Source: GoogleSec (Google Security Blog)
Identifier: 8383846
Publication date: 2023-09-15 14:11:38 (viewed: 2023-09-15 20:06:13)
Title: Capslock: What is your code really capable of?
Text: Jess McClintock and John Dethridge, Google Open Source Security Team, and Damien Miller, Enterprise Infrastructure Protection Team

When you import a third-party library, do you review every line of code? Most software packages depend on external libraries, trusting that those packages aren't doing anything unexpected. If that trust is violated, the consequences can be huge, regardless of whether the package is malicious or well-intended but using overly broad permissions, as with Log4j in 2021. Supply chain security is a growing issue, and we hope that greater transparency into package capabilities will help make secure coding easier for everyone.

Avoiding bad dependencies can be hard without appropriate information on what the dependency's code actually does, and reviewing every line of that code is an immense task. Every dependency also brings its own dependencies, compounding the need for review across an expanding web of transitive dependencies. But what if there were an easy way to know the capabilities (the privileged operations accessed by the code) of your dependencies?

Capslock is a capability analysis CLI tool that informs users of privileged operations (like network access and arbitrary code execution) in a given package and its dependencies. Last month we published the alpha version of Capslock for the Go language, which can analyze and report on the capabilities that are used beneath the surface of open source software.
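As an added illustration of the transitive-capability idea, and not code from the Capslock project, the Go program below performs a deliberately simplified capability analysis. It parses the import block of each package in a small constructed module (hypothetical path example.com/app, embedded as strings so it runs offline), maps a handful of standard-library imports to capability classes (an assumed mapping chosen for this example, not Capslock's taxonomy), and then walks the in-module import graph from the root package so that every capability is reported together with the import chain through which the root acquires it. A dependency whose source is missing is reported as an error rather than silently treated as capability-free. Capslock itself analyses the call graph rather than imports alone, so it can distinguish an import that is only used for a constant from one whose privileged functions are actually reached; this example shows only the propagation step.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Capability class implied by an import (assumed for this example; not Capslock's taxonomy).
var importCapabilities = map[string]string{
	"net/http": "NETWORK",
	"os":       "FILES",
	"os/exec":  "EXEC",
	"unsafe":   "UNSAFE_POINTER",
}

// Constructed module (hypothetical path example.com/app), one file per package, embedded so this runs offline.
var sampleSources = map[string]string{
	"example.com/app": `package app
import ("fmt"; "os"; "example.com/app/telemetry")
func Run() { fmt.Println(os.Getenv("HOME"), telemetry.Send()) }`,
	"example.com/app/telemetry": `package telemetry
import ("net/http"; "example.com/app/telemetry/internal/shell")
func Send() string { http.Get("http://localhost/"); return shell.Hostname() }`,
	"example.com/app/telemetry/internal/shell": `package shell
import "os/exec"
func Hostname() string { out, _ := exec.Command("hostname").Output(); return string(out) }`,
}

// directCapabilities parses one file's import block (function bodies are skipped) and returns the
// capability classes its imports imply plus its imports of packages under modulePrefix.
func directCapabilities(src, modulePrefix string) (map[string]bool, []string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "", src, parser.ImportsOnly)
	if err != nil {
		return nil, nil, err
	}
	caps := map[string]bool{}
	var local []string
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if c, ok := importCapabilities[path]; ok {
			caps[c] = true
		}
		if strings.HasPrefix(path, modulePrefix) {
			local = append(local, path)
		}
	}
	return caps, local, nil
}

// transitiveCapabilities walks the in-module import graph depth first from root, visiting each
// package once, and returns for each capability the import chain(s) through which root reaches it.
func transitiveCapabilities(sources map[string]string, modulePrefix, root string) (map[string][]string, error) {
	report := map[string][]string{}
	visited := map[string]bool{}
	var walk func(pkg string, path []string) error
	walk = func(pkg string, path []string) error {
		if visited[pkg] {
			return nil
		}
		visited[pkg] = true
		src, ok := sources[pkg]
		if !ok {
			return fmt.Errorf("no source for dependency %s (cannot vouch for its capabilities)", pkg)
		}
		caps, deps, err := directCapabilities(src, modulePrefix)
		if err != nil {
			return err
		}
		chain := append(append([]string(nil), path...), pkg) // fresh slice so sibling walks never alias
		for c := range caps {
			report[c] = append(report[c], strings.Join(chain, " -> "))
		}
		for _, d := range deps {
			if err := walk(d, chain); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(root, nil); err != nil {
		return nil, err
	}
	return report, nil
}

func main() {
	report, err := transitiveCapabilities(sampleSources, "example.com/app", "example.com/app")
	if err != nil {
		panic(err)
	}
	for c, chains := range report {
		fmt.Println(c, "via", strings.Join(chains, "; "))
	}
}
```

Running it shows that the root package reaches EXEC only through example.com/app/telemetry and its internal shell helper, which is exactly the kind of path a reviewer would otherwise have to discover by reading the dependency's source; the prefix check is what keeps the walk inside the analysed module, so a real tool would resolve external module paths from go.mod instead.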
Tags: Tool, Vulnerability