undefined | Better HN

0 pointsTheRealDunkirk3y ago0 comments

If "your IT team" has merely created a snapshot of an external repo, how is this any more "secure?" I've asked a similar question below. I really want to understand the thinking here. No IT department is going to go line-by-line through all the packages in "artificatory" or Ruby gems or NPM packages or NuGet's repo, checking them all against known vulnerabilities. No one's going to vet the actual code. If there's a public advisory for one of the packages, the parent repo is going to fix it first, and the internal repo may already be compromised, and the "IT team" is going to have to duplicate the work that the repo runners are already doing, and do it slower. I'm lost here.

0 comments

slt20213y ago

there are IT security vendors that provide static code analysis and scanning for known signatures, that can detect and block malicious packages. Just target SCA at local artifactory and this will be a solved problem. CISO just needs to buy solution and IT admins just needs to deploy that software once and it will keep scanning. Absolutely no extra work from meatbags is required

richbell3y ago

> Absolutely no extra work from meatbags is require

Unfortunately this is rarely true in practice. There is always some degree of friction or error that ought to be managed; ignoring it is how shadow IT proliferates, e.g. a dev is tired of their builds failing due to a false positive and decides to circumvent artifactory altogether.

You're spot-on otherwise.

TheRealDunkirkOP3y ago

So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

It seems that Microsoft has built an internal tool that runs such a scan on NuGet (https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packa...), at least against your individual app's packages. (That would be a very rare h/t to Microsoft from me.)

EDIT: Apparently, you can also do this with npm packages (https://docs.npmjs.com/auditing-package-dependencies-for-sec...). I don't see any facility to do this with Ruby gems.

It looks like the common practice would be to outsource the issue database to GitHub, and let whatever scanner you're using cross-reference that list?

What happens when it finds a reported problem? Does it automatically delete that mirrored package, and/or block it from being downloaded or used from the on-prem repo?

This is all new to me, and has helped put this in context, but what actual software are you talking about using for analysis?

EDIT EDIT: Running `yarn audit` in my main Rails app (just using webpacker to bundle the JS):

    97 vulnerabilities found - Packages audited: 1074
    Severity: 2 Low | 34 Moderate | 52 High | 9 Critical

I just did a `yarn upgrade` about a week ago, so it's not like I'm completely out of date. What would a centrally-managed SCA do about this situation?

richbell3y ago

> So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

I could talk at length about this; unfortunately, I'm on my phone with a shotty connection.

The tl;dr is that companies like Snyk make money by requiring companies to pay to check for vulnerabilities once they've been downloaded. There's not necessarily anything wrong with that, but a philanthropic company could make things significantly safer for everyone if they weren't concerned about making money. Initiatives like the OSSF will hopefully have a positive impact, for this reason.

1 more reply

j / k navigate · click thread line to collapse

0 comments

slt20213y ago

richbell3y ago

> Absolutely no extra work from meatbags is require

You're spot-on otherwise.

TheRealDunkirkOP3y ago

So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

EDIT: Apparently, you can also do this with npm packages (https://docs.npmjs.com/auditing-package-dependencies-for-sec...). I don't see any facility to do this with Ruby gems.

It looks like the common practice would be to outsource the issue database to GitHub, and let whatever scanner you're using cross-reference that list?

What happens when it finds a reported problem? Does it automatically delete that mirrored package, and/or block it from being downloaded or used from the on-prem repo?

This is all new to me, and has helped put this in context, but what actual software are you talking about using for analysis?

EDIT EDIT: Running `yarn audit` in my main Rails app (just using webpacker to bundle the JS):

    97 vulnerabilities found - Packages audited: 1074
    Severity: 2 Low | 34 Moderate | 52 High | 9 Critical

I just did a `yarn upgrade` about a week ago, so it's not like I'm completely out of date. What would a centrally-managed SCA do about this situation?

richbell3y ago

> So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

I could talk at length about this; unfortunately, I'm on my phone with a shotty connection.

1 more reply

j / k navigate · click thread line to collapse