
⚡ Lightning Talk: My First Supply Chain Security Pull Request as a 13-Year-Old

Authors:   Neil Naveen


Summary

The speaker, a 14-year-old programmer, shares their experience of contributing to open-source supply chain security by adding Dependabot to the GH CLI tool.
  • The speaker started coding at the age of 8 and has been practicing for 7 years, including solving LeetCode problems and creating AI combatants on CodeCombat.
  • The speaker's father introduced them to GH CLI, a tool for interacting with the GitHub API directly from the command line.
  • The speaker learned about Dependabot, a tool that proposes fixes whenever any of your dependencies have updates, and noticed that the GH CLI repository was not using it.
  • The speaker created a fix by adding Dependabot to GH CLI; the change was merged and helped secure this important project.
  • The speaker hopes to inspire young people to contribute to open-source projects regardless of their age.
The speaker's interest in contributing to open-source supply chain security was sparked by watching their father use GH CLI and Dependabot. They were amazed to see their father creating PRs from the command line and reviewing PRs opened by a bot that fought vulnerabilities in dependencies. That curiosity led the speaker to learn more about GH CLI and Dependabot, and they realized that GH CLI was not using Dependabot. They decided to add Dependabot to GH CLI to secure the project, and the change was eventually merged. The speaker hopes to inspire young people to contribute to open-source projects regardless of their age.

Abstract

I'm a 13-year-old who recently made my first contribution to GitHub's cli/cli security: https://github.com/cli/cli. Here are my PRs to https://github.com/cli/cli: https://github.com/cli/cli/pulls?q=author%3Aneilnaveen. I'll cover how I found the issue, why it was a problem and how I fixed it. One day, I was watching my dad work and saw that he was creating PRs from the command line. I was amazed. I asked him how he could do that, and he explained that he was using a tool called gh-cli. Later, he talked about Dependabot and how it could be used to secure open-source supply chains. Dependabot alerts the project if a dependency is being updated or has a vulnerability. I considered that adding Dependabot would increase the security of gh-cli. So I opened a PR to add Dependabot to cli.
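As an added illustration (not the speaker's actual PR, whose contents are not reproduced on this page), this is the kind of `.github/dependabot.yml` that such a change adds, assuming the repository uses Go modules and GitHub Actions workflows:

```yaml
# Example .github/dependabot.yml (constructed for illustration, not the file from cli/cli)
version: 2
updates:
  # Go module dependencies declared in go.mod at the repository root
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of open update PRs so maintainers are not flooded
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"

  # Third-party actions referenced in .github/workflows/*.yml are dependencies too;
  # "/" tells Dependabot to scan the workflows under .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

This file drives Dependabot version-update PRs; Dependabot vulnerability alerts and security-update PRs are enabled separately in the repository's security settings.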
