Ask HN: What are you doing to secure your software supply chain?

2 points by ianpurton ↗ HN
I'm looking to see what tools or techniques people are using during development, in the CI CD pipeline and out into production.

For example would you survive a log4j style attack, and how.

Do you secure development environments against malicious code.

If you do web development how do you know the Javascript in production matches that in development.

3 comments

[ 7.7 ms ] story [ 15.8 ms ] thread
Some of my clients pay to do double review of all dependencies.

Others go as far as distributed deterministic builds to ensure CI/CD systems themselves are not compromised.

Here are the latest public iterations of my recommendations.

https://github.com/talos-systems/rfcs/blob/main/001-software...

Also here are complimentary practices to ensure the production engineers that must have access to CI/CD systems etc don't themselves become a weak link in the supply chain (which happens a -lot-).

https://github.com/hashbang/book/blob/master/content/docs/se...

Shameless plug: My company Distrust (short for Distributed Trust), offers auditing, consulting, and support so companies can avoid single points of failure in their supply chains from third party libs to the hands of end users. Happy to chat with anyone that wants some outside eyes in this area!

What is a double review of dependencies? Is that someone going through the source code of included libraries?
It is. Yeah.

Including third party code is a shortcut so you don't have to write it, but you still have to review it otherwise you are responsible for anything malicious you pass on to your end users.