Proposal Presentation Week 6 - updated (#2525)

* Demo request Week 4 By Jkuo and Vanjav * Demo request Week 4 Josephine Kuo and Vanja Vidmark * Proposal Demo Week 4 * Proposal Demo week4 * Proposal demo week 4 * Proposal Demo Week 4 * Proposal Presentation Week 6 * Proposal Presentation Week 6 * Updated proposal presentation week 6
KTH · Sep 26, 2024 · 1f51eda · 1f51eda
1 parent 9a64eee
commit 1f51eda
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/contributions/presentation/week6/jkuo-vanjav/README.md b/contributions/presentation/week6/jkuo-vanjav/README.md
@@ -0,0 +1,30 @@
+# Assignment Proposal
+
+## Title
+The event stream incident - vulnerabilities of open source dependencies and possible mitigations. 
+
+## Names and KTH ID
+
+  - Josephine Kuo ([email protected])
+  - Vanja Vidmark ([email protected])
+
+## Deadline
+
+- Week 6
+
+## Category
+
+- Presentation
+
+## Description
+
+We are going to bring light to the topic of using third party libraries without caution, using the event stream incident as an example. We will highlight some key reasons for these attacks such as blind trust, handing over projects insecurely, non-present security checks and the tradeoff between security and openness. 
+
+We will then go over three mitigations to resolve this issue. 
+- Dependency pinning. That is to require specific versions of libraries, rather than ranges to prevent auto-updates from pulling in malicious versions.
+- Using lockfiles (such as package-lock.json in NPM) to record the exact versions of installed packages, minimizing the risk of unintended updates.
+- Scanning for known vulnerabilities in the dependencies using npm audit. 
+
+**Relevance**
+
+In DevOps, automation often relies on third-party libraries, and this incident demonstrates the vulnerability of open-source dependencies. Ensuring the security of external code is crucial, as compromised libraries can introduce security risks into the CI/CD pipeline without immediate detection.