Ask HN: How do you defend against supply chain attacks today?

5•elric•1h ago
Seems like software supply chain attacks have been increasing in speed, scope, and complexity of late. Especially in NPM and PyPI packages.

How are people defending against this increased threat? Relying on dependency scanners seems way too slow now. Automagically updating to the latest & greatest is likely to include the latest & greatest malware. Auditing every version of every dependency in use is going to be a costly affair.

Comments

tuananh•1h ago
You can set up a local proxy registry. Set a policy for the registry to set a cool-down period (7-14 days maybe). That will at least limit some of the blast radius.
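
The cool-down policy suggested in the comment above, sketched as an added example (not part of the comment and not any registry product's own code): a filter a proxy could run over npm-style package metadata, whose `time` map records each version's publish timestamp. The function names and the sample data are assumptions made for illustration.

```javascript
// Added example: cool-down filter a proxy registry could apply to npm-style
// package metadata before serving it. Sample data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "1.2.3" into [1, 2, 3]; returns null for prereleases or odd strings
// (simplification: prerelease versions are never offered as "latest").
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so that 1.10.0 sorts above 1.9.0.
function compareVersions(a, b) {
  const pa = parseStable(a), pb = parseStable(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return a copy of the metadata with every version younger than the
// cool-down removed and dist-tags.latest pointed at the newest survivor.
function applyCooldown(packument, now, cooldownDays) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const versions = {}, time = {};
  for (const v of Object.keys(packument.versions)) {
    const published = Date.parse(packument.time[v]);
    // Fail closed: a missing or unparsable timestamp counts as "too new".
    if (Number.isNaN(published) || published > cutoff) continue;
    versions[v] = packument.versions[v];
    time[v] = packument.time[v];
  }
  const stable = Object.keys(versions).filter(parseStable).sort(compareVersions);
  const latest = stable.length ? stable[stable.length - 1] : null;
  return { ...packument, versions, time, "dist-tags": latest ? { latest } : {} };
}

// Constructed sample: 2.0.1 was published two days before NOW.
const SAMPLE = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.1" },
  versions: { "1.9.0": {}, "1.10.0": {}, "2.0.0": {}, "2.0.1": {} },
  time: {
    "1.9.0": "2026-01-10T00:00:00Z", "1.10.0": "2026-03-01T00:00:00Z",
    "2.0.0": "2026-05-09T00:00:00Z", "2.0.1": "2026-05-12T00:00:00Z",
  },
};
const NOW = new Date("2026-05-14T00:00:00Z");
```

With a 7-day window the client sees `1.10.0` as `latest`; a version with no publish timestamp is withheld rather than served.
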
josteinhylin•1h ago
Lol
ggeorgovassilis•48m ago
On two levels: architecture and understanding. Architecture: I divide the solution components of my architecture into two groups: the ones where a security breach spills over their scope and the ones where it doesn't. For the first category (e.g. network- or user-facing), dependencies will be limited as much as possible, meaning I'll forgo convenience and features. I'll pick LTS or older versions with no known vulnerabilities. The second category is locked up in containers with minimal connectivity, with on-demand run-time schedules. Understanding: depending on risk and importance, I actually check out a dependency's source code and have an AI review it. Then rebuild and self-host.

Edit: this approach sounds like it could be bundled into a couple of agents.

elric•14m ago
I wasn't expecting any architectural answers when I asked the question (not that I knew what to expect, hence the question), but I'm adding this one to my list of "why architecture matters".
