To Patch Or Not To Patch
The Equifax Struts disaster happened because someone failed to patch. But the recent event-stream NPM incident came from an attacker carefully abusing NPM's built-in auto-patch mechanism (semantic-versioning ranges that pull newer patch releases in automatically at install time). In this AppSec talk I'll cover the historical causes of these patching problems. I'll conclude with some risk-balanced patching approaches I've seen employed by a handful of projects that I think show us the way forward for AppSec patching.
Attend this session to:
1. Learn about key moments in software engineering history where small decisions around versioning have created significant headaches for patching in the present day.
2. Learn the security and stability tradeoffs of always-patch vs. never-patch vs. balanced strategies.
3. Learn some tricks and tools for auditing your suppliers to see how well they are patching!
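The "auto-patch" behaviour the abstract refers to is the caret range in package.json: `^3.3.4` tells the installer to take the newest release below 4.0.0, so a freshly published patch is pulled in with no change to the manifest. The following is an added example, not material from the talk or from Mergebase, that implements npm's caret semantics in a few lines and shows the three strategies side by side: a caret range with no lockfile (always-patch), an exact pin (never-patch), and a caret range frozen by a lockfile (a balanced middle ground where upgrades are still one command away but never silent). The package name `widget-stream`, its version list, and the `installPlan` helper are constructed for illustration.

```javascript
// Added example (not from the talk): npm-style caret-range resolution and
// the effect of a lockfile. Package names, versions and registry contents
// below are constructed for illustration only.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]. Pre-release tags
// and build metadata are deliberately not handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// npm caret semantics: ^X.Y.Z permits updates that keep the left-most
// non-zero component fixed. ^1.2.3 => >=1.2.3 <2.0.0,
// ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Supports two range forms only: "^X.Y.Z" and an exact "X.Y.Z" pin.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lower = parseVersion(range.slice(1));
    return compareParsed(v, lower) >= 0 &&
      compareParsed(v, caretUpperBound(lower)) < 0;
  }
  return compareParsed(v, parseVersion(range)) === 0;
}

// Pick the highest published version that satisfies the range, or null.
function resolve(range, published) {
  const candidates = published.filter((v) => satisfies(range, v));
  if (candidates.length === 0) return null;
  return candidates.reduce((best, v) =>
    compareParsed(parseVersion(v), parseVersion(best)) > 0 ? v : best);
}

// Resolve every dependency in a manifest. A lockfile entry that still
// satisfies the declared range wins (the behaviour `npm ci` relies on);
// otherwise the newest matching version on the registry is chosen.
function installPlan(dependencies, registry, lockfile = {}) {
  const plan = {};
  for (const [name, range] of Object.entries(dependencies)) {
    const locked = lockfile[name];
    plan[name] = locked && satisfies(range, locked)
      ? locked
      : resolve(range, registry[name] || []);
  }
  return plan;
}

// Constructed registry state before and after a new patch release appears.
const REGISTRY_BEFORE = { 'widget-stream': ['3.3.4', '3.3.5'] };
const REGISTRY_AFTER = { 'widget-stream': ['3.3.4', '3.3.5', '3.3.6'] };

const MANIFEST_CARET = { 'widget-stream': '^3.3.4' };
const MANIFEST_PINNED = { 'widget-stream': '3.3.4' };

// Lockfile captured back when 3.3.5 was the newest release.
const LOCKFILE = installPlan(MANIFEST_CARET, REGISTRY_BEFORE);

console.log('caret, no lockfile  :', installPlan(MANIFEST_CARET, REGISTRY_AFTER));
console.log('caret, with lockfile:', installPlan(MANIFEST_CARET, REGISTRY_AFTER, LOCKFILE));
console.log('exact pin           :', installPlan(MANIFEST_PINNED, REGISTRY_AFTER));
```

Run with `node` and the first line shows the newly published 3.3.6 being installed without anyone having touched package.json; the lockfile variant stays on 3.3.5 until someone deliberately regenerates the lock, and the pin never moves. Real installs also have to deal with transitive dependencies, pre-release tags and `~` ranges, none of which this toy resolver covers.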
Speaker's Bio: Julius Musseau (@juliusmusseau) is the CTO and Co-Founder at Mergebase Software Inc., a Vancouver-based cyber defense startup focused on securing software supply chains. Julius is an active software engineer and Apache committer with 15 years' experience. Previously Julius maintained back-end payment, messaging, and online banking software for the Canadian credit union sector. Julius is 100% to blame for CVE-2014-3604.