
October meetup: What's in your AI code?

Hosted By
Nathan L. and 2 others

Details

What's in your AI code? Learn why every SCA tool is wrong, and how to deal with it.
Darren Meyer, Staff Research Engineer, Endor Labs

With the rise of AI fueled by Python-based libraries, it has become of paramount importance to scan Python-based projects and their dependencies for OSS vulnerabilities. Python relies on package managers like pip or conda to manage declared dependencies. Dependencies are declared in manifest files, which the package manager uses to install the correct version of each required dependency. However, Python's dependency management system, coupled with its dynamically typed nature, makes it an especially challenging language to deal with.

Of particular focus is the phenomenon of phantom dependencies, which are dependencies that go unreported in a project's manifest. These hidden dependencies are often provided dependencies, which is especially true for libraries such as tensorflow and pytorch that are essential for AI. They challenge software composition analysis (SCA) of Python code and impact the reliability of vulnerability results.

Approximate agenda (U.S. Central Time):
5:30 - Doors open; socializing/connecting, food, OWASP announcements
6:00 - Presentation

Please remember to register and keep your registration up to date so we know how many to expect.

OWASP MSP Chapter
6160 Summit Dr N · Brooklyn Center, MN