We all had that friend back in the day, whose PC was always infected with some sort of cancer due to their use of sharing hubs like LimeWire, BearShare, Kazaa, etc. And you always felt just a little bit superior for knowing where your software came from.
Now, you are employed, professionally. You are a fullstack developer, DevOps, Agile, the whole jam of what is ‘hot’ in IT today. Secretly you can’t believe they pay you to do this! And you got there because you were able to just ‘docker run X’, or ‘maven’ or ‘go import’. You directly use the upstream repo of giants. And now you are starting to see what I mean, the penny is dropping. Is ‘github’, ‘dockerhub’, ‘maven’, ‘pypi’, ‘go’ really any different from LimeWire? Well yes, but… the same thing can happen. Is that repo you are using kept religiously up to date for security? Is it signed? How well do they maintain the GPG private keys they sign with? What about their upstreams?
Now, I am one of the world’s biggest OSS fans, so don’t think I am suggesting that somehow this is an OSS issue. It’s not. It’s just that you might be bringing more into your corporate firewall or cloud environment than you think when you do that ‘docker pull’. You have some onus on you, some risk to watch, understand, manage. Risk is a tool: zero risk is too expensive, high risk with low reward is a fool’s bargain. Unknown risk is … risky.
Do you have a strategy to manage and understand this risk? There are tools to scan during your development cycle (‘Application Security’). But there are not many tools for fire-walling your app off from itself, from all of its decomposed pieces. And maybe that’s something we need more of.
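To make the "what about their upstreams?" question concrete, here is an added example (not part of the original post, and not any real package manager's code) that walks a constructed dependency tree and reports every link that is unpinned, unsigned, or whose bytes no longer match the digest recorded in a lockfile. The `Artifact` records, their contents and digests are all constructed stand-ins for real downloads.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Artifact:
    """A dependency as it arrives from upstream (constructed stand-in)."""
    name: str
    content: bytes                 # bytes we actually fetched
    pinned_sha256: Optional[str]   # digest in our lockfile, None if never pinned
    signed: bool                   # upstream publishes a verifiable signature
    deps: List["Artifact"] = field(default_factory=list)


def audit(artifact: Artifact, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str]]:
    """Depth-first walk; yield (dependency path, problem) for every weak link.

    A clean root does not make the tree clean: a transitive dependency
    that is unpinned or unsigned is just as much a part of your deployment.
    """
    here = path + (artifact.name,)
    if artifact.pinned_sha256 is None:
        yield "/".join(here), "unpinned"
    elif hashlib.sha256(artifact.content).hexdigest() != artifact.pinned_sha256:
        yield "/".join(here), "digest mismatch"     # bytes changed under the pin
    if not artifact.signed:
        yield "/".join(here), "unsigned"
    for dep in artifact.deps:
        yield from audit(dep, here)


def findings(root: Artifact) -> List[Tuple[str, str]]:
    return list(audit(root))


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed tree: the app and its direct dependency look fine, but two hops
# down one library was never pinned or signed, and another was pinned against
# bytes that differ from what upstream now serves.
LIB_B = Artifact("libB", b"libB-1.0", None, False)
LIB_C = Artifact("libC", b"libC-2.3 (modified)", sha(b"libC-2.3"), True)
LIB_A = Artifact("libA", b"libA-4.1", sha(b"libA-4.1"), True, [LIB_B, LIB_C])
APP = Artifact("app", b"app-0.1", sha(b"app-0.1"), True, [LIB_A])

if __name__ == "__main__":
    for dep_path, problem in findings(APP):
        print(f"{dep_path}: {problem}")
```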