by TheRealDunkirk 1348 days ago
If "your IT team" has merely created a snapshot of an external repo, how is this any more "secure?" I've asked a similar question below. I really want to understand the thinking here. No IT department is going to go line-by-line through all the packages in "artifactory" or Ruby gems or NPM packages or NuGet's repo, checking them all against known vulnerabilities. No one's going to vet the actual code. If there's a public advisory for one of the packages, the parent repo is going to fix it first, and the internal repo may already be compromised, and the "IT team" is going to have to duplicate the work that the repo runners are already doing, and do it slower. I'm lost here.

There are IT security vendors that provide static code analysis and scanning for known signatures, that can detect and block malicious packages. Just target SCA at local artifactory and this will be a solved problem. CISO just needs to buy a solution and IT admins just need to deploy that software once and it will keep scanning. Absolutely no extra work from meatbags is required.
> Absolutely no extra work from meatbags is required

Unfortunately this is rarely true in practice. There is always some degree of friction or error that ought to be managed; ignoring it is how shadow IT proliferates, e.g. a dev is tired of their builds failing due to a false positive and decides to circumvent artifactory altogether.

You're spot-on otherwise.

So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

It seems that Microsoft has built an internal tool that runs such a scan on NuGet (https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packa...), at least against your individual app's packages. (That would be a very rare h/t to Microsoft from me.)

EDIT: Apparently, you can also do this with npm packages (https://docs.npmjs.com/auditing-package-dependencies-for-sec...). I don't see any facility to do this with Ruby gems.

It looks like the common practice would be to outsource the issue database to GitHub, and let whatever scanner you're using cross-reference that list?

What happens when it finds a reported problem? Does it automatically delete that mirrored package, and/or block it from being downloaded or used from the on-prem repo?

This is all new to me, and has helped put this in context, but what actual software are you talking about using for analysis?

EDIT EDIT: Running `yarn audit` in my main Rails app (just using webpacker to bundle the JS):

    97 vulnerabilities found - Packages audited: 1074
    Severity: 2 Low | 34 Moderate | 52 High | 9 Critical

I just did a `yarn upgrade` about a week ago, so it's not like I'm completely out of date. What would a centrally-managed SCA do about this situation?
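One concrete answer to "what happens when it finds a reported problem" is a policy gate that consumes the audit output and decides whether to block, with reviewed exceptions so a known false positive does not push developers to bypass the internal mirror. The following is an added example, not code from anyone in this thread; it assumes yarn v1's `yarn audit --json` line-delimited record layout and uses constructed sample advisories.

```python
import json
from collections import Counter

# Constructed sample of `yarn audit --json` output. Yarn v1 emits one JSON
# object per line; the field layout below is assumed, not taken from the thread.
SAMPLE_AUDIT = """\
{"type":"auditAdvisory","data":{"resolution":{"id":1001},"advisory":{"id":1001,"module_name":"example-a","severity":"critical","title":"constructed"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1002},"advisory":{"id":1002,"module_name":"example-b","severity":"high","title":"constructed"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1003},"advisory":{"id":1003,"module_name":"example-c","severity":"moderate","title":"constructed"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1004},"advisory":{"id":1004,"module_name":"example-d","severity":"low","title":"constructed"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":1,"critical":1},"dependencies":4}}
"""

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_advisories(ndjson):
    """Return the advisory dicts from yarn's line-delimited audit output."""
    advisories = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") == "auditAdvisory":
            advisories.append(rec["data"]["advisory"])
    return advisories


def gate(ndjson, fail_on="high", accepted_ids=()):
    """Decide whether a build (or a mirror sync) should be blocked.

    fail_on: lowest severity that blocks (anything below is reported only).
    accepted_ids: advisory ids a human reviewed and accepted as a false
    positive or time-boxed exception; they are listed but do not block.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, accepted, below = [], [], Counter()
    for adv in parse_advisories(ndjson):
        sev = adv["severity"]
        if SEVERITY_RANK.get(sev, 0) < threshold:
            below[sev] += 1
        elif adv["id"] in accepted_ids:
            accepted.append(adv)
        else:
            blocking.append(adv)
    return {"blocked": bool(blocking), "blocking": blocking,
            "accepted": accepted, "below_threshold": dict(below)}


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_AUDIT, accepted_ids={1002}), indent=2))
```

The same gate can run in CI against the app's own lockfile or as a hook in front of the on-prem mirror; the exceptions list is what keeps a false positive from becoming a reason to route around the mirror.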
> So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

I could talk at length about this; unfortunately, I'm on my phone with a spotty connection.

The tl;dr is that companies like Snyk make money by requiring companies to pay to check for vulnerabilities once they've been downloaded. There's not necessarily anything wrong with that, but a philanthropic company could make things significantly safer for everyone if they weren't concerned about making money. Initiatives like the OSSF will hopefully have a positive impact, for this reason.

You need money to staff people with security knowledge who constantly keep the product up to date with the latest malicious signatures in all codebases.

This is why only a commercial company can build a great product. The constant cat and mouse game between threat actors and defenders/researchers. Every new malware/trojan/cryptominer strain needs to be found, identified, a signature written, and all clients need to get the latest signatures asap, and the product has to work flawlessly with as few false positives as possible.

> You need money to staff people with security knowledge who constantly keep the product up to date with the latest malicious signatures in all codebases.

Of course; it's just funny to think about how much money gets spent detecting and fixing things downstream instead of fixing it at the source.