PyCon Israel 2022

🇺🇸 Under the sea - Attacking vulnerable C creatures in Snakes-land
06-29, 17:00–17:20 (Asia/Jerusalem), Main Hall

I'd like to share the findings from my research, where I looked into Python packages that wrap vulnerable C code and ship those vulnerabilities to unaware developers.
Attackers who know about such libraries can abuse these components without the developers ever knowing.


The Python ecosystem has PyPI libraries that bundle C code, but if that code has vulnerabilities, how would we ever find out? How can we fix them?
Until today, this was a common hidden problem and risk that we all accepted (mostly unknowingly). Today that changes. My talk will demonstrate an uncharted attack vector in the open source software supply chain: unmanaged code pieces inside our dependencies.

You'll learn about the struggles of managing open source libraries and adopt takeaways from my research findings, where I looked into Python libraries that wrap vulnerable C code, and unknowingly shipped vulnerabilities to unaware and unsuspecting developers. The developers, on their end, may think that they're safe (no reported CVEs) but malicious actors with such knowledge can exploit these seemingly non-vulnerable libraries and compromise systems while flying completely under the radar.
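The first step a defender can take toward the "how would we ever find out?" question above is to know which installed packages ship native code at all, since a pure-Python dependency list hides it. The script below is an added example and is not part of the talk or its research; it walks the current environment with `importlib.metadata` and lists every distribution whose RECORD contains compiled extension modules or shared libraries. The suffix list `NATIVE_SUFFIXES` and the sample paths in the comments are assumptions for the common platforms, not values from the talk.

```python
"""Inventory installed Python distributions that bundle compiled (C) code,
so their native parts can be tracked alongside the Python-level dependencies.
Added example, not code from the talk."""
import importlib.metadata as md
from pathlib import PurePosixPath

# Suffixes that indicate native code inside a wheel. Assumption: these cover
# CPython extension modules and bundled shared libraries on Linux, macOS and
# Windows; extend the tuple if your environment uses other formats.
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib", ".dll")


def native_files(paths):
    """Return the subset of `paths` (strings or PathLike entries, as found in a
    distribution's RECORD) that look like compiled extensions or shared libs.

    Versioned ELF names such as libfoo.so.1.2 are caught because every suffix
    is checked, not only the last one:
        PurePosixPath("libfoo.so.1.2").suffixes == ['.so', '.1', '.2']
    """
    hits = []
    for p in paths:
        name = PurePosixPath(str(p)).name.lower()
        if any(s in NATIVE_SUFFIXES for s in PurePosixPath(name).suffixes):
            hits.append(str(p))
    return hits


def inventory():
    """Map (distribution name, version) to its native files; the list is empty
    for pure-Python packages. Only the currently active environment is seen."""
    result = {}
    for dist in md.distributions():
        files = dist.files or []  # dist.files is None when RECORD is missing
        result[(dist.metadata["Name"], dist.version)] = native_files(files)
    return result


if __name__ == "__main__":
    # Print only the packages that carry native code; these are the ones whose
    # C dependencies need their own vulnerability tracking.
    for (name, version), natives in sorted(inventory().items()):
        if natives:
            print(f"{name}=={version}: {len(natives)} native file(s)")
            for f in natives:
                print("    ", f)
```

Run it inside the virtual environment you want to audit. Packages that show up here carry C code whose CVEs, if any, are filed against the upstream C project rather than the PyPI name, so their versions have to be matched against that upstream advisory feed separately.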


Session language –

English

Target audience –

Other (please specify below)

Other (target audience) –

Security experts, developers and basically everyone running "pip install"

Security researcher and experienced software engineer with a great passion for algorithms (graph theory specifically), security research (vulnerability research, bug bounties), chaos engineering (YES!), frontends, backends, web services, systems architecture, infras, clouds (making them rain), and more :)

Oh yea I also DJ