Software supply chain risk management robots


It finally happened to you. A developer used ‘import A’. A pulled in B, B pulled in C, D. D pulled in E… and somewhere along that chain evil lurked. Now all your bits are belong to l33t hackerz.

So, like all things in life, it's time to over-react after the fact (something about a barn door and a horse).

And like all good things in life, research ~= google. So you do. And you find… shocking… a set of tools. Sadly language-specific, but let's not be greedy.

What these tools do is glom onto your git repo and snoop around. They find a ‘requirements.txt’ (or its equivalent for your language), parse it, then go find those packages, parse them, and so on. A tree is built. Then they watch the vulnerability stream of those upstreams for you. Some even conveniently issue a Pull-Request to your repo when they find an issue!
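As an added illustration (not code from the original post or from any of those tools), here is a toy version of what such a bot does end to end: parse a requirements.txt, walk the transitive tree, and match it against a vulnerability feed. The package index, the advisory id and the feed are constructed stand-ins for PyPI and a real advisory stream.

```python
import re
# Constructed package index (assumption): name -> {version: [dependencies]}.
# Mirrors the post's chain: A pulls in B, B pulls in C and D, D pulls in E.
INDEX = {
    "a": {"1.0": ["b"]},
    "b": {"2.1": ["c", "d"]},
    "c": {"0.3": []},
    "d": {"4.2": ["e"]},
    "e": {"1.5": []},
}
# Constructed vulnerability feed (assumption): (package, affected versions, placeholder id)
FEED = [("e", {"1.5"}, "ADVISORY-PLACEHOLDER-1")]
# Only exact '==' pins are understood; anything else is treated as unpinned.
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(?:==\s*(\S+))?")

def parse_requirements(text):
    """Map each direct requirement to its pinned version (None if unpinned)."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m:
            reqs[m.group(1).lower()] = m.group(2)
    return reqs

def build_tree(reqs, index=INDEX):
    """Walk transitive deps; record the first chain that reaches each package."""
    tree = {}
    stack = [(name, ver, [name]) for name, ver in reqs.items()]
    while stack:
        name, ver, chain = stack.pop()
        if name in tree:
            continue                      # already resolved; also stops cycles
        ver = ver or max(index[name])     # unpinned: newest version (toy: string max)
        tree[name] = {"version": ver, "chain": chain}
        for dep in index[name][ver]:
            stack.append((dep, None, chain + [dep]))
    return tree

def find_vulnerable(tree, feed=FEED):
    """Return (package, version, advisory, chain) for every feed entry in the tree."""
    hits = []
    for pkg, bad_versions, advisory in feed:
        if pkg in tree and tree[pkg]["version"] in bad_versions:
            hits.append((pkg, tree[pkg]["version"], advisory, tree[pkg]["chain"]))
    return hits

REQUIREMENTS = "# constructed sample requirements.txt\na==1.0\n"   # the developer's 'import A'
```

The chain recorded for each hit is what makes the resulting Pull-Request actionable: it tells you which direct dependency to bump or replace, not just that something five levels down is bad.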

And cuz it's (nearly) 2019, they all have an API, a freemium business model, and some ‘open-ish’ source on GitHub.

But, tl;dr: if you are waiting for bad things to happen to good software in production as your means of knowing you have a security issue, maybe you should look at moving it upstream with some automated security dependency tracking. You can maybe merge this with your SAST platform (like Clair).