Notes on Addressing Supply Chain Vulnerabilities

One of the unsung achievements of modern software development is the degree to which it has become componentized. Not that long ago, when you wanted to write a piece of software you had to write pretty much the whole thing using whatever tools were provided by the language you were writing in, maybe with a few specialized libraries like OpenSSL. No longer. The combination of newer languages, Open Source development, and easy-to-use package management systems like JavaScript's npm or Rust's Cargo/crates.io has revolutionized how people write software, making it standard practice to pull in third-party libraries even for the simplest tasks. It's not at all uncommon for programs to depend on hundreds or thousands of third-party packages.

While this new paradigm has revolutionized software development, it has also greatly increased the risk of supply chain attacks, in which an attacker compromises one of your dependencies and, through that, your software.[1] A famous example of this is provided by the 2018 compromise of the event-stream package to steal Bitcoin from people's computers. The Register's brief history provides a sense of the scale of the problem.

...


News Link: https://blog.mozilla.org/blog/2021/02/27/notes-on-addressing-supply-chain-vulnerabilities/.
