Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale

Over the last decade, there has been steady growth in the adoption of open-source components in modern web applications. Although this is generally a good trend for the industry, the practice carries risks that require careful attention. In this talk, we will describe a simple but pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale.

Our solution at Netflix is focused on identifying, triaging, and eliminating vulnerabilities in common software packages and their transitive dependencies.

This talk will cover the following topics:

  • A brief history of open source security and vulnerabilities
  • Reasons why this attack surface is still a problem in modern open-source libraries
  • Methods that attackers use to exploit vulnerabilities in open-source libraries
  • Reasons why it is easy to carry out attacks against any organization

We will then explore how the Netflix AppSec team has worked to solve the problem at scale, describing the various stages in our automation strategy and the tools that we are using to help us achieve our goals.
