BSides Oslo 2021: Digital edition on June 8th, 2021 - Dependency Confusion Deep Dive

Dependency Confusion Deep Dive

  • Scheduled: 12:10 (UTC+2)

Dependency Confusion caused quite a stir when it was made public in February 2021. It affects companies that run their own internal package repositories, such as Artifactory and Sonatype Nexus. The attack works by tricking a package repository like Artifactory into serving a malicious upstream package instead of the internal package of the same name. In this talk we will dive into how Schibsted has mitigated this attack vector.
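As an added illustration (not code from the talk, from Schibsted or from Artishock), the following Python models a virtual repository that merges an internal repo with a public upstream: naive highest-version resolution picks the upstream copy of an internally named package, while reserving internal names keeps resolution on the internal source. All package names and versions are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str  # "internal" or "upstream"

# Constructed sample data: what a virtual repository sees after merging the
# internal repo with the public upstream. The upstream copy of corp-auth-client
# stands in for a package someone published publicly under the internal name
# with an inflated version number.
CANDIDATES = [
    Candidate("corp-auth-client", "1.4.2", "internal"),
    Candidate("corp-logging", "2.0.0", "internal"),
    Candidate("corp-auth-client", "99.0.0", "upstream"),
    Candidate("requests", "2.31.0", "upstream"),
]

def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def internal_names(candidates) -> set:
    """Names the organisation publishes internally; these must never come from upstream."""
    return {c.name for c in candidates if c.source == "internal"}

def shadowed_names(candidates) -> set:
    """Internal names that also exist upstream: the exposure check a tool like Artishock performs."""
    return internal_names(candidates) & {c.name for c in candidates if c.source == "upstream"}

def resolve(name: str, candidates, reserve_internal: bool = False) -> Candidate:
    """Highest version wins across all sources (the naive merge that enables confusion).
    With reserve_internal=True, upstream is excluded for internal names (the mitigation)."""
    pool = [c for c in candidates if c.name == name]
    if reserve_internal and name in internal_names(candidates):
        pool = [c for c in pool if c.source == "internal"]
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: parse_version(c.version))

if __name__ == "__main__":
    print("exposed internal names:", shadowed_names(CANDIDATES))
    print("naive resolution:", resolve("corp-auth-client", CANDIDATES))
    print("mitigated resolution:", resolve("corp-auth-client", CANDIDATES, reserve_internal=True))
```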

Stian Kristoffersen

Stian builds security tools in Schibsted’s Product and Application Security Team. Two of his Schibsted projects are open source: a dependency confusion tool called Artishock, and a secret manager called Strongbox.