Because on one hand, you do pick up hotfix patches, but on the other hand, you are possibly a bit more exposed to supply chain attacks.
Any ideas on how to balance that out? Or should we just not consider supply chain attacks to be a real threat?
Sandbox your dependencies.
Run automated security vulnerability testing on your program, looking for rogue behaviour.
Require code signatures on dependencies.
Identify security-critical components and audit them.
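As an added example, not part of either post above: one concrete way to get the "signed/pinned dependencies" point in practice is to record an exact version and a content digest for every dependency, and refuse to install anything that drifts from that record. The verifier below is written for this illustration (it is not pip or any real package manager); it uses the same `name==version --hash=sha256:...` line shape that pip accepts under `--require-hashes`, but the parser, the artifact dictionaries and the package bytes are all constructed here. A hotfix then reaches the build only when someone deliberately re-pins it in a reviewed change, which is the trade-off the question is asking about.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lockfile line format: "<name>==<version> --hash=sha256:<hex>"
# Same shape as a pip requirement line under --require-hashes; the parser is ours.
_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==(\S+)\s+--hash=sha256:([0-9a-f]{64})\s*$")


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_lockfile(artifacts: Dict[str, Tuple[str, bytes]]) -> str:
    """Freeze the exact version and digest of every artifact we reviewed."""
    lines = ["# generated pin file; update only through a reviewed change"]
    for name, (version, blob) in sorted(artifacts.items()):
        lines.append(f"{name.lower()}=={version} --hash=sha256:{sha256_hex(blob)}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> Dict[str, Pin]:
    """Reject any entry that is not an exact version with a digest."""
    pins: Dict[str, Pin] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"lockfile line {lineno}: unpinned or malformed entry: {line!r}")
        name, version, digest = m.groups()
        key = name.lower()
        if key in pins:
            raise ValueError(f"lockfile line {lineno}: duplicate pin for {name}")
        pins[key] = Pin(key, version, digest)
    return pins


def verify_artifacts(pins: Dict[str, Pin],
                     fetched: Dict[str, Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Compare what the resolver fetched against the reviewed pins.

    Returns (name, status) pairs; anything other than "ok" blocks the install.
    """
    findings: List[Tuple[str, str]] = []
    fetched_keys = {n.lower() for n in fetched}
    for name, (version, blob) in sorted(fetched.items()):
        key = name.lower()
        pin = pins.get(key)
        if pin is None:
            findings.append((key, "unpinned"))       # a dependency nobody reviewed
        elif version != pin.version:
            findings.append((key, "version-drift"))  # a release we did not sign off on
        elif sha256_hex(blob) != pin.sha256:
            findings.append((key, "hash-mismatch"))  # same version string, different bytes
        else:
            findings.append((key, "ok"))
    for key in sorted(pins.keys() - fetched_keys):
        findings.append((key, "missing"))            # pinned but not delivered
    return findings


def install_allowed(findings: List[Tuple[str, str]]) -> bool:
    return all(status == "ok" for _, status in findings)


# Constructed sample artifacts: name -> (version, artifact bytes). Not real packages.
GOOD_ARTIFACTS = {
    "requests": ("2.31.0", b"constructed: requests 2.31.0 wheel bytes"),
    "urllib3": ("2.0.7", b"constructed: urllib3 2.0.7 wheel bytes"),
}
LOCKFILE = write_lockfile(GOOD_ARTIFACTS)

# Constructed "next build" where the resolver brought back something different:
# same requests version but altered bytes, an unreviewed urllib3 hotfix, and a new transitive dep.
TAMPERED_ARTIFACTS = {
    "requests": ("2.31.0", b"constructed: requests 2.31.0 wheel bytes + injected code"),
    "urllib3": ("2.0.8", b"constructed: urllib3 2.0.8 wheel bytes"),
    "colorama": ("0.4.6", b"constructed: colorama 0.4.6 wheel bytes"),
}

if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for name, status in verify_artifacts(pins, TAMPERED_ARTIFACTS):
        print(f"{name:10s} {status}")
    print("install allowed:", install_allowed(verify_artifacts(pins, TAMPERED_ARTIFACTS)))
```

The point of the design is that every status other than `ok` is a question for a human: `version-drift` is the hotfix you may well want, but you take it by re-running `write_lockfile` on reviewed artifacts and committing the new pins, not by letting the resolver choose for you; `hash-mismatch` for an unchanged version string is the case that should never happen and deserves an incident, not a re-pin.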