Open-source has taken over the world of software and now makes up the majority of code found in everything from phones to banks, but reusable code also means reusable vulnerabilities and bad actors are increasingly exploiting vulnerabilities in open-source code and now inserting malware upstream into libraries used by millions of developers.
Software security in an open-source world needed a fundamentally different approach to finding security issues than the traditional tools and techniques used downstream by developers or researchers. SourceClear has developed a domain specific language called the Security Graph Language and will be open-sourcing the language specification and a reference architecture later this year so that security researchers can start hunting for bugs in open-source at scale.
Mark Curphey will explain the growth in open-source, the vulnerabilities and malware we are seeing today and the demo some attacks like web app ransomware we will see in the near future. With the help of Dr Asankhaya Sharma they will then demo the Security Graph Language and live hunt for new bugs across the Java library ecosystem.