New guidance on software supply chain attacks


The OpenSSF is a great organisation that is clearly going full steam ahead: it is making serious progress on corralling the wild west of development package repositories like npm, RubyGems, and PyPI.

The trick, of course, is going to be to get developers to go along with the best security practices, like two-factor authentication for project pushes. We also need to figure out how to get CI/CD pipelines to distinguish between critical “fix this gaping security hole now” updates and malicious “install my cryptominer now” updates to squatted or hijacked packages.

That’s going to be a challenge, since we can’t load up all the responsibility for security on volunteer developers, and we also need to be able to move quickly on critical updates while simultaneously being judicious with updates to production.