zmgsabst 2 hours ago
Dev dependencies are how they compromised SolarWinds and thereby most of the US federal government.

> The attackers used a supply chain attack. The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point. SolarWinds was using build management and continuous integration server TeamCity provided by the Czech company JetBrains. In 2021 The New York Times stated that unknown parties apparently embedded malware in JetBrains' software and through this way compromised also SolarWinds.

https://en.wikipedia.org/wiki/2020_United_States_federal_gov...

I don’t know what kind of software you write, how valuable your company’s infrastructure is, etc. But supply chain and insider threat in security/infrastructure is a big topic — that I’m sure they’re concerned about because that’s their area of responsibility. Even if I’m personally sympathetic to not wanting to deal with the churn of dev dependency updates.
tempay 2 hours ago
This is very real, but such CVEs are such a tiny fraction in relation to denial-of-service-due-to-regex that it’s hard to take the system seriously. So far as I’m concerned the solution is to isolate everything as much as possible. I’d love to see something on the CVE classification side to also address the signal to noise problem but I don’t see it happening.
technion 30 minutes ago
Vulnerable dependencies are very different to compromised or backdoored dependencies though. No one's taking over SolarWinds because their build tools had a ReDoS involving input from their own config files.