How does your company manage open-source dependencies?

3 points by ddadon10 ↗ HN
I am reading more and more about software supply chain security[1][2] and wondering how companies are managing open-source dependencies, especially big corp.

Eg:

- Can you just install any dependency without an audit?

- Does the top management takes those issues seriously?

- Do you have some horror stories to share? (outside Log4j of course)

Would love to have some insight on that, and the company size (number of employees etc)

[1]: https://slsa.dev/

[2]: https://securityscorecards.dev/

1 comment

[ 3.1 ms ] story [ 14.3 ms ] thread
2 engineers at a 4 person startup; we have a list of licenses, the lawyers and auditors told us which licenses are allowed but then we rely on the community to police itself for vulnerabilities.

I would find myself frustrated by any process involving a security team review; the savings are enormous and the scary parts of this problem haven't manifested nearly enough to justify the additional overhead involved.