Matatall - GitHub
    Neil is a product security engineer at GitHub. He has mostly worked on web application security and is frequently involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader, and has organized multiple conferences including @locomocosec: Hawaii’s product security conference.
