We Hack Purple Streams! Securing Open Source Dependencies Its Not Just Your Code That You Need to Secure With Rana Khalil
12/23/22 • 53 min
The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we’ve seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed as the “worst security flaw of the decade”.
This resulted in studies being conducted and determining that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code developed by them is secure, usually little to no consideration is put into evaluating the security of the used open-source components. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We’ll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines.
Rana is an application security engineer consultant currently working at C3SA. She has a diverse professional background with experience in software development, quality assurance and pentesting. She holds a Bachelor and Master’s degree in Mathematics and Computer Science from the University of Ottawa. She has spoken about her research and work at several local and international conferences. In her non-existent free time, you can find her posting educational videos and holding workshops through her Academy and YouTube channel. She has received several awards and honorable mentions for her research and contributions to the cybersecurity community.
Speaker Links:
Youtube Channel: https://www.youtube.com/c/RanaKhalil101
Academy: https://ranakhalil.com/
Twitter: https://twitter.com/rana__khalil
LinkedIn: https://www.linkedin.com/in/ranakhalil1/
Medium Blog: https://ranakhalil101.medium.com/
The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we’ve seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed as the “worst security flaw of the decade”.
This resulted in studies being conducted and determining that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code developed by them is secure, usually little to no consideration is put into evaluating the security of the used open-source components. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We’ll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines.
Rana is an application security engineer consultant currently working at C3SA. She has a diverse professional background with experience in software development, quality assurance and pentesting. She holds a Bachelor and Master’s degree in Mathematics and Computer Science from the University of Ottawa. She has spoken about her research and work at several local and international conferences. In her non-existent free time, you can find her posting educational videos and holding workshops through her Academy and YouTube channel. She has received several awards and honorable mentions for her research and contributions to the cybersecurity community.
Speaker Links:
Youtube Channel: https://www.youtube.com/c/RanaKhalil101
Academy: https://ranakhalil.com/
Twitter: https://twitter.com/rana__khalil
LinkedIn: https://www.linkedin.com/in/ranakhalil1/
Medium Blog: https://ranakhalil101.medium.com/
Previous Episode
We Hack Purple Podcast Episode 61 with Guest Gemma Moore
In this episode of the We Hack Purple Podcast we meet Gemma Moore , co-founder and director of Cyberis. Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis.
Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises.
In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017.
Gemma was a contributing author to the BCS’ “Penetration Testing: A guide for business and IT managers”
Gemma was named “Best Ethical Hacker” in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.
We talked about everything to do with Red Teaming and PenTester, especially what the difference was between the two, risks involved, setting scope, and several funny and scary stories! We also talked about what people are trying to achieve with a red teaming exercise, and how things can go terribly wrong when we blame everything on the user. This was through and through a fantastic conversation.
You can learn more by reading in Gemma’s blog!
Join us in the We Hack Purple Community: A fun and safe place to
learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter!
Find us on Apple Podcast, Overcast + Pod
#TanyaJanca #SheHacksPurple #AppSec #CyberSecurity
Next Episode
We Hack Purple Podcast Episode 63 with Guest Mick Douglas
In this episode of the We Hack Purple podcast host Tanya Janca met with her colleague from IANs Faculty: Mick Douglas, founder of InfoSec Innovations! We talked about EVERYTHING AppSec and definitely could haveeasily talked at least 2 more hours! He explained what honey pots/honey files/honey links are, and how to use them. Creating a "tamper evident" network and system, as well as how marketing people have really messed up the term "shift left" for the rest of us. Not only that, but the episode had TONS of laughs!
Mick's Bio:
Mick Douglas has over 10 years of experience in information security and is currently the Managing Partner for InfoSec Innovations. He specializes in PowerShell, Unix, Data Visualization, Hardware, and Radio Hacking and teaches SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC555: SIEM with Tactical
Very special thanks to our sponsor: Luta Security!
Luta Security is the global leader in transforming how governments and organizations work with friendly hackers to bolster their security. LutaSecurity can manage end-to-end vulnerability disclosure and bug bounty programs or train your existing staff to maximize your security investment. Visit LutaSecurity.com/services to get started today!
Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
#appsec #wehackpurple #shehackspurple
We Hack Purple Podcast - We Hack Purple Streams! Securing Open Source Dependencies Its Not Just Your Code That You Need to Secure With Rana Khalil
Transcript
welcome everyone to a we hack purple stream I'm Tanya Janka your host and
Amanda's also helping me host but today we have a special guest and her name's Rana she's my friend she's ridiculously
awesome and I'm so happy she said yes to being like being on our stream and so you
might notice I've tweeted about her a lot so she's finally here I'm really excited and with this Rana please take
it away hi everyone uh thanks for having me Tanya I'm very excited to be here as
If you like this episode you’ll love
Episode Comments
Generate a badge
Get a badge for your website that links back to this episode
<a href="https://goodpods.com/podcasts/we-hack-purple-podcast-273079/we-hack-purple-streams-securing-open-source-dependencies-its-not-just-33009806"> <img src="https://storage.googleapis.com/goodpods-images-bucket/badges/generic-badge-1.svg" alt="listen to we hack purple streams! securing open source dependencies its not just your code that you need to secure with rana khalil on goodpods" style="width: 225px" /> </a>
Copy