Mitigating Open-source Software Supply Chain Attacks With OSSIBOT
11-09, 17:25–17:45 (UTC), Room 3

Software package managers have become a vital part of the modern software development process. They allow developers to easily adopt third-party software and streamline the development process. However, bad actors today reportedly leverage highly sophisticated techniques such as typo-squatting and social engineering to “supply” purposefully harmful code (malware) and carry out software supply chain attacks. For example, eslint-scope, an npm package with millions of weekly downloads, was compromised to steal credentials from developers.

We are building a large-scale automated vetting infrastructure to analyze millions of published software packages and provide actionable insights into their composition and security posture. In this presentation, we will cover the technical details of our system and introduce a free tool for developers to detect accidental installation of “risky” packages and mitigate software supply chain attacks. We have already detected a number of abandoned, typo-squatting, and malicious packages. We will present our findings, highlight different types of attacks and measures that developers can take to thwart such attacks. With our work, we hope to enhance productivity of the developer community by exposing undesired behavior in untrusted third-party code, maintaining developer trust and reputation, and enforcing security of package managers.
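The abstract above names typo-squatting as one of the attack techniques the vetting infrastructure flags. The following is an added, self-contained illustration of the simplest form of such a check (edit distance against a list of well-known package names); it is not OSSIBOT or Ossillate's code, the set of "popular" names is a constructed sample, and the distance threshold of 2 is an assumed heuristic rather than anything the talk states.

```python
"""Added example: flag package names that are a few edits away from a
well-known package. Not the OSSIBOT tool; names and threshold are assumptions."""
from typing import Optional

# Constructed sample of well-known npm package names. In a real deployment this
# list would be derived from download statistics rather than hard-coded.
POPULAR_PACKAGES = {
    "eslint-scope", "lodash", "express", "react", "request", "chalk", "commander",
}

# Assumed heuristic: a name within 2 edits of a popular package deserves review.
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution / match
        prev = cur
    return prev[-1]


def typosquat_candidate(name: str,
                        popular=POPULAR_PACKAGES,
                        max_distance: int = MAX_DISTANCE) -> Optional[str]:
    """Return the popular package `name` most closely resembles, or None.

    An exact match is the legitimate package itself, not a typosquat, so it
    returns None. Otherwise the closest popular name within `max_distance`
    is reported so a reviewer can decide whether to block the install.
    """
    name = name.lower()
    if name in popular:
        return None
    best, best_d = None, max_distance + 1
    for p in popular:
        d = levenshtein(name, p)
        if d < best_d:
            best, best_d = p, d
    return best


if __name__ == "__main__":
    # Constructed candidate names: two legitimate, three near-misses.
    for candidate in ["lodash", "typescript", "loadsh", "expres", "eslint-scop"]:
        print(f"{candidate:12s} -> {typosquat_candidate(candidate)}")
```

The check is deliberately one-sided: it only says a name is suspiciously close to a popular one, which a vetting pipeline would then combine with other signals (maintainer history, install-script behaviour, download counts) before calling a package risky.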

Ashish holds a Ph.D. in Computer Science from Georgia Institute of Technology. He has over 8 years of industry experience, from working at startups as well as Fortune 100 technology companies. Currently, Ashish leads research and development at Ossillate, a cybersecurity startup that he founded while a graduate student. He has a record of highly visible research, including 4 software patents and 8 peer-reviewed academic papers in top-tier Computer Science conferences. He has also presented his work at premier industry conferences, such as Open Source Summit and Linux Plumbers Conference.