Transitive vulnerabilities are the type of security issue developers hate most, and for good reason: transitive dependencies are the most common source of vulnerabilities in software projects. Yet only a tiny fraction of them are exploitable. This talk presents our research findings on quantifying the risk of known vulnerabilities in modern software applications and on the prevalence of exploitable transitive dependencies in real-world applications. While each individual vulnerability may have only a slight chance of being exploited, the sheer number of transitive dependencies amplifies the aggregate risk significantly. This data underscores the importance of the discussion and the need for effective strategies to mitigate these risks in your software projects. We will present a PoC exploit for a real-world transitive dependency vulnerability and demonstrate how an attacker can compromise an application by exploiting a vulnerable transitive dependency. We will also discuss practical strategies for mitigating the risks associated with transitive dependencies and how to prioritize addressing them in your threat model.
By: Eyal Paz | VP of Research, OX Security
Liad Cohen | Data Scientist and Security Researcher, OX Security
Full Abstract and Presentation Materials: https://ift.tt/2u1gySM
source https://www.youtube.com/watch?v=DVlFHen9hh0
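The abstract's central point is that a vulnerable package being present in the dependency tree is not the same as the vulnerable code being reachable from the application, and that prioritization should start from reachability. The following is an added illustration of that triage idea, written for this page; it is not code from the talk, from OX Security, or from any scanner, and the dependency graph, the advisories (package and function names) and the call graph are all constructed for the example. Real tooling would derive the dependency graph from a lockfile and the call graph from static analysis; the assumption here is simply that both are available as adjacency maps.

```python
"""Reachability-based triage of vulnerable transitive dependencies.

Added example for illustration; not code from the talk or from OX Security.
Every package, function, and advisory below is constructed (hypothetical).
"""
from collections import deque

# Constructed dependency graph: package -> packages it declares as dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["http-parser", "template-engine"],
    "json-utils": ["deep-merge"],
    "http-parser": [],
    "template-engine": ["string-escape"],
    "deep-merge": [],
    "string-escape": [],
}

# Constructed advisories: package -> functions an advisory marks as vulnerable.
ADVISORIES = {
    "deep-merge": {"merge"},            # hypothetical prototype-pollution sink
    "string-escape": {"escape_html"},   # hypothetical escaping bypass
    "http-parser": {"parse_chunked"},   # hypothetical request-smuggling bug
}

# Constructed call graph: "package.function" -> functions it calls.
CALL_GRAPH = {
    "app.handle_request": ["web-framework.route", "json-utils.load"],
    "web-framework.route": ["http-parser.parse_headers", "template-engine.render"],
    "json-utils.load": ["deep-merge.merge"],
    "template-engine.render": ["string-escape.escape_text"],  # not the vulnerable function
    "http-parser.parse_headers": [],
    "http-parser.parse_chunked": [],
    "deep-merge.merge": [],
    "string-escape.escape_text": [],
    "string-escape.escape_html": [],
}


def transitive_dependencies(graph, root="app"):
    """Return every package reachable from root with its shallowest depth (1 = direct)."""
    depth = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:  # BFS, so the first visit records the minimum depth
        pkg, d = queue.popleft()
        if pkg in depth:
            continue
        depth[pkg] = d
        queue.extend((child, d + 1) for child in graph.get(pkg, []))
    return depth


def reachable_functions(call_graph, entry_points):
    """Return the set of functions transitively callable from the entry points."""
    seen = set()
    stack = list(entry_points)
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(call_graph.get(fn, []))
    return seen


def triage(graph, advisories, call_graph, entry_points, root="app"):
    """Classify each advisory hitting the tree as 'reachable' or 'present-only'."""
    depth = transitive_dependencies(graph, root)
    reached = reachable_functions(call_graph, entry_points)
    result = {}
    for pkg, vuln_fns in advisories.items():
        if pkg not in depth:
            continue  # advisory does not apply: package is not in this tree
        hit = {fn for fn in vuln_fns if f"{pkg}.{fn}" in reached}
        result[pkg] = {
            "depth": depth[pkg],
            "transitive": depth[pkg] > 1,
            "status": "reachable" if hit else "present-only",
            "reachable_functions": sorted(hit),
        }
    return result


def prioritize(triaged):
    """Order packages for remediation: reachable first, then shallower in the tree."""
    return sorted(triaged, key=lambda p: (triaged[p]["status"] != "reachable", triaged[p]["depth"], p))


if __name__ == "__main__":
    report = triage(DEPENDENCY_GRAPH, ADVISORIES, CALL_GRAPH, ["app.handle_request"])
    for pkg in prioritize(report):
        print(pkg, report[pkg])
```

With the constructed inputs, all three advisories apply to transitive (non-direct) packages, but only `deep-merge` has its vulnerable function on a call path from the application entry point; the other two are present in the tree without any path to the vulnerable code, which is the distinction the talk's "present versus exploitable" framing rests on. Replacing the constructed maps with real lockfile and call-graph data is the part this example leaves to the reader.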