
Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation lays out the challenges of open-source security and proposes a practical, automation-driven approach to addressing them.
  • Open-source adoption has accelerated over the last decade, but finding and fixing security vulnerabilities across the resulting dependency ecosystem remains a major challenge
  • The approach is broken down into three stages: discovery, triage, and remediation
  • Discovery involves finding vulnerabilities in libraries and mapping them, through direct and transitive dependencies, to the services that are actually impacted
  • Triage involves prioritizing and managing the resulting risk based on data-driven decisions rather than on raw vulnerability counts
  • Remediation involves fixing the vulnerabilities while ensuring that the upgraded dependency remains compatible and that service owners are enabled to apply the fix
  • Netflix's internal tool, Astrid, maps dependencies across services and identifies which services a given library affects
The speaker opens with the frustration of spending a week dealing with a serious remote code execution vulnerability in an open-source Java package, and argues for a process that responds faster, with less effort and less disruption.

Abstract

Over the last decade, there has been steady growth in the adoption of open-source components in modern web applications. Although this is generally a good trend for the industry, there are potential risks stemming from this practice that require careful attention. In this talk, we will describe a simple but pragmatic approach to identifying and eliminating open-source vulnerabilities in Netflix applications at scale. Our solution at Netflix is focused on identifying, triaging, and eliminating vulnerabilities in common software packages and their transitive dependencies.

This talk will cover the following topics:
  • A brief history of open-source security and vulnerabilities
  • Reasons why this attack surface is still a problem in modern open-source libraries
  • Methods that attackers use to exploit vulnerabilities in open-source libraries
  • Reasons why it is easy to carry out attacks against any organization

We will then explore how the Netflix AppSec team has worked to solve the problem at scale, describing the various stages in our automation strategy and the tools that we are using to help us achieve our goals.
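The discovery and triage stages described in the summary and abstract hinge on one operation: given an advisory for a library, walk every service's dependency tree, including transitive dependencies, and report which services are exposed and where the fix has to land. The following is an added illustration of that operation and is not Astrid or any Netflix code; the package names, service inventory and advisory are constructed for the example, and the advisory is a hypothetical version range rather than a real vulnerability.

```python
"""Map a library advisory to impacted services through transitive dependencies.

Added example, not the Astrid tool or Netflix's code. Every package, service
and advisory below is constructed for illustration only.
"""
from collections import deque
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)

    def affects(self, version: str) -> bool:
        return parse_version(self.introduced) <= parse_version(version) < parse_version(self.fixed)


# Constructed package manifests: (name, version) -> direct dependencies.
PACKAGES = {
    ("web-framework", "2.1.0"): [("json-parser", "1.4.2"), ("http-client", "3.0.1")],
    ("http-client", "3.0.1"): [("json-parser", "1.4.2")],
    ("json-parser", "1.4.2"): [],
    ("json-parser", "1.5.0"): [],
    ("metrics-lib", "0.9.0"): [],
}

# Constructed service inventory: name -> (direct dependencies, internet-facing?).
SERVICES = {
    "api-gateway": ([("web-framework", "2.1.0")], True),
    "batch-reporter": ([("json-parser", "1.5.0"), ("metrics-lib", "0.9.0")], False),
    "internal-admin": ([("http-client", "3.0.1")], False),
}

# Hypothetical advisory: json-parser < 1.5.0 is affected. Not a real CVE.
EXAMPLE_ADVISORY = Advisory("json-parser", "1.0.0", "1.5.0")


def resolve(direct_deps):
    """Breadth-first transitive closure: {(name, version): shortest path from the service}."""
    seen = {}
    queue = deque((dep, [dep]) for dep in direct_deps)
    while queue:
        node, path = queue.popleft()
        if node in seen:
            continue
        seen[node] = path
        for child in PACKAGES.get(node, []):
            queue.append((child, path + [child]))
    return seen


def discover(advisory, services=SERVICES):
    """Discovery stage: every service whose closure contains an affected version."""
    findings = []
    for service, (deps, exposed) in services.items():
        for (name, version), path in resolve(deps).items():
            if name != advisory.package or not advisory.affects(version):
                continue
            direct = len(path) == 1
            findings.append({
                "service": service,
                "exposed": exposed,
                "package": f"{name}@{version}",
                "direct": direct,
                "path": [f"{n}@{v}" for n, v in path],
                # A transitive hit is fixed by bumping (or overriding) the intermediary
                # that pulls it in, not by editing the service's own manifest.
                "fix_in": service if direct else path[-2][0],
                "fixed_version": advisory.fixed,
            })
    return findings


def triage(findings):
    """Triage stage: internet-facing first, then direct hits, then by name."""
    return sorted(findings, key=lambda f: (not f["exposed"], not f["direct"], f["service"]))


if __name__ == "__main__":
    for f in triage(discover(EXAMPLE_ADVISORY)):
        where = "direct" if f["direct"] else "transitive via " + " -> ".join(f["path"][:-1])
        print(f'{f["service"]} (exposed={f["exposed"]}): {f["package"]} {where}; '
              f'upgrade in {f["fix_in"]} to >= {f["fixed_version"]}')
```

Two points the output makes that a flat list of vulnerable libraries does not: batch-reporter is not reported, because it already runs a fixed version, and both real hits are transitive, so the remediation target is the intermediary library (web-framework, http-client), which is exactly where compatibility has to be checked before the upgrade is pushed.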
