Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Security of go modules and vulnerability scanning in GoCenterDeep Datta
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Tegra 186 (Tegra-P1 : Pascal GPU搭載のTegra)のu-bootとLinuxについて、
特に、BPMP (Boot and Power Management Processer)に関してです。
About u-boot and Linux of Tegra 186 (Tegra-P1: Tegra with Pascal GPU)
In particular, it is about BPMP (Boot and Power Management Processer).
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.
My lightening talk given at GopherCon EU on June 18th!
Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared packages are safe.
One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, we’ll go over the behavior of the checksum database, how it protects Go modules, and how the merkle-tree works.
Now, while the checksum authentication feature helps create trust among developers, it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the gosumdb will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced in the very first commit.
Luckily, GoCenter can now tell you when any Go module has a known vulnerability. We’ve brought the power of JFrog Xray’s security scanning to this reliable repository of Go modules for the Golang developer community.
Security of go modules and vulnerability scanning in GoCenterDeep Datta
Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Tegra 186 (Tegra-P1 : Pascal GPU搭載のTegra)のu-bootとLinuxについて、
特に、BPMP (Boot and Power Management Processer)に関してです。
About u-boot and Linux of Tegra 186 (Tegra-P1: Tegra with Pascal GPU)
In particular, it is about BPMP (Boot and Power Management Processer).
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.
My lightening talk given at GopherCon EU on June 18th!
Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared packages are safe.
One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, we’ll go over the behavior of the checksum database, how it protects Go modules, and how the merkle-tree works.
Now, while the checksum authentication feature helps create trust among developers, it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the gosumdb will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced in the very first commit.
Luckily, GoCenter can now tell you when any Go module has a known vulnerability. We’ve brought the power of JFrog Xray’s security scanning to this reliable repository of Go modules for the Golang developer community.
Finding target for hacking on internet is now easierDavid Thomas
Finding target on internet for penetration testing involves searching internet using google or using Google Hacking/Dorking. There are google hacking queries available on internet, according to ethical hacking researcher of International Institute of Cyber Security it is the main source of passive attacks on internet. This whole process of finding target on internet using GHDB is automated using python based framework named as Katana framework.
Android applications are an interesting target for
reverse engineering. They are written in Java, which is tradi-
tionally good to decompile and are executed by Google’s custom
Java virtual machine, making them interesting to study. In this
paper we present the basic methods and approaches as well as
the necessary tools to reverse engineer Android applications. We
discuss how to change Android applications and show alternative
approaches including man-in-the-middle attacks and automation.
How to reverse engineer Android applications—using a popular word game as an ...Christoph Matthies
Short introduction to the basic methods and techniques used in reverse engineering Android applications. A popular word game is used as an example app.
The slides describe obtaining the application code, decompiling it, debugging Android applications, using a proxy server (Man-in-the-Middle) to extract communication protocols and automating Android applications.
Published under CC BY-NC-SA 3.0
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. This is the sandbox used in the Vivaldi, Brave, Chrome and Opera browsers among others. The Chromium Sandbox has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox in detail and go through how the Linux implementation fulfills these requirements.
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
This is a slide deck is a step by step tutorial on how to use the all new WSO2 Microservices Server (WSO2 MSS).
This presentation will include
Basics of microservices
An introduction to WSO2 MSS
Running first samples
Understanding the role of containers and Kubernetes together with WSO2 MSS
Getting metrics and snalytics from microservices using JMX and WSO2 Data Analytics Server
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
Similar to Security of Go Modules and Vulnerability Scanning in VSCode (20)
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
3. 3
Agenda
● Dependency management in Go v1.13 and Go modules
● Checksum database concepts
● Committing a new Go module to the checksum database
● Vulnerability information in GoCenter
● DEMO: Security in VSCode
● Q&A
● Introduction
5. 5
Dependency management and Go Modules
Go 1.11 Introduced Go Modules
module main.go
go 1.13
require
github.com/sirupsen/logrus
v1.4.2
go.mod
github.com/davecgh/go-spew v1.1.1/go.mod
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequenc
es v1.0.1/go.mod
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/pmezard/go-difflib v1.0.0/go.mod
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2
h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod
h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.1/go.mod
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys
v0.0.0-20190422165155-953cdadca894
h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
golang.org/x/sys
v0.0.0-20190422165155-953cdadca894/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
go.sum
Go 1.13 Go Modules become
standard
Basic data security and
data integrity with go.sum
and go.mod
The go mod init command wrote
a go.mod file
you will see a file called
go.sum gets created
glide, gopath, dep, vendoring...
7. 7
SHA-256
cryptographic hash algorithms produce irreversible and unique hashes
Irreversible because you can’t use the hash to figure out what the original piece of data was
Unique means that two different pieces of data can never produce the same hash
8. 8
ChecksumDB and the Merkle Tree
At its core, a Merkle Tree is a list of items representing the data that should be verified.
data data data data
hash hash hash hash
hash hash
hash
go.sum data
Each of these items is inserted into a leaf node and a tree of hashes is constructed.
If you change the data, the hash will also change - all the through the tree.
root
9. 9
checksum database
Module 1
(go.sum)
Module 2
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
10. 10
The checksum database ensures that the go command
always adds the same lines to everyone's go.sum file.
https://sum.golang.org/
Whenever the go command receives new source code, it
can verify the hash of that code against this global
database to make sure the hashes match…
...ensuring that everyone is using the same code for a
given version.
11. 11
How hashes protect you
Module 1
(go.sum)
Module 1
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
Minor content change
12. 12
Let’s say you
create your first
Go module.
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
You save it as mod1
go.mod go.sum
main.go
15. 15
Both versions have been committed to the checksum db
github.com/dee
pda/mod1
github.com/dee
pda/mod1/v2
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
16. 16
If someone
imports….
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
mod1
main.go
They open
themselves up to
a XSS (cross site
scripting) attack
...imagine if your app is a
dependency for other
projects...
17. 17
Let’s summarize so far
go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported
go.mod stores a list of each dependency and version
Hashes are used to detect misbehavior by an origin server or proxy that provides
different code for the same version
However, the go.sum file has a limitation, it works entirely
by trust based on user’s first use...
Vulnerabilities will remain in that version of the module
18. 18
Introducing JFrog GoCenter with Xray Security
GoCenter is a GOPROXY that caches metadata and source code in its
own storage system.
This allows the mirror to continue to serve source code that is no longer
available from the original locations thus speeding up downloads and
protect users from the disappearing dependencies.
export GOPROXY=https://gocenter.io
GoCenter has every version of a publically available module.
22. 22
Every module and version is scanned and actively provides a security warning
github.com/dee
pda/mod1
github.com/dee
pda/mod1/v2
Versions tab also shows you which version are safe...or not.
24. 24
Next: Building a Golang Project in VSCode
Inside VSCode, type “JFrog” to find the free security scanning extension
25. 25
Building my first Web application with Go in VSCode
A basic web application viewed in the browser with Go
Using GORM and sqlite to configure a database
Security alert in Visual Studio Code with JFrog Extension