Software Development

How are you securing the Software Supply Chain after the latest breaches?

CH Asked by Christina Moore · 20-05-2023
0 upvotes 13,788 views 0 comments
The question

With the recent high-profile supply chain attacks, my CTO is asking for a "Zero Trust" approach to our dependencies. We have thousands of NPM and Maven packages. Are you actually auditing every version update, or are you relying on automated tools like Snyk or Dependabot to do the heavy lifting? 

3 answers

0
SH
Answered on 28-05-2023

We moved beyond just using Dependabot. We now maintain a "Private Artifactory" mirror where every new package version must pass a security scan before it's available for developers to download. We also started signing our builds using Sigstore/Cosign. It adds friction to the dev process, but it's the only way to ensure that what we deploy is exactly what we built. If an automated tool like Snyk flags a "Critical" vulnerability, our pipeline automatