Ask HN: Pragmatic way to avoid supply chain attacks as a developer
The article addresses the security risks of managing software dependencies, highlighting a specific incident of a compromised package. It debates the effectiveness of containers versus VMs and seeks practical solutions.
The article discusses the challenges of managing software dependencies, particularly in the context of security vulnerabilities that can arise from using packages from repositories like npm and PyPI. It highlights a specific incident where a compromised package uploaded users' SSH keys to an attacker, emphasizing the risks associated with dependency chains. The text questions the effectiveness of common solutions such as using containers or virtual machines (VMs) and seeks practical workflows that minimize performance issues and inconvenience. It raises important considerations regarding the choice between containers and VMs, the selection of virtualization software, and whether to isolate environments for each project or consolidate multiple low-value projects into a single VM. The author invites insights from those who have successfully implemented these strategies in real-world scenarios.
- Managing software dependencies poses significant security risks.
- Compromised packages can lead to severe data breaches.
- The effectiveness of containers versus VMs for isolation is debated.
- Practical workflows are needed to balance security and performance.
- Insights from experienced users are sought for effective implementation.
Related
Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum
A threat actor is selling an unverified npm vulnerability for account takeover on BreachForums. npm has not confirmed the vulnerability. The dark web forum's reputation for cybercrime raises doubts. npm Registry is a prime target for attacks, emphasizing the need for security measures like enabling 2FA and code review.
Projects considered harmful – Part 1
Software development projects often prioritize time and budget over quality, leading to compromised dependability. Project managers focus on meeting objectives, neglecting software quality. Reevaluating project management practices is crucial for software dependability.
Ask HN: Should a risk assessment list all dependent tools?
The Crowdstrike incident highlights the need for IT analysts to effectively communicate third-party service risks to leadership, advocating for structured risk assessments to inform decision-making on risk management strategies.
Number of incidents affecting GitHub, Bitbucket, Gitlab and Jira is rising
Incidents on major development platforms like GitHub, Bitbucket, GitLab, and Jira are rising, with GitHub up 21% in 2023, highlighting security challenges and the need for better collaboration in DevSecOps.
Public JavaScript CDNs are useless and dangerous
Reliance on public CDNs is problematic due to security, privacy, and reliability issues. Self-hosting dependencies and private caching CDNs are recommended to enhance control and performance while mitigating risks.
Some examples of how we do it:
- Devs can only use hardened (by us) Docker images hosted inside our infrastructure. Policies enforce this during CI and runtime on clusters.
- All Maven/PIP/NodeJS/etc. dependencies are pulled through via proxy and scanned before first use. All future CI jobs pull from this internal cache.
- Only a handful of CI runners have outbound connectivity to the public internet (via firewalls). These runners have specific tags for jobs needing connectivity. All other runners pull dependencies / push artefacts from within our network.
- The CI Runners with Internet connectivity have domains whitelisted at the firewall level, and so far very few requests have been made to add new domains.
- External assets, e.g. an OpenJDK artefact, have their checksums validated during the build stage of our base images. This checksum is included in Docker image metadata should we wish to download the asset again and compare against the public one.
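One way to check the proxy-only rule from the list above as a CI gate, shown here as an added example that is not the commenter's own tooling: it audits a parsed npm `package-lock.json` (lockfileVersion 2 or 3) and flags any entry that does not resolve from the internal proxy or lacks a sha512 integrity hash. The host `npm.proxy.internal.example`, the function name and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: lockfile policy check for a "dependencies only via internal proxy" rule.
const INTERNAL_REGISTRY_HOST = "npm.proxy.internal.example"; // placeholder host (assumption)

function auditLockfile(lock, allowedHost = INTERNAL_REGISTRY_HOST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace symlinks, and deps shipped inside a parent tarball.
    if (path === "" || entry.link || entry.inBundle) continue;
    const name = path.replace(/^.*node_modules\//, "");
    let url = null;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ name, issue: "missing or unparseable resolved URL" });
    }
    if (url && url.protocol !== "https:") {
      // Catches git+ssh:, http:, file: and similar sources that bypass the proxy scan.
      findings.push({ name, issue: `non-https source (${url.protocol})` });
    } else if (url && url.hostname !== allowedHost) {
      findings.push({ name, issue: `resolved from ${url.hostname}` });
    }
    if (!/^sha512-/.test(entry.integrity || "")) {
      findings.push({ name, issue: "missing or weak integrity hash" });
    }
  }
  return findings;
}

// Constructed sample lockfile; hashes are dummy values.
const proxy = `https://${INTERNAL_REGISTRY_HOST}`;
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { resolved: `${proxy}/left-pad/-/left-pad-1.3.0.tgz`, integrity: "sha512-AAAA" },
    "node_modules/direct-fetch": { resolved: "https://registry.npmjs.org/direct-fetch/-/direct-fetch-2.0.0.tgz", integrity: "sha512-BBBB" },
    "node_modules/git-dep": { resolved: "git+ssh://git@github.com/example/git-dep.git#0000000" },
    "node_modules/a/node_modules/old-hash": { resolved: `${proxy}/old-hash/-/old-hash-0.1.0.tgz`, integrity: "sha1-CCCC" },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.name}: ${f.issue}`);
```

A non-empty result would fail the job; the firewall rules described in the list remain the actual enforcement point, and this check only surfaces violations earlier.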
With this in mind:
- https://qubes-os.org - Use separate VMs for separate domains. Use disposable VMs for temporary sessions.
- https://github.com/legobeat/l7-devenv - My project. Separate containers for IDE and (ephemeral) code-under-test. Transparent access to just the directories needed and nothing else, without compromising on performance and productivity. Separation of authentication token while transparent to your scripts and dev-tools. Editor add-ons are pinned via submodules and baked into the image at build-time (and easy to update on a rebuild). Feedback very welcome!
- In general, immutable distros like Fedora Silverblue and MicroOS (whatever happened to SUSE ALP?) are also worth considering, to limit persistence. Couples well with a setup like the one I linked above.
- Since you seem to be in a Node.js context, I should also mention @lavamoat/allow-scripts (also affiliated via $work) as something you can consider to reel in your devDeps: https://github.com/LavaMoat/LavaMoat/tree/main/packages/allo...
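The idea behind an install-script allowlist such as the one mentioned in the last item above, as an added example that is not LavaMoat's code: it compares the `hasInstallScript` flags npm records in `package-lock.json` against a `lavamoat.allowScripts` map in `package.json` and reports anything that has not been explicitly reviewed. Keying the map by bare package name is a simplifying assumption, and the function name and sample data are constructed for illustration.

```javascript
// Added example: find dependencies that want to run install-time scripts
// (preinstall/install/postinstall) without an explicit allow/deny decision.
function reviewInstallScripts(lock, manifest) {
  // Policy shape: package.json "lavamoat": { "allowScripts": { "<name>": true | false } }.
  // Assumption: keys are bare package names (a simplification for this example).
  const policy = Object.assign(Object.create(null), manifest.lavamoat?.allowScripts);
  const report = { allowed: [], denied: [], unreviewed: [], stale: [] };
  const seen = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.hasInstallScript) continue;
    const name = path.replace(/^.*node_modules\//, "");
    if (seen.has(name)) continue; // same package nested at several paths
    seen.add(name);
    if (policy[name] === true) report.allowed.push(name);
    else if (policy[name] === false) report.denied.push(name);
    else report.unreviewed.push(name); // new script-bearing dep: needs a human decision
  }
  // Policy entries that no longer match any script-bearing package should be pruned,
  // so an old "true" cannot silently apply to a package added later under that name.
  for (const name of Object.keys(policy)) {
    if (!seen.has(name)) report.stale.push(name);
  }
  return report;
}

// CI passes only when every script-bearing dependency has been reviewed.
const passesGate = (report) => report.unreviewed.length === 0 && report.stale.length === 0;

// Constructed sample data.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/keccak": { version: "3.0.4", hasInstallScript: true },
    "node_modules/core-js": { version: "3.37.0", hasInstallScript: true },
    "node_modules/telemetry-helper": { version: "1.0.1", hasInstallScript: true },
    "node_modules/a/node_modules/keccak": { version: "2.1.0", hasInstallScript: true },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
const sampleManifest = {
  lavamoat: { allowScripts: { keccak: true, "core-js": false, "removed-native-dep": true } },
};

console.log(reviewInstallScripts(sampleLock, sampleManifest));
```

This only has teeth when lifecycle scripts are disabled by default (`ignore-scripts=true` in `.npmrc`) so that nothing runs before the allowlist is consulted.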
You have to trust everything, and any breach of trust breaks it all. This approach is insane, and yet, widely accepted as the way things were always done, and will always be done.
If you ever get the chance to use capability based security, otherwise known as the principle of least privilege, or multilevel security, do so.
Know that permission flags in Android, or the UAC crap in Windows, or AppArmor are NOT capability based security.
- Don't take any 3rd party dependencies. Build everything in house instead. Likely only possible in niche areas of government/defence where sky-high budgets intersect with intense scrutiny.
- Manually validate each new version of every dependency in your tree. Also very expensive, complex vulnerabilities will likely still slip through (i.e. things like SPECTRE aren't going to be caught in code review).
- Use firewalls/network security groups/VPC-equivalents to prevent any network traffic that isn't specifically related to the correct operation of your software. Increasingly hard to enforce, as our tech stacks rely on more and more SaaS offerings. Needs a properly staffed network admin to enforce and reduce the pain points on developers.
- Network isolated VMs/containers that can only talk to a dedicated container that handles all network traffic. Imposes odd constraints on software architecture, doesn't play well with SaaS dependencies.
In practice you run with whatever combination of the above you can afford, and hope for the best.
In that sense, isolation for development to solve supply chain security seems a symptom-treater, not a cause-treater.
A more extreme approach is to:
minimize dependencies, build a lot in-house, don't update pre-vetted dependencies before another audit.
In general, I think a big dependency chain is useful for getting to PoC quickly (and in some cases it's indeed unavoidable, eg. numpy etc), but in building many simplish web apps and client server applications it's feasible to have a very narrow dependency chain, especially back-end. You can even do this front-end if you eschew framework stuff.
The dependency track project accumulates all dependency vulnerabilities in a dashboard. [2]
Container SBOMs can be generated with syft and grype [3] [4]
[1] https://github.com/CycloneDX
[2] https://github.com/DependencyTrack