We hope you enjoyed the event!
IMPORTANT: Due to the current Covid-19 situation, we will follow the "3G" rule for this event. For more information on what that means, check here: https://coronavirus.wien.gv.at/faq-english/#3GRule
Wednesday, 27 October 2021 at 18:30
Loose Libs, Sink Ships: The Security Perils of Software Dependencies
By Thomas Konrad

Have you ever started a “Hello World” test project with a modern JavaScript framework and then counted the lines of code in your node_modules directory? There are literally millions of lines of code, written by people who know how to write high-quality software, and by people who don’t. How can we know that everything in there is legitimate? How can we know there is no malicious intent by anyone? How can we know there is no known vulnerability in my dependencies? How can we even know that’s the right library?

While the questions above are not new, they gained new traction through two recent large-scale supply chain attacks: the SolarWinds attack and the Dependency Confusion attack carried out by a security researcher, the latter resulting in more than $100,000 in bug bounties. The Dependency Confusion attack leveraged a flaw in package management systems, especially the Node Package Manager (NPM).

In this talk, we’ll draw a bigger picture of the security problems that come with a large number of dependencies, and we’ll talk about solution approaches. Here’s the talk outline:
• Supply chains in the “real world” vs. in software
• Popular software supply chain incidents with technical details
• Supply chain insecurity in software
• Countermeasures by the “software society”
• Countermeasures during development
• Countermeasures during build
• Countermeasures during operations
• Advanced countermeasures like verifiable builds and farm-to-table guarantees
• Further reading resources
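The abstract names dependency confusion as an npm problem and lists "countermeasures during build" in the outline. As an added illustration of one such build-time check (this is editorial example code, not material from the talk or the speaker), the script below audits an npm lockfile for the pattern the attack abuses: an internal package name that resolves from the public registry. The @acme scope, the host registry.acme.example, the name acme-build-tools and the sample lockfile are all made up for the example.

```javascript
// Added example, not code from the talk: audit an npm lockfile (v2/v3
// format) for dependency-confusion exposure before `npm ci` runs in CI.
// The scope, registry hosts and package names below are made up.

// Assumed organisational policy (hypothetical values):
//  - everything under the @acme scope must resolve from the private registry
//  - acme-build-tools is an unscoped internal name: anyone can claim it on
//    the public registry, which is exactly what dependency confusion abuses
const POLICY = {
  internalScope: "@acme",
  privateRegistry: "registry.acme.example",
  internalUnscopedNames: new Set(["acme-build-tools"]),
};

// Lockfile keys look like "node_modules/foo" or
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/".
function packageNameFromLockKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns a list of findings; an empty list means the lockfile is clean
// under the policy. Throws on lockfileVersion 1, which has no `packages` map.
function auditLockfile(lock, policy = POLICY) {
  if (!lock.packages) {
    throw new Error("lockfileVersion 2 or 3 required (no `packages` map)");
  }
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue; // the root project entry
    const name = packageNameFromLockKey(key);
    const scoped = name.startsWith(policy.internalScope + "/");
    const internal = scoped || policy.internalUnscopedNames.has(name);
    if (!internal) continue; // public packages are out of scope for this check

    // An unscoped internal name is a standing risk even if it currently
    // resolves correctly: regenerating the lockfile can flip it to a public
    // package with a higher version number.
    if (!scoped) findings.push({ name, rule: "unscoped-internal-name" });

    if (!entry.resolved) {
      findings.push({ name, rule: "missing-resolved" });
      continue;
    }
    let host;
    try {
      host = new URL(entry.resolved).host;
    } catch {
      findings.push({ name, rule: "bad-resolved-url", resolved: entry.resolved });
      continue;
    }
    if (host !== policy.privateRegistry) {
      findings.push({ name, rule: "internal-from-wrong-registry", host });
    }
    if (!entry.integrity) findings.push({ name, rule: "missing-integrity" });
  }
  return findings;
}

// The .npmrc line that pins the internal scope to the private registry
// (real npm syntax: "@scope:registry=URL").
function npmrcForPolicy(policy = POLICY) {
  return `${policy.internalScope}:registry=https://${policy.privateRegistry}/\n`;
}

// Constructed sample lockfile, not taken from any real project. The
// acme-build-tools entry models the confusion case: an internal name that
// resolved from the public registry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@acme/utils": {
      version: "2.1.0",
      resolved: "https://registry.acme.example/@acme/utils/-/utils-2.1.0.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/acme-build-tools": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-build-tools/-/acme-build-tools-99.0.0.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-CCCC",
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
  process.stdout.write(npmrcForPolicy());
}
```

Run as a Node.js script (node audit-lock.js) against the sample, it reports two findings, both for acme-build-tools: the name is unscoped and therefore claimable by anyone on the public registry, and the lockfile actually resolved it from registry.npmjs.org. The scoped @acme/utils passes because its resolved URL points at the private host. Pinning the scope in .npmrc, as npmrcForPolicy() prints, removes the public-registry fallback for that scope; the lockfile check then catches the remaining unscoped names that still need renaming.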
Nx - the easy choice
By Miroslav Jonas

We live in a world constantly being bombarded with choices. Choices that drain our time and energy. How do you decide? Are you a randomiser, an analyst, or a follower?

Let me enlighten you on what benefits you may reap by using Nx (and monorepos) in various project sizes and setups.
Let me show you the easy and obvious choice you were missing this whole time.
Let me help you save your time and energy.
Our sponsors allow us to provide free drinks and pizza at our meetups.
For millions of teams worldwide, Meister products are an indispensable part of a successful working life. We create stunningly-designed, team-focused and user-friendly tools that bring joy to work and simplicity to collaboration. Our users, products and team all work beautifully together.
Based in Vienna, with offices in Munich and Seattle, our ever-growing team has evolved into a tech powerhouse that embodies the best of both worlds for more than 100 talented employees. You could be one of them: make the leap and join an established software company that maintains that special startup vibe. Find our open positions here: https://www.meisterlabs.com/jobs/
SPONSOR OUR EVENT
We are currently looking for sponsors to cover free beer and free pizza. Contact Flora at fp@codeq.at