2024-07-05, 11:00–11:20 (Europe/Paris), Amphitheater
In the landscape of software development, leveraging open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust has become standard practice. This approach facilitates the rapid integration of diverse functionalities into applications, driving both innovation and efficiency across the development community. While the benefits of using these resources are clear, the management of external dependencies introduces a set of considerations regarding security and maintainability.
Inspired by Alex Birsan's blogpost on Dependancy confusion, we are going to introduce the tool Depfuzzer. This tool enables the search for failing dependencies across various projects.
The tool will initially list all the dependencies of the projects and then gather information for each of them from the website https://deps.dev/. From there, it is possible to determine if a dependency exists and is still maintained.
Other checks have also been added, such as the validity of the maintainer's email, for example.
The presentation will be conducted as follows :
- A quick introduction about the speakers.
- A quick introduction to software development registries landscape.
- A description of how the tool works.
- Cases encountered during our audits.
- Mitigation proposal.
Hi, I'm Kévin Schouteeten, a pentester at Synacktiv, a French company dedicated to offensive information security. Over the last 16 years (yes, I'm old), I've had multiple careers, first as a developer, then as a malware analyst, and now as a penetration tester. Since joining Synacktiv, I've been able to work with a wide variety of technologies, but this latest discovery regarding Azure environments and Kubernetes has pushed me to prepare this talk.
Developer & Pentest @ Synacktiv