Security BSides Las Vegas 2025

Megg Sage

Megg is an application security engineer with a background in web development. She was drawn to security by the endless puzzles and challenges the field presents. Megg is passionate about sharing knowledge—especially when she can educate her audience and frighten them a touch at the same time. After all, what can happen when security goes wrong is pretty scary. She enjoys collaborating closely with software engineering teams to integrate security into existing development practices, aiming to minimize how painful "doing security" can be. When not behind a computer, Megg can often be found crafting costume pieces or shiny objects.


Session

08-05
17:30
25min
Malicious Packages - they're gonna get ya!
Allan Friedman, Megg Sage

Supply chain security has been all the rage recently - we keep hearing over and over again about how numerous malicious packages have been found on this package repository or that. This talk gives an overview of malicious packages and the different ways they can pose a danger: from simple mistakes like mistyping a package name all the way up to well-known and loved packages being compromised.

So how can we protect ourselves from these threats? There are various options, such as checking package health, source code reviews/scans, or use of tooling such as software composition analysis (SCA) tools. SCA scans, while very useful for vulnerability scanning, cannot be relied upon to protect against malicious packages. This talk will discuss their blind spots and other options for adding further protection. It will further reinforce that security should always take a multi-layered approach.

Proving Ground
Firenze