Ask HN: How do you defend against supply chain attacks today?

Seems like software supply chain attacks have been increasing in speed, scope, and complexity of late. Especially in NPM and PyPi packages.

How are people defending against this increased threat? Relying on dependency scanners seems way too slow now. Automagically updating to the latest & greatest is likely to include the latest & greatest malware. Auditing every version of every dependency in use is going to be a costly affair.

5 points | by elric 1 hour ago

3 comments

  • ggeorgovassilis 41 minutes ago
    On two levels: architecture and understanding. Architecture: I divide the solution components of my architecture into two groups: the ones where a security breach spills over their scope and the ones where it doesn't. For the first category (eg. network- or user-facing), dependencies will be limited as much as possible, meaning I'll forgo convenience and features. I'll pick LTS or older versions with no known vulnerabilities. The second category is locked up in containers with minimal connectivity, with on-demand run-time schedules. Understanding: depending on risk and importance, I actually check out a dependency's source code and have an AI review it. Then rebuild and self-host.

    Edit: this approach sounds like it could be bundled into a couple of agents.

    [-]
    • elric 7 minutes ago
      I wasn't expecting any architectural answers when I asked the question (not that I knew what to expect, hence the question), but I'm adding this one to my list of "why architecture matters".
  • tuananh 58 minutes ago
    You can setup local proxy registry. set policy for the registry to set cool down period (7-14 days maybe). That will at least limit some of the blast radius
    [-]
  • ShreyashM17 18 minutes ago
    [flagged]