September 13-16, 2022
Dublin, Ireland + Virtual
Wednesday, September 14 • 16:50 - 17:00
Lightning Talk: Scoring Dependencies to Detect “Weak Links” in your Open-source Software Supply Chain - Ashish Bijlani, Ossillate, Inc.

From a benign left-pad beginning to recent protestware, software supply chain attacks on open-source package managers such as NPM and PyPI have grown manifold. Bad actors today leverage highly sophisticated techniques such as typo-squatting, repo-jacking, and social engineering to "supply" malicious dependencies. Yet, there is no robust way to measure such risks.

This talk will present PACKJ, an open-source, data-driven tool that scores dependencies to measure their potential supply chain risk. It checks for several risky code and metadata attributes that either indicate malware or leave a package exposed to typo-squatting and account hijacking attacks. These attributes were empirically identified in our study of 651 publicly documented malicious packages. Risk scores can be customized to match the threat model. Using PACKJ, we have already identified several abandoned and malicious packages. This presentation will include a brief demo and highlight our findings.
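To make the scoring idea concrete, here is an added illustration (not PACKJ's own code) of a weighted risk scorer over package metadata: each check maps to a named risk, and the weights are swapped per threat model. The package records, the list of "popular" names used for the typo-squat check, and the weights are all constructed for the example.

```python
"""Toy dependency risk scorer in the spirit of the talk (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed set of well-known names that a typo-squat would imitate.
POPULAR = {"requests", "urllib3", "numpy", "django"}

# Default weights; a team tunes these to its own threat model.
DEFAULT_WEIGHTS: Dict[str, int] = {
    "typosquat": 5, "abandoned": 3, "single_maintainer": 2,
    "no_repo": 2, "install_script": 4,
}
# Example alternative: a CI-focused model that fears install-time code most.
CI_WEIGHTS: Dict[str, int] = {**DEFAULT_WEIGHTS, "install_script": 8, "abandoned": 1}


@dataclass
class PackageMeta:
    name: str
    last_release: date
    maintainers: int
    has_repo_url: bool
    runs_install_script: bool


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (one adjacent transposition counts as 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_risks(pkg: PackageMeta, today: date, popular=POPULAR) -> List[str]:
    """Return the names of the risk attributes that fire for this package."""
    risks = []
    # Name is one or two edits away from a popular package but is not that package.
    if pkg.name not in popular and any(1 <= edit_distance(pkg.name, p) <= 2 for p in popular):
        risks.append("typosquat")
    if (today - pkg.last_release).days > 730:   # no release in two years
        risks.append("abandoned")
    if pkg.maintainers <= 1:                    # single point of account compromise
        risks.append("single_maintainer")
    if not pkg.has_repo_url:                    # code cannot be traced to a source repo
        risks.append("no_repo")
    if pkg.runs_install_script:                 # runs arbitrary code at install time
        risks.append("install_script")
    return risks


def risk_score(pkg: PackageMeta, today: date, weights=DEFAULT_WEIGHTS) -> int:
    """Weighted sum of the fired risk attributes under the chosen threat model."""
    return sum(weights[r] for r in find_risks(pkg, today))
```

A package whose score crosses a team-chosen threshold is flagged for manual review rather than blocked outright, since individual attributes (a lone maintainer, say) are common in healthy projects too.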


Ashish Bijlani

Research Scientist, Ossillate, Inc.
Ashish is a published author and researcher with a Ph.D. in Computer Science from Georgia Institute of Technology and extensive experience in building secure systems software from the ground up. He has worked in the industry for over a decade, coupled with nearly a decade of top-tier...

Slides (PDF)

Wednesday September 14, 2022 16:50 - 17:00 IST
Wicklow Meeting Room 2 (Level 2)