This lecture summarizes the research we have done in this past crazy year - where we learned how important it is to track down our dependencies, and why the package managers that we rely on to assist us may not be as trustworthy as we think. All of us use package managers every day - on our computers, in our CI/CD environments, or in our production environments. The package managers are supposed to "have our back" - download our dependencies and make sure we are using up to date versions without harming our stability and security. But sometimes, because they are software that was built and designed by humans, these package managers fail us. This session will highlight the range of possible problems that package managers can introduce. We will show you our research about the weaknesses of different package managers, how we executed unauthorized code through them, forced the package manager to download different dependencies, bypassed lock and hashing mechanisms, and more. Finally, we will demonstrate good vs. bad package manager usages from live examples found on the internet.
Presented at Security Fest 2022.Speaker: Rotem Bar
Rotem Bar has over a decade of experience in the security field including penetration testing both application and network, design reviews, code reviews, architecture reviews, tech management, and of course development. Over the years Rotem has gained experience in a diversity of industries from the financial services, to insurance, through high-tech & the automotive industry, along with other complex environments. Today Rotem is the Head of the Marketplace team at Cider Security, which is focusing on revolutionizing CI/CD security and the how we secure our applications. During his free time, Rotem plays with robotics, bug-bounty programs and and enjoys traveling with his family.