Comment by irishcoffee

2 days ago

> unless you work for a government contractor where they have strict security policies

... So you're saying there is a blueprint for mitigating this already, and it just isn't followed?

Yes, but it requires people. Typically, you identify a package you want (or a new version of a package you want) and you send off a request to a separate security team. They analyze and approve, and the package becomes available in your internal package manager. But this means 1) you need that team of people to do that work, and 2) there's a lot of hurry-up-and-wait involved.

  • Doesn't even require that many people. The analysis can mostly be automated, and the request process can be handled via peer review. Having one or two people for every 100-200 developers who can give sensible advice, provide some general oversight of what's going on, and step in to say 'no' occasionally does help though.

    Also means you can put an end to a popular antipattern that has grown in recent years: letting your production infrastructure talk to whatever it likes to download whatever it likes from the Internet.

    • I'd be curious how many of today's automatic package validation tools or peer review processes would have caught the lotusbail package discussed in the article. The malicious aspects were heavily obfuscated, and it worked as advertised.

  • > Yes, but it requires people.

    I've heard rumor of a few 100k people laid off in tech over the past few years that might be interested.

    • Who's gonna pay for it? The companies that laid off those people? They'll just continue on without worrying.
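The "request, security review, then publish to the internal package manager" flow discussed above can be enforced in CI with a gate that only admits pinned, hash-locked packages the review team has recorded. The following is an added example, not code from any commenter or project in the thread; the approval list, digests and lockfile are constructed sample data, and `check_lockfile` is a hypothetical helper name.

```python
import re
from typing import Dict, List, Tuple

# Constructed approval list: what the review team signed off on, keyed by
# (normalised name, version) with the digest of the artifact actually reviewed.
# The digests are placeholders, not real hashes.
APPROVED: Dict[Tuple[str, str], str] = {
    ("requests", "2.31.0"): "sha256:" + "a" * 64,
    ("urllib3", "2.2.1"): "sha256:" + "b" * 64,
}

# Accepts only pip's hash-checking form: "name==version --hash=sha256:<hex>".
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=(?P<digest>sha256:[0-9a-f]{64})\s*$"
)


def check_lockfile(text: str, approved: Dict[Tuple[str, str], str] = APPROVED) -> List[str]:
    """Return one finding per requirement that would not pass the internal gate.

    Rejected: unpinned or unhashed lines (nothing to match against a reviewed
    artifact), name/version pairs never approved, and digest mismatches
    (approved version, but a different artifact than the one reviewed).
    """
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unpinned or unhashed requirement rejected: {line!r}")
            continue
        name = re.sub(r"[-_.]+", "-", m["name"]).lower()  # PEP 503 normalisation
        key = (name, m["version"])
        if key not in approved:
            findings.append(f"{name}=={m['version']} is not on the approved list")
        elif approved[key] != m["digest"]:
            findings.append(f"{name}=={m['version']} digest differs from the reviewed artifact")
    return findings


# Constructed sample lockfile: one clean entry, one swapped artifact, one
# package nobody reviewed, and one unpinned range.
SAMPLE_LOCKFILE = f"""# constructed sample
requests==2.31.0 --hash=sha256:{'a' * 64}
urllib3==2.2.1 --hash=sha256:{'c' * 64}
left-pad-like==9.9.9 --hash=sha256:{'d' * 64}
flask>=3.0
"""

if __name__ == "__main__":
    for finding in check_lockfile(SAMPLE_LOCKFILE):
        print(finding)
```

Running the gate against the internal index only (no fallback to a public one) keeps the "download whatever it likes from the Internet" path closed for the build as well as for production.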