Everyone uses open source software (OSS), but it comes with a cost: the cost of vulnerabilities and malware. Malware sprawl in the OSS ecosystem has increased by over 700% since 2022. Vulnerabilities in unmaintained or unpopular libraries become high-risk security debt for the software development teams that consume them. While many organizations have an OSS component vetting process in place, such processes are rarely effective because of the sheer volume of components brought in as direct and transitive dependencies. To be effective, the process needs to be automated, contextual, and able to mature over time. This is what `vet`, a free and open source tool, intends to solve.
In this workshop, participants will learn to identify risky OSS components and set up policy-driven guardrails to protect against such risks. In particular, they will experience:
- A real-world example of malicious open source library and its reverse engineering
- Using `vet` to identify risky open source components using custom policy as code
- Automating OSS component vetting in CI/CD (GitHub Actions) using `vet-action`
- Writing `vet` policies using Common Expressions Language (CEL)
- Forking, hacking and contributing to `vet`
- Use and contribute to `vet`: https://github.com/safedep/vet
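As an added example (not code from `vet` or SafeDep), the block below models the policy-as-code gating the workshop covers: every direct and transitive dependency is walked once, each policy rule is a predicate over a hypothetical package schema, and every violation is reported with the path back to the direct dependency that pulled the component in, which is the context a team needs to act on a finding. `vet` itself expresses such rules in CEL over its own enrichment data; the package fields, rule names and sample packages here are constructed for illustration.

```python
"""Policy-driven vetting over a dependency graph (added example, not vet's code).
The Package schema and the sample manifest are hypothetical/constructed."""
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    version: str
    critical_vulns: int = 0       # count of known critical vulnerabilities
    maintained_score: int = 10    # 0-10, think OpenSSF Scorecard "Maintained"
    license: str = "MIT"
    deps: list = field(default_factory=list)


# Policy as code: rule name -> predicate that is True when the package violates it.
POLICY = {
    "critical-vulnerability": lambda p: p.critical_vulns > 0,
    "unmaintained": lambda p: p.maintained_score < 3,
    "license-denied": lambda p: p.license in {"AGPL-3.0", "SSPL-1.0"},
}


def walk(roots):
    """Yield (package, path) for direct and transitive deps, each name@version once."""
    seen, stack = set(), [(r, [r.name]) for r in roots]
    while stack:
        pkg, path = stack.pop()
        key = (pkg.name, pkg.version)
        if key in seen:           # also protects against dependency cycles
            continue
        seen.add(key)
        yield pkg, path
        for dep in pkg.deps:
            stack.append((dep, path + [dep.name]))


def vet(roots, policy=POLICY):
    """Return violations as (rule, name@version, path from the direct dependency)."""
    return [(rule, f"{p.name}@{p.version}", " -> ".join(path))
            for p, path in walk(roots) for rule, pred in policy.items() if pred(p)]


# Constructed sample manifest: two direct deps, one shared abandoned transitive dep,
# and one transitive dep carrying a critical vulnerability.
tiny_pad = Package("tiny-pad", "1.3.0", maintained_score=1)
lookalike = Package("colorz-lookalike", "0.0.1", critical_vulns=1)
SAMPLE_ROOTS = [Package("acme-http", "4.18.2", deps=[tiny_pad]),
                Package("ui-colors", "5.3.0", deps=[lookalike, tiny_pad])]


def demo():
    return vet(SAMPLE_ROOTS)
```

In CI the return value of `vet()` is what a guardrail would fail the build on; an empty list means the manifest passes the policy.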
Abhisek is the creator and maintainer of `vet`, a free and open source tool for policy-driven vetting of OSS dependencies. He is currently building SafeDep, a company focused on making OSS safe and trusted for software development teams.