SlideShare a Scribd company logo

Are you using an open source library? - Bruno Bossola - Codemotion Rome 2018

Download as ODP, PDF
Codemotion
Codemotion

Do you remember Equifax? How did someone manage to steal the data of almost 200 million users? Well, Equifax simply fell victim to a vulnerability on a framework, Struts, which older developers like me remember well. But you folks, who now use cooler things like Guava or Jackson, do you feel safe? Unfortunately, you are not. After a clear introduction to the problem, with a couple of other illustrious examples, we will perform a couple of exploits together, live, and then take a look at possible prevention strategies. This talk will open your eyes to a problem you did not know you had.

Technology
1 of 20
Are you using an open source library? Bruno Bossola ROME - APRIL 13/14 2018
`@bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
`@bbossola Agenda ● Three cases of exploits ● Why do we use opensource libraries? ● What is a vulnerability? ● Sample exploit of CVE-2017-7525 ● Preventive measures ● Common delusions ● Conclusions ● QA
`@bbossola 11/2016 - San Francisco MTA CVE-2015-4852
`@bbossola 03/2017 - Canada Revenue Ag CVE-2017-5638
`@bbossola 05/2017 - Equifax CVE-2017-5638 (yes, again!)
`@bbossola Why open source libraries??? ● you want to deliver code fast ● you do not rewrite code that's already available – logging – serialisation for JSON / XML – communication via common protocols – web frameworks – client frameworks ● you need state-of-the-art algorithms – encryption library like Bouncycastle – recommendations library like librec ● Eighty percent of the code in today’s applications come from libraries and frameworks
`@bbossola How are libraries used? Direct dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
`@bbossola How are libraries used? Transitive dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
`@bbossola CVE-2017-17485 A simplified view :) Sample project 1.0 spring-boot 1.4.7 spring-core 4.3.9 snakeyaml 1.17 logback 1.1.11 slf4j 1.7.25 jackson 2.8.8 CVE-2017-5929 CVE-2018-5968 CVE-2017-15095 CVE-2017-7525 Images courtesy of 1001freedownloads.com
`@bbossola What is a vulnerability? A weakness in a library that will allow an attacker to compromise the underlying system. You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release. Examples: ● vert.x 3.5.1 (latest on 10/04/2018) ● struts 2.5.16 (latest on 10/04/2018) ● spring boot 1.5.9 (released on 09/2017)
`@bbossola Demo Exploiting CVE-2017-7525: how to remotely execute java code – Starring ● Jackson-Databind ● Your server – Supporting actors ● JSON deserialisation ● Xalan
`@bbossola Preventive measures ● Integrate a library scan in your CI/CD ● Different options available – big commercial powerhouses ● blackducksoftware – small commercial targeted solutions ● bithound.io (nodejs) ● hakiri.io (ruby) ● meterian.io (java) – opensource options ● dependency-check ● github SHAMELESS PLUG! Images courtesy of freepik.com WARNING!!! SHAMELESS PLUG HERE!
`@bbossola Preventive measures What a detection system would have said?
`@bbossola Common delusions Images courtesy of freepik.com “Hello, I am the tech savvy engineering leader!"
`@bbossola Common delusions - 1 Images courtesy of freepik.com “My code is not using that function, I am perfectly safe"
`@bbossola Common delusions - 2 Images courtesy of freepik.com “I am shielded by my input validation, I am perfectly safe”
`@bbossola Common delusions - 3 Images courtesy of freepik.com “I am running a periodic penetration test, I am safe”
`@bbossola Conclusions ● Every project uses open source libraries ● Exploits for common vulnerabilities in open source libraries are out there ● They are easily exploitable (c'mon, I did one in two hours!!!) ● The only solution that can work is putting in place a prevention mechanism ● DO IT NOW!
`@bbossola Q&A Public datatabases: https://cve.mitre.org/ https://nvd.nist.gov/ The code used today: https://github.com/bbossola/vulnerability-java-samples OWASP dependency-check: https://www.owasp.org/index.php/OWASP_Dependency_Check Meterian: https://www.meterian.io

Recommended

Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Codemotion
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Pôle Systematic Paris-Region
 
How to debug machine learning call stacks
How to debug machine learning call stacksHow to debug machine learning call stacks
How to debug machine learning call stacksRogue Wave Software
 
Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Koombea
 
SciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSamuel Lampa
 
From Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetFrom Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetPôle Systematic Paris-Region
 
How to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeHow to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeKiwamu Okabe
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 

Recommended

Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Are you using an opensource library? There's a good chance you are vulnerable...
Are you using an opensource library? There's a good chance you are vulnerable...Codemotion
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Pôle Systematic Paris-Region
 
How to debug machine learning call stacks
How to debug machine learning call stacksHow to debug machine learning call stacks
How to debug machine learning call stacksRogue Wave Software
 
Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Koombea
 
SciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSciPipe - A light-weight workflow library inspired by flow-based programming
SciPipe - A light-weight workflow library inspired by flow-based programmingSamuel Lampa
 
From Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetFrom Python to smartphones: neural nets @ Saint-Gobain, François Sausset
From Python to smartphones: neural nets @ Saint-Gobain, François SaussetPôle Systematic Paris-Region
 
How to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeHow to rewrite the OS using C by strong type
How to rewrite the OS using C by strong typeKiwamu Okabe
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseTypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseSteve Reiner
 
NS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USANS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USAPhdtopiccom
 
AddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingAddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingSamuel Lampa
 
How we do python
How we do pythonHow we do python
How we do pythonBrice Laurencin
 
Auto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesAuto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesSteven McCown
 
Fun With Reactive Extensions
Fun With Reactive ExtensionsFun With Reactive Extensions
Fun With Reactive ExtensionsPeter Bons
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensionsjohnlvidal
 
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingTracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingYuri Shkuro
 
War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)Min-Yih Hsu
 
Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Yurii Bychenok
 
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebula Project
 
Perf onjs final
Perf onjs finalPerf onjs final
Perf onjs finalqi yang
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
 
Infrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiInfrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiVenura Athukorala
 
Port Scanning with Node.js
Port Scanning with Node.jsPort Scanning with Node.js
Port Scanning with Node.jsKevin Cedeño, CISM, CISA
 
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Jonas Hecht
 
Parallel js
Parallel jsParallel js
Parallel jsShams Nahid
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming languageVigneshwer Dhinakaran
 
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebula Project
 
Introduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfIntroduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfSehz1
 
PyData Boston 2013
PyData Boston 2013PyData Boston 2013
PyData Boston 2013Travis Oliphant
 
Microservices, the lean way
Microservices, the lean wayMicroservices, the lean way
Microservices, the lean wayBruno Bossola
 

More Related Content

What's hot

TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseTypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseSteve Reiner
 
NS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USANS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USAPhdtopiccom
 
AddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingAddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingSamuel Lampa
 
Auto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesAuto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesSteven McCown
 
Fun With Reactive Extensions
Fun With Reactive ExtensionsFun With Reactive Extensions
Fun With Reactive ExtensionsPeter Bons
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensionsjohnlvidal
 
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingTracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingYuri Shkuro
 
War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)Min-Yih Hsu
 
Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Yurii Bychenok
 
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebula Project
 
Perf onjs final
Perf onjs finalPerf onjs final
Perf onjs finalqi yang
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
 
Infrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiInfrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiVenura Athukorala
 
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Jonas Hecht
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming languageVigneshwer Dhinakaran
 
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebula Project
 
Introduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfIntroduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfSehz1
 

What's hot (20)

TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San JoseTypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
 
NS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USANS3-Thesis-Projects-in-USA
NS3-Thesis-Projects-in-USA
 
AddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based ProgrammingAddisDev Meetup ii: Golang and Flow-based Programming
AddisDev Meetup ii: Golang and Flow-based Programming
 
How we do python
How we do pythonHow we do python
How we do python
 
Auto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust LibrariesAuto-Generating Language-Specific Wrappers for Rust Libraries
Auto-Generating Language-Specific Wrappers for Rust Libraries
 
Fun With Reactive Extensions
Fun With Reactive ExtensionsFun With Reactive Extensions
Fun With Reactive Extensions
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensions
 
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracingTracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
Tracing 2000+ polyglot microservices at Uber with Jaeger and OpenTracing
 
War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)War of Native Speed on Web (SITCON2016)
War of Native Speed on Web (SITCON2016)
 
Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.Pulumi. Modern Infrastructure as Code.
Pulumi. Modern Infrastructure as Code.
 
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
OpenNebulaConf2017EU: Growing into the Petabytes for Fun and Profit by Michal...
 
Perf onjs final
Perf onjs finalPerf onjs final
Perf onjs final
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
 
Infrastructure as "Code" with Pulumi
Infrastructure as "Code" with PulumiInfrastructure as "Code" with Pulumi
Infrastructure as "Code" with Pulumi
 
Port Scanning with Node.js
Port Scanning with Node.jsPort Scanning with Node.js
Port Scanning with Node.js
 
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
Infrastructure-as-Code with Pulumi - Better than all the others (like Ansible)?
 
Parallel js
Parallel jsParallel js
Parallel js
 
Deep drive into rust programming language
Deep drive into rust programming languageDeep drive into rust programming language
Deep drive into rust programming language
 
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
OpenNebulaConf2017EU: Welcome Talk State and Future of OpenNebula by Ignacio ...
 
Introduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdfIntroduction to Fluvio Data Engineer.pdf
Introduction to Fluvio Data Engineer.pdf
 

Similar to Are you using an open source library? - Bruno Bossola - Codemotion Rome 2018

Microservices, the lean way
Microservices, the lean wayMicroservices, the lean way
Microservices, the lean wayBruno Bossola
 
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016Codemotion
 
There is something about serverless
There is something about serverlessThere is something about serverless
There is something about serverlessgjdevos
 
Netflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source ProgramNetflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source Programaspyker
 
Building a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at NetflixBuilding a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at NetflixAll Things Open
 
Leveraging open source for large scale analytics
Leveraging open source for large scale analyticsLeveraging open source for large scale analytics
Leveraging open source for large scale analyticsSouth West Data Meetup
 
Not my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureNot my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureYshay Yaacobi
 
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdfManaging Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdfAndrew Lamb
 
Building cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and DockerBuilding cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and DockerJacob Feala
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoveritySamsung Open Source Group
 
Python Experience in KKBOX Group
Python Experience in KKBOX GroupPython Experience in KKBOX Group
Python Experience in KKBOX GroupShuen-Huei Guan
 
openSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST NewsopenSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST Newslslezak
 
BelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the BrowserBelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the BrowserEamonn Boyle
 
2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpi2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpiQNIB Solutions
 
Eko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database AuditingEko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database AuditingJuan Berner
 
Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)Jaime Crespo
 

Similar to Are you using an open source library? - Bruno Bossola - Codemotion Rome 2018 (20)

PyData Boston 2013
PyData Boston 2013PyData Boston 2013
PyData Boston 2013
 
Microservices, the lean way
Microservices, the lean wayMicroservices, the lean way
Microservices, the lean way
 
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
Microservices, the lean way - Bruno Bossola - Codemotion Amsterdam 2016
 
Go at Skroutz
Go at SkroutzGo at Skroutz
Go at Skroutz
 
There is something about serverless
There is something about serverlessThere is something about serverless
There is something about serverless
 
Netflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source ProgramNetflix Open Source: Building a Distributed and Automated Open Source Program
Netflix Open Source: Building a Distributed and Automated Open Source Program
 
Building a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at NetflixBuilding a Distributed & Automated Open Source Program at Netflix
Building a Distributed & Automated Open Source Program at Netflix
 
Leveraging open source for large scale analytics
Leveraging open source for large scale analyticsLeveraging open source for large scale analytics
Leveraging open source for large scale analytics
 
PostgreSQL Development Today: 9.0
PostgreSQL Development Today: 9.0PostgreSQL Development Today: 9.0
PostgreSQL Development Today: 9.0
 
Not my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructureNot my problem - Delegating responsibility to infrastructure
Not my problem - Delegating responsibility to infrastructure
 
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdfManaging Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
Managing Software Dependencies and the Supply Chain_ MIT EM.S20.pdf
 
Node.js an Exectutive View
Node.js an Exectutive ViewNode.js an Exectutive View
Node.js an Exectutive View
 
Building cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and DockerBuilding cloud-enabled genomics workflows with Luigi and Docker
Building cloud-enabled genomics workflows with Luigi and Docker
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with Coverity
 
Python Experience in KKBOX Group
Python Experience in KKBOX GroupPython Experience in KKBOX Group
Python Experience in KKBOX Group
 
openSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST NewsopenSUSE Conference 2017 - YaST News
openSUSE Conference 2017 - YaST News
 
BelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the BrowserBelTech 2017 - Building Quality in the Browser
BelTech 2017 - Building Quality in the Browser
 
2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpi2014 11-05 hpcac-kniep_christian_dockermpi
2014 11-05 hpcac-kniep_christian_dockermpi
 
Eko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database AuditingEko10 Workshop Opensource Database Auditing
Eko10 Workshop Opensource Database Auditing
 
Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)Scaling and hardware provisioning for databases (lessons learned at wikipedia)
Scaling and hardware provisioning for databases (lessons learned at wikipedia)
 

More from Codemotion

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyCodemotion
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaCodemotion
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Codemotion
 

More from Codemotion (20)

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending story
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storia
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard Altwasser
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 

Recently uploaded

BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxBT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxNeo4j
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimaginedpanagenda
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jNeo4j
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 

Recently uploaded (20)

BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptxBT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
BT & Neo4j _ How Knowledge Graphs help BT deliver Digital Transformation.pptx
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 

