[Workshop] Securing Your Open Source Workflow with GitHub Security Lab, Sonatype and Snyk | March 16th, 2023

[marcosbergami]

For Speaker(s):

Speaker info

Liran Tal

Name: Liran Tal GitHub Handle: @lirantal Bio:

Liran Tal is an award-winning software developer, security researcher, and open source champion in the JavaScript community. He's an internationally recognized GitHub Star, acknowledged for his open source advocacy, and has received the OpenJS Foundation's Pathfinder for Security for his work on Node.js security. His contributions to developer security education include leading OWASP projects, building supply chain security tools, participation in CNCF and OpenSSF initiatives, and authoring books such as O'Reilly's Serverless Security. He leads the developer advocacy team at Snyk.io and is on a mission to empower developers with better application security skills.

LinkedIn: https://www.linkedin.com/in/talliran/

Speaker Name

Name: GitHub Handle: Bio: LinkedIn:

Workshop Links

Zoom Link: https://github.zoom.us/j/97013759503?pwd=aDd5NmNKQTNsbGlLQWhuSm4vVEFGdz09 Eventbrite link: https://www.eventbrite.com/e/securing-your-open-source-workflow-with-github-security-lab-and-snyk-tickets-532730861347?aff=ebdsoporgprofile Notion Card Link: https://programequity.notion.site/Securing-Your-Open-Source-Workflow-with-GitHub-Security-Lab-and-Snyk-36173ea5919c4922be0ac11f16fff56f

Presentation Overview

Presentation Materials

• Link to slides:
• Link to additional resources (optional)
• Link to post-session feedback survey (optional)

Operations

• [ ] Send the following copy in chat following your presentation: https://github.com/ProgramEquity/open-source-mentorship/blob/main/Workshops/post_workshop_links.md
• [ ] Link to the slide deck

---

For Organizers:

Pre-workshop

• [ ] Speaker confirmed for the date and time with calendar invite
• [ ] Slide content in shared drive
• [ ] (optional) zoom poll set up
• [ ] (optional) dress rehearsal if requested

  Post-workshop

• [ ] content updated in https://github.com/ProgramEquity/open-source-mentorship/blob/main/Workshops/
• [ ] speaker filled out post-workshop survey
• [ ] Content updated in Notion card and recording uploaded

[lirantal]

Hi folks,

I'm sharing here in a more broad audience some ideas for topics

Open source ecosystem

How security research powers health of supply chain

• Research on vulnerable VS Code extensions (see here)
• Research uncovers malicious packages in the ecosystem (see here)
• Lockfile injection research from back in 2019, lead to:
  • open source lockfile-lint static analysis tooling that has been adopted by maintainers
  • package managers like Yarn were inspired by this and Yarn 3 now includes built-in trust & integrity checks for that
  • GitLab Security team presenting about it in BlackHat Europe 2021 :-)

What are CVEs

Methods for publicly sharing information on cybersecurity vulnerabilities and exposures

• Should we talk about SBOMs or don't want to bore folks with that? :) might be interesting to relate that to the executive president cybersecurity order to show how important it is
• Bug bounties? (or did you hope to cover it under open source ecosystem ?)
• Discussion around "not every CVE is a run to the hill" ?

Workflows for the ecosystem

How you can implement secret scanning, code scanning, and dependencies

• How about we chime in one developer & maintainer security as well? 2FA, do not allow to run arbitrary code on install, etc?

Demo

Resolving a security advisory

• Would it be fitting to show a vulnerable code at the IDE level with the Snyk extension? I cloned the amplify repo and scanned it with Snyk and can show how helpful secure coding advice in the IDE can help prevent vulnerabilities during development time, before the end up deployed.

[lirantal]

Also, I see we have draft slide deck worked out here if that's the relevant one still to use? if so, happy if you can add me to edit :)

[marcosbergami]

Also, I see we have draft slide deck worked out here if that's the relevant one still to use? if so, happy if you can add me to edit :)

Hey @therzka, can you please confirm if the slide deck noted in the Notion page is still relevant to use in this workshop ? Thank you!

[therzka]

@marcosbergami I don't have permission to share that one right now and there's obviously not much there anyway :) feel free to start a new one and share the link here.

@lirantal I love the topics you've outlined above... leaning towards high level is better but feel free to run with any/all of them. Definitely like the idea of touching on what CVEs and bug bounties are, how CVEs are discussed publicly.

also, hi Twitter friend!

[lirantal]

Hi there Tali 🤗 and thanks for the feedback. Looks like we're on track. Let's get a slide deck shared and we can pour some content into it.