Liran Tal

Israel

Hi lovely human! happy to meet you 🤗 I'm strongly passionate about open source software since an early age, and enjoy mentoring, and empowering others in the community. I'm a Director of Developer Advocacy at Snyk & Node.js Foundation Ecosystem Security Working Group 🥑 Node.js has been a love at first sight for me since 2014 when I joined to lead development on the MEAN.js framework (https://github.com/meanjs/mean). A big passion of mine is creating Node.js command line applications, and actively advocating for web security through my work at Snyk, OWASP and the Node.js Foundation. 🚤 Creator of Gigsboat (https://github.com/gigsboat/cli) ✍️ Author of Essential Node.js Security (http://bit.ly/securenodejs) ✍️ Author of O'Reilly Serverless Security (http://bit.ly/serverless-clad) 🔥 Author of Node.js CLI Best Practices (http://bit.ly/nodejs-cli) 🦸‍♂️ Ambassador at foundations such as OpenSSF, Node.js Foundation's Ecosystem Security working group 🥑 DevRel at Snyk.io

Community Contributions

Latest Blog posts Open source Video/Podcast Speaking Articles Event organization Hackathon Forum

The maintainer's CI workflows recipe for a peaceful open source life

Participating in 2021's GitHub Actions hackathon together with Dev.to and the DEV community to create workflows for maintainers and better open source life Hackathon: https://dev.to/devteam/join-us-for-the-2021-github-actions-hackathon-on-dev-4hn4 My application: https://dev.to/lirantal/the-maintainers-ci-workflows-recipe-for-a-peaceful-open-source-life-157m

Hackathon / 11-30-2021

react-suspended-vulnerable-application

I built a vulnerable React application that has many security issues both due to outdated vulnerable dependencies but also due to insecure coding practices. My hope is that this work that I open sourced will be fruitful for developers to skill up on their security knowledge, and in particular in writing secure React codebases. My premise for this open source GitHub repository: Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.

Open source project / 11-27-2021

Member of the Pull Request Israeli open source community

Participating in the local Israeli community named Pull Request which help developers get involved in open source. It does so by organizing workshops to build and contribute to projects, inviting guest lectures, and connecting them with others to create products on top of open source projects.

Hackathon / 11-20-2021

NodeTLV Conference organization comittee

It was a great pleasure and honor to join the local Israeli community members who love Node.js and help organize the NodeTLV conference. Worked out on the CFP, reviewed speaker talks, and helped out with sourcing folks to join the conference as speakers.

Event organization / 11-15-2021

How to effectively detect and mitigate Trojan Source attacks in JavaScript codebases with ESLint

With the Trojan Source attack hitting the news in November of 2021, I wrote an article that promotes the use of free and open source tools that live on GitHub repositories where developers and DevOps engineers can run them as part of their dev/CI process to help prevent such security incidents in their codebases.

Article/Publication / 11-09-2021

eslint-plugin-anti-trojan-source

ESLint plugin to detect and stop Trojan Source attacks from entering your codebase. If you're unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository. This ESLint plugin is based on the library and command-line tool anti-trojan-source.

Open source project / 11-06-2021

anti-trojan-source

Detect trojan source attacks that employ unicode bidi attacks to inject malicious code. Why is Anti Trojan Source important? The following publication on the topic of unicode characters attacks, dubbed Trojan Source: Invisible Vulnerabilities, has caused a lot of concern from potential supply chain attacks where adversaries are able to inject malicious code into the source code of a project, slipping by unseen in the code review process. For more information on the topic, you're welcome to read on the official website trojansource.codes and the following source code repository which contains the source code of the publication.

Open source project / 11-05-2021

Gigsboat - Track your speaking activities all within your GitHub opensource repository!

Do you have a boatload of speaking gigs? Use the gigsboat CLI to manage them all via GitHub in the open source way! Gigsboat is a GitHub-driven approach to manage your speaking activities. Anything from podcasts, conference talks to webinars, it's all tracked using an open source repository with automation around it. With Gigsboat you own your data by keeping track of your speaking engagements using simple YAMLs in a GitHub repository, then a GitHub Actions workflow kicks in with a special CLI (@gigsboat/cli), and transforms them into a beautiful markdown format as your repo’s README, and spices it up with visual badges for stats It utilizes a special GitHub Repository Templates to allow anyone to kickstart their own public speaking repo super fast and hassle-free. Here’s my own public speaking repository based on gigsboat: https://github.com/lirantal/public-speaking

Open source project / 10-22-2021

Related Stars