undefined | Better HN

0 pointsYgg24mo ago0 comments

I don't buy this line of reasoning. There are zero/one day vulnerabilities that will get extra time to spread. Also, if everyone switches to the same cooldown, wouldn't this just postpone the discovery of future Shai-Huluds?

I guess the latter point depends on how are Shai-Huluds detected. If they are discovered by downstreams of libraries, or worse users, then it will do nothing.

0 comments

__s4mo ago

There are companies like Helix Guard scanning registries. They advertise static analysis / LLM analysis, but honeypot instances can also install packages & detect certain files like cloud configs being accessed

Yokohiii4mo ago

But relying on the goodwill of commercial sec vendors is it's own infrastructure risk.

limagnolia4mo ago

So don't rely on their goodwill? Instead, pay them, under a contract.. or do it yourself.

perlgeek4mo ago

You can also pay a commercial sec vendor if you don't want to rely on their goodwill.

wavemode4mo ago

Your line of reasoning only makes sense if literally almost all developers in the world adopt cooldowns, and adopt the same cooldown.

That would be a level of mass participation yet unseen by mankind (in anything, much less something as subjective as software development). I think we're fine.

recursive4mo ago

I don't think so. What fraction of developers would even notice the malware? Some malware seems to barely be noticed.

hyperpape4mo ago

For zero/one days, the trick is that you'd pair dependency cooldowns with automatic scanning for vulnerable dependencies.

And in the cases where you have vulnerable dependencies, you'd force update them before the cooldown period had expired, while leaving everything else you can in place.

j / k navigate · click thread line to collapse