Are you using an open source library? - Bruno Bossola - Codemotion Rome 2018

  • 1. Are you using an open source library? Bruno Bossola ROME - APRIL 13/14 2018
  • 2. `@bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
  • 3. `@bbossola Agenda ● Three cases of exploits ● Why do we use opensource libraries? ● What is a vulnerability? ● Sample exploit of CVE-2017-7525 ● Preventive measures ● Common delusions ● Conclusions ● QA
  • 4. `@bbossola 11/2016 - San Francisco MTA CVE-2015-4852
  • 5. `@bbossola 03/2017 - Canada Revenue Ag CVE-2017-5638
  • 7. `@bbossola Why open source libraries??? ● you want to deliver code fast ● you do not rewrite code that's already available – logging – serialisation for JSON / XML – communication via common protocols – web frameworks – client frameworks ● you need state-of-the-art algorithms – encryption library like Bouncycastle – recommendations library like librec ● Eighty percent of the code in today’s applications come from libraries and frameworks
  • 8. `@bbossola How are libraries used? Direct dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
  • 9. `@bbossola How are libraries used? Transitive dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
  • 10. `@bbossola CVE-2017-17485 A simplified view :) Sample project 1.0 spring-boot 1.4.7 spring-core 4.3.9 snakeyaml 1.17 logback 1.1.11 slf4j 1.7.25 jackson 2.8.8 CVE-2017-5929 CVE-2018-5968 CVE-2017-15095 CVE-2017-7525 Images courtesy of 1001freedownloads.com
  • 11. `@bbossola What is a vulnerability? A weakness in a library that will allow an attacker to compromise the underlying system. You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release. Examples: ● vert.x 3.5.1 (latest on 10/04/2018) ● struts 2.5.16 (latest on 10/04/2018) ● spring boot 1.5.9 (released on 09/2017)
  • 12. `@bbossola Demo Exploiting CVE-2017-7525: how to remotely execute java code – Starring ● Jackson-Databind ● Your server – Supporting actors ● JSON deserialisation ● Xalan
  • 13. `@bbossola Preventive measures ● Integrate a library scan in your CI/CD ● Different options available – big commercial powerhouses ● blackducksoftware – small commercial targeted solutions ● bithound.io (nodejs) ● hakiri.io (ruby) ● meterian.io (java) – opensource options ● dependency-check ● github SHAMELESS PLUG! Images courtesy of freepik.com WARNING!!! SHAMELESS PLUG HERE!
  • 14. `@bbossola Preventive measures What a detection system would have said?
  • 15. `@bbossola Common delusions Images courtesy of freepik.com “Hello, I am the tech savvy engineering leader!"
  • 16. `@bbossola Common delusions - 1 Images courtesy of freepik.com “My code is not using that function, I am perfectly safe"
  • 17. `@bbossola Common delusions - 2 Images courtesy of freepik.com “I am shielded by my input validation, I am perfectly safe”
  • 18. `@bbossola Common delusions - 3 Images courtesy of freepik.com “I am running a periodic penetration test, I am safe”
  • 19. `@bbossola Conclusions ● Every project uses open source libraries ● Exploits for common vulnerabilities in open source libraries are out there ● They are easily exploitable (c'mon, I did one in two hours!!!) ● The only solution that can work is putting in place a prevention mechanism ● DO IT NOW!
  • 20. `@bbossola Q&A Public datatabases: https://cve.mitre.org/ https://nvd.nist.gov/ The code used today: https://github.com/bbossola/vulnerability-java-samples OWASP dependency-check: https://www.owasp.org/index.php/OWASP_Dependency_Check Meterian: https://www.meterian.io

Editor's Notes

  1. Introduce meterian clearly“we help companies to ship software without vulnerabilities” startup, I am a cofounder with Vivian (PM)
  2. San Francisco Metropolitan Transit Agency 2,112 systems impacted A weekend of free rides Exploit on object serialisation issue in apache commons-collections, sending crafted binary traffic over the T3 protocol Operation Rosebud: a team of 50 Google employees used GitHub to patch the “Apache Commons Collections Deserialization Vulnerability” in thousands of open source projects Note that the attack was in 2016 while the vulnerability was from 2015!
  3. Canada Revenue Agency Undisclosed impact (or “nothing happened, trust us”) Exploit a vulnerability in the multipart parser in Apache Struts2which allows remote attackers to execute arbitrary commands via a crafted header Zero day vulnerability
  4. Equifax, one of the three biggest credit rating agencies in the USA 143 millions US citizens impacted 44 millions UK citizens impacted Exploit (again) a vulnerability in the multipart parser in Apache Struts2 almost 3 months after it was public (remember CRA?) announced only in September
  5. logging (jokes logging and his history, about NIH syndrome) web: spring, jersey, dropwizard js: jquery, bootstrap, angular Bouncycastle: more cipher suites and algorithms, ability to read arcane formats like PEM and ASN.1 librec (more than 70 algorithms)
  6. spring is #1 on hotframeworks.com / java struts is #5 on hotframeworks.com vert.x is #6 on hotframeworks.com