How to hack and defend (your) open source
Would you like to take some practical insights from the leading company that’s in world Top 4 Open-source contributors list? There are no longer questions like “How often I reuse 3rd party tool or library in my day-to-day work?” Answer is clear – always: pypi, npm, etc. Sometimes you don’t even realize that because it’s natural, isn’t it? Let’s talk about common and unusual (may be hidden from public, but still interesting) technics of compromising your company’s assets in minutes because of unlimited power of today’s open source realm. I’ll share examples (you can use right away) of the most useful frameworks and tools that we utilize and that really helps even if you don’t have army of Security professional and your budget is tight. That also helps to tackle things from the “native developer environment” prospective. Usually, SW developers can find whether academic information (like tons of standards) or scattered data about how to consume 3rd parties securely and include essential security stuff to CI/CD pipeline. I know that it’s scary and doesn’t make sense, because I worked a lot with SMB and startups. That’s why besides “defend” part we’ll also address “hack part” to convince where the “actual” risk lives. Zero commercial or promotions – only practical cases, reals scenarios and the best tools.
-> Open source security: state of the art
-> Understanding risks you should focus on first
-> Industry frameworks that really works
-> Hack + Defend practical part for (one-by-one): Secure Sourcing; Secure Development; SBOMs/VEX; Build&Release
-> Bonus for the audience
Speaker
-
Roman ZhukovIntelRoman Zhukov is an experienced cybersecurity expert and engineer with over 15 years of industry experience. He is certified as an (ISC)2 CC (Certified in Cybersecurity) and possesses comprehensive knowledge in the Security Development Lifecycle (SDL), from architecture to DevSecOps and Incident Response. Through his involvement in business development, he successfully brought new products and services to market and managed complex security projects. His expertise also extends to advising customers on their cybersecurity strategy and leading Pentest and Appsec teams. Currently, Roman Zhukov works at Intel, where he serves as responsible for SW Security, helping teams grow in security and managing product security programs at Intel, recognized as the Intel Brown Belt in Security. Additionally, he is engaged in industry-wide open-source initiatives such as the Linux Foundation and is a member of several OpenSSF working groups. Roman Zhukov is a sought-after public speaker and security evangelist, as well as a respected trainer at universities and educational centers. He also serves as a mentor and consultant for startups.