Ask HN: How do you defend against supply chain attacks today? | HN Mirror

Y	Hacker News new \| ask \| show \| jobs

	Ask HN: How do you defend against supply chain attacks today?
	5 points by elric 32 days ago
	Seems like software supply chain attacks have been increasing in speed, scope, and complexity of late. Especially in NPM and PyPi packages. How are people defending against this increased threat? Relying on dependency scanners seems way too slow now. Automagically updating to the latest & greatest is likely to include the latest & greatest malware. Auditing every version of every dependency in use is going to be a costly affair.

2 comments

ggeorgovassilis 32 days ago

On two levels: architecture and understanding. Architecture: I divide the solution components of my architecture into two groups: the ones where a security breach spills over their scope and the ones where it doesn't. For the first category (eg. network- or user-facing), dependencies will be limited as much as possible, meaning I'll forgo convenience and features. I'll pick LTS or older versions with no known vulnerabilities. The second category is locked up in containers with minimal connectivity, with on-demand run-time schedules. Understanding: depending on risk and importance, I actually check out a dependency's source code and have an AI review it. Then rebuild and self-host.

Edit: this approach sounds like it could be bundled into a couple of agents.

elric 32 days ago

I wasn't expecting any architectural answers when I asked the question (not that I knew what to expect, hence the question), but I'm adding this one to my list of "why architecture matters".

tuananh 32 days ago

You can setup local proxy registry. set policy for the registry to set cool down period (7-14 days maybe). That will at least limit some of the blast radius

josteinhylin 32 days ago

Lol