DevSecOps Podcasts

Open Source Vulnerabilities - Who is Ultimately Responsible

Dec 3, 2018 8:03:10 AM By Mark Miller

In this broadcast, I speak with Chris Roberts, Advisor with Attivo Networks, R&D with HHS, and Derek Weeks, Sonatype, about lines of responsibility and npm package highjacking in light of the event-stream vulnerability announcement last week..

The announcement of the event-stream npm package vulnerability has once again raised the issue of who it ultimately responsible when a breach like this is announced. Is it the original creator of the package? What about the team maintaining the package? Where does' the end user fit it in? How does social engineering come into play?

Slides from our Discussion

Slide 01

Slide 02

Slide 03

Slide 04