@liran_tal
github.com/lirantal
src: https://snyk.io/opensourcesecurity-2019
a small, linear increase in direct dependencies leads to a significant, super-linear increase in transitive dependencies
the number of transitive dependencies of an average package has increased to a staggering 80 in 2018
the red line shows that in 2018, about 24,500 packages have reached at least 10 other packages
it is alarming that, for the majority of the time, the reach of vulnerable unpatched code is between 30% and 40%.
a sign of a healthy security community that reports vulnerabilities at a very good pace, keeping up with the growth of the ecosystem
(Zimmermann, Staicu, Tenny, Pradel, 2019)
http://software-lab.org/publications/npm_study_arXiv_1902.09217.pdf
[timeline: Jan 2015]
research paper
Installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface
[timeline: Jan 2015, Jan 2017]
$ npm install crossenv --save
crossenv/package.json
crossenv/package-setup.js
src: https://snyk.io/vuln
research paper
Highly popular packages directly or indirectly influence many other packages (often more than 100,000) and are thus potential targets for injecting malware.
[timeline: Jan 2015, Jan 2017, May 2018]
http-fetch-cookies
└── express-cookies
    └── getcookies
mailparser
└── http-fetch-cookies
    └── express-cookies
        └── getcookies
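A chain like the one above is what a lockfile audit should surface automatically. The following is an added example, not code from the talk or from any npm tooling: it walks a constructed npm lockfile in the v2/v3 `packages` format, mirrors npm's node_modules lookup to resolve each dependency, and reports the path from the project root to any package whose name is on a denylist. The lockfile contents and the denylist are constructed for the demonstration.

```javascript
// Audit an npm lockfile (v2/v3 "packages" map): compute the transitive closure
// from the project root, record the chain that pulls each package in, and flag
// any package on a denylist, however deep in the tree it sits.

// Constructed sample lockfile mirroring the chain on the slide:
// mailparser -> http-fetch-cookies -> express-cookies -> getcookies
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { mailparser: '^2.2.0' } },
    'node_modules/mailparser': { version: '2.2.0', dependencies: { 'http-fetch-cookies': '*' } },
    'node_modules/http-fetch-cookies': { version: '1.0.0', dependencies: { 'express-cookies': '*' } },
    'node_modules/express-cookies': { version: '1.0.0', dependencies: { getcookies: '*' } },
    'node_modules/getcookies': { version: '1.0.0' },
  },
};
const DENYLIST = new Set(['getcookies']); // constructed; real audits use advisory data

// npm resolution: look for node_modules/<dep> beside the dependant, then walk upwards.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;                     // reached the root without a match
    base = base.replace(/(^|\/)node_modules\/(@[^/]+\/)?[^/]+$/, ''); // drop last node_modules/<x>
  }
}

// Breadth-first walk from the root; keeps the first (shortest) chain to each install path.
function dependencyChains(lock) {
  const packages = lock.packages;
  const chains = new Map();                     // installPath -> [name, name, ...]
  const queue = [['', []]];
  while (queue.length) {
    const [path, chain] = queue.shift();
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const target = resolve(packages, path, dep);
      if (target === null || chains.has(target)) continue;
      chains.set(target, [...chain, dep]);
      queue.push([target, chains.get(target)]);
    }
  }
  return chains;
}

// Every installed package whose name is on the denylist, with the chain that introduced it.
function findDenied(lock, denylist) {
  const hits = [];
  for (const [path, chain] of dependencyChains(lock)) {
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (denylist.has(name)) hits.push({ name, version: lock.packages[path].version, chain });
  }
  return hits;
}

console.log(JSON.stringify(findDenied(SAMPLE_LOCK, DENYLIST), null, 2));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and the denylist with names from an advisory feed; `dependencyChains(lock).size` is the transitive dependency count the first slides talk about.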
[timeline: Jan 2015, Jan 2017, May 2018, Jul 2018]
src: https://github.com/ChALkeR/notes
[timeline: Jan 2015, Jan 2017, May 2018, Jul 2018, Nov 2019]
src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor
$ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
Source: The State of Open Source Security Report 2019, Snyk
https://snyk.io/opensourcesecurity-2019/