Live Exploiting Your Open Source Dependencies with Brian Vermeer

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻 on July 23, 2020

Bio: Developer Advocate for Snyk and Software Engineer with over 10 years of hands-on experience in creating and maintaining software. He...

So happy to hear about security through development, thanks for introducing this topic, Brian.


As a beginner, this is all new to me but glad I'm learning it now rather than later!


This talk is so important, dependencies break code many times.


Wow. This talk makes me pretty scared. But also makes me feel like I want to learn how to hack :)


I feel exactly the same! I'm definitely going to dive down a DevOps rabbit hole to try to learn more.


I think that's exactly how the talk should make us feel 😅


Are there tools to check if your site is secure? This talk is definitely highlighting the fact that I need to learn security!


Take a look at snyk.io to help you out.
Another cool thing would be to install the Vuln Cost extension if you are using VSCode


Thank you so much for answering my question. That's a great tip!


Wow, this is really eye-opening! I never thought about the fact that we borrow so much.


The "left pad" moment was a real moment for my own discovery here 😄


Thanks for the talk Brian.


This is must-watch.


What a super interesting person.


I just transitioned from product engineer to DevOps this quarter, and I'm starting to learn that I should care about these things. Thank you so much for your contribution, @brianverm!


He is so informative. I want to be him when I "grow up"


Don't ever grow up :)
At least that is what they told me ;)


I wish I would've gotten that advice! Guess that's why I'm starting my coding journey so late! I'm very interested in dev sec ops. I never knew that existed before your talk. Thanks again.


I'm having a lot of fun, I'm loving this, I'm only missing a popcorn bag here. How smoothly you are breaking things!


Are there any recommended sources for learning more about DevSecOps and how to implement it? Specifically towards an organization that is not yet using DevOps but would like to?


There is a bunch of stuff.


After listening to Darknet Diaries, this is the first time I've watched someone do something hacky. So cool!


Looking forward to learning a lot from this talk 🔥


Thanks, Brian. A real eye-opener.


Cool exploits!


Just scored some #CodelandDistributed Swag :)


Amazing talk!


This talk was so interesting! I can't wait to dig into this more!


Man, I love Snyk. I merge every pull request you make, I don't even review it. So cool, man.


This exploit sounds like Arbitrary Code Execution as a Service.


This talk is a great reminder to really mind the dependencies you introduce to your application.


LOL. Yeah. Hot garbage in JS.


This is all so interesting!!


Great talk! Security is so important. Integration between each group is a great thing!


Of course I want to update dependencies, but only if I'm 100% sure that the main code doesn't break.

Also, why would I update devDependencies, if it doesn't go into production, anyway?


Not saying you must do anything :)
I totally get your point with dev deps. Snyk, for instance, will omit the dev deps by default when scanning. However, you can change that if you like.

On the 100% commit. This is true! But I assume you have tests in place that will cover the critical paths at the very least. However, when a dependency has vulns, you should IMO switch to a fixed version (or another library) and adapt the rest of your application.

Either way, having a solid dependency management strategy in place is crucial.
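The exchange above (omit dev deps by default, opt in to scanning them, move to a fixed version when a dependency has a known vulnerability) as an added worked example. This is illustrative code written for this thread, not Brian's talk material and not Snyk's tooling. The package manifest, the lockfile-style map of resolved versions, the parent relationship and the advisory list are all constructed sample data; the advisory entries are placeholders, not a substitute for a real vulnerability database. Real scanners resolve semver ranges and full dependency graphs, which this exact-version comparison deliberately does not attempt.

```javascript
// Added example: report known-vulnerable packages in a dependency tree,
// split by scope (production vs development), with the first fixed version.
// Illustrative code for this comment thread; not Snyk's or the speaker's code.

// Constructed package.json declaring direct dependencies.
const manifest = {
  dependencies: { "left-pad": "^1.2.0", lodash: "^4.17.10" },
  devDependencies: { mocha: "^7.1.0", minimist: "^1.2.0" },
};

// Constructed lockfile-style map of the versions actually installed,
// including one transitive package that is only reached through mocha.
const lockfile = {
  "left-pad": "1.2.0",
  lodash: "4.17.10",
  mocha: "7.1.0",
  minimist: "1.2.0",
  "yargs-parser": "13.1.1", // transitive, introduced by mocha (constructed)
};

// Constructed parent links: transitive package -> package that requires it.
const parents = { "yargs-parser": "mocha" };

// Constructed advisory list: package, first version without the issue, severity.
// Placeholder records for illustration only; consult a real advisory database.
const advisories = [
  { pkg: "lodash", fixedIn: "4.17.19", severity: "high" },
  { pkg: "minimist", fixedIn: "1.2.3", severity: "medium" },
  { pkg: "yargs-parser", fixedIn: "13.1.2", severity: "medium" },
];

// Compare two dotted numeric versions: -1 if a < b, 0 if equal, 1 if a > b.
// Exact versions only; no semver ranges, pre-release tags or build metadata.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the parent chain up to the direct dependency that pulled a package in.
function rootOf(pkg) {
  let current = pkg;
  while (parents[current]) current = parents[current];
  return current;
}

// Classify a package by the scope of the direct dependency that introduced it.
function scopeOf(pkg) {
  const root = rootOf(pkg);
  if (manifest.dependencies[root]) return "prod";
  if (manifest.devDependencies[root]) return "dev";
  return "unknown";
}

// Return findings for installed packages below their fixed version.
// includeDev=false mirrors the "omit dev deps by default" behaviour discussed
// in the thread; pass includeDev=true to see build-time exposure as well.
function audit({ includeDev = false } = {}) {
  const findings = [];
  for (const adv of advisories) {
    const installed = lockfile[adv.pkg];
    if (!installed) continue; // not in this tree at all
    if (compareVersions(installed, adv.fixedIn) >= 0) continue; // already fixed
    const scope = scopeOf(adv.pkg);
    if (scope === "dev" && !includeDev) continue;
    findings.push({
      pkg: adv.pkg,
      installed,
      fixedIn: adv.fixedIn,
      severity: adv.severity,
      scope,
      via: rootOf(adv.pkg),
    });
  }
  return findings;
}

// Usage: production-only view first, then the full picture including dev deps.
console.log("prod only:", JSON.stringify(audit()));
console.log("with dev:", JSON.stringify(audit({ includeDev: true })));
```

With the constructed data, the default run reports only lodash (a production dependency), while the opt-in run adds minimist and the transitive yargs-parser, both reported "via mocha" so you can see which direct dependency to bump. The "fixedIn" field is the version to move to, which is the "switch to a fixed version" step from the reply; the tests you already have for the critical paths are what tell you whether that bump broke anything.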
