Open Source Vulnerabilities - Who is Ultimately Responsible
Dec 3, 2018 8:03:10 AM By Mark Miller
In this broadcast, I speak with Chris Roberts, Advisor with Attivo Networks, R&D with HHS, and Derek Weeks, Sonatype, about lines of responsibility and npm package highjacking in light of the event-stream vulnerability announcement last week..
The announcement of the event-stream npm package vulnerability has once again raised the issue of who it ultimately responsible when a breach like this is announced. Is it the original creator of the package? What about the team maintaining the package? Where does' the end user fit it in? How does social engineering come into play?