Correct. As an attacker you just move one level deeper.
If the target pins their direct actions to commit hashes, you compromise
a dependency of the action instead. They pinned the top of the tree
but you own something in the middle of it.
SolarWinds was not attacked directly. The attackers compromised Orion,
a build tool SolarWinds depended on. SolarWinds had decent security
on their own code. It did not matter because the attack came through
a dependency they trusted and did not control.
The defender has to secure the entire chain. The attacker only has
to find one weak link anywhere in it. That asymmetry is why supply
chain attacks keep working.
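The point above about pinning only the top of the tree can be checked mechanically. In GitHub Actions a workflow step can be pinned to a 40-hex commit SHA, but a composite action resolves its own `uses:` references at run time, so a mutable tag anywhere below the pinned action still lets whoever controls that repository change what runs. The following is an added example and not part of the original thread or of any real project: a small transitive pin auditor. It walks every remote action reachable from a workflow and reports each link that is not SHA-pinned. All repository names and SHAs are hypothetical, and `REGISTRY` stands in for fetching each action.yml from the referenced commit; a real tool would do that fetch.

```python
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` (optionally quoted) in a workflow job step
# or in a composite action's steps.
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    chain: tuple   # path from the workflow down to the file containing `ref`
    ref: str       # the `uses:` value as written
    pinned: bool   # True only when the git ref is a full 40-hex commit SHA


def uses_refs(yaml_text):
    """Remote `uses:` references in a workflow or action.yml.
    Local (./path) and docker:// references are skipped."""
    refs = []
    for m in USES.finditer(yaml_text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        refs.append(ref)
    return refs


def is_sha_pinned(ref):
    # Everything after the last '@' is the git ref. A commit SHA is immutable;
    # a tag or branch can be moved by whoever controls that repository.
    if "@" not in ref:
        return False
    return bool(SHA40.match(ref.rsplit("@", 1)[1]))


def audit(workflow_text, registry, chain=("workflow",), seen=None):
    """Walk every remote action reachable from the workflow and record whether
    each link is SHA-pinned. `registry` maps "owner/repo@ref" to the action.yml
    text at that ref (hypothetical stand-in for fetching it from the repo)."""
    if seen is None:
        seen = set()
    findings = []
    for ref in uses_refs(workflow_text):
        findings.append(Finding(chain, ref, is_sha_pinned(ref)))
        if ref in seen:          # avoid re-walking shared or cyclic dependencies
            continue
        seen.add(ref)
        child = registry.get(ref)
        if child is not None:    # composite action: recurse into its own steps
            findings.extend(audit(child, registry, chain + (ref,), seen))
    return findings


def unpinned(findings):
    return [f for f in findings if not f.pinned]


# Constructed sample (hypothetical names and SHAs, not real repositories).
# The workflow pins its one direct action to a commit, but that composite
# action pulls in a helper by mutable tag; the helper itself pins correctly.
PINNED_TOOL = "example-org/release-tool@" + "a" * 40
PINNED_CHECKOUT = "actions/checkout@" + "b" * 40

WORKFLOW = f"""
name: release
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: {PINNED_TOOL}
"""

REGISTRY = {
    PINNED_TOOL: """
name: release-tool
runs:
  using: composite
  steps:
    - uses: example-corp/setup-helper@v2
    - run: ./release.sh
      shell: bash
""",
    "example-corp/setup-helper@v2": f"""
name: setup-helper
runs:
  using: composite
  steps:
    - uses: {PINNED_CHECKOUT}
    - uses: ./local-step
""",
    PINNED_CHECKOUT: "runs:\n  using: node20\n  main: dist/index.js\n",
}

if __name__ == "__main__":
    for f in unpinned(audit(WORKFLOW, REGISTRY)):
        print("unpinned:", " -> ".join(f.chain), "->", f.ref)
```

Running it reports the one weak link, `example-corp/setup-helper@v2`, reached through the correctly pinned `release-tool`; the top-level pin is satisfied and would pass a direct-dependency-only check. The `seen` set matters on real trees, where the same helper is reached by several paths.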