October 12, 2022 at 12:00 am
Comments posted to this topic are about the item Code Supply Chain Security
October 12, 2022 at 3:06 pm
Thank you very much, Steve, for this article. And especially for the links you've provided to help developers better secure their software. I've been looking for something like this for a long time, so I greatly appreciate it.
Kindest Regards, Rod Connect with me on LinkedIn.
October 13, 2022 at 5:07 pm
Many of our applications are put in Docker containers. These containers are scanned using Trivy , which catches a frightening number of items. We also use scanners on our Docker build process itself to ensure that we are not introducing vulnerabilities through other means.
The choice as to how current to keep patching levels is a trade off.
Damned if you do, damned if you don't.
For data pipeline applications we think carefully about what we need and whether we can reduce the number of dependencies. Something like MiniConda for Python is convenient for experimentation but stuffed with far more dependencies than I'd ever need for production code.
Another pain point is the escalation process (the lack thereof) for vendor software. If we find a vulnerability it can feel a thankless task reporting it. In some cases we find unpatched vulnerabilities that are years old.
I think we've all seen applications that require an SA login, and worse, a hard-coded SA password.
Now more than ever we need multi-factor-authentication for our corporate applications, and to access our workstations. The peace of mind outweighs the minor inconvenience.
I think we have a way to go before supply chain attack has the prominence it deserves.
October 18, 2022 at 3:06 pm
I think this is likely to become more of an issue in the future. Hopefully, we find some better solutions that don't dampen the enthusiasm for using OSS stuff in corporate work.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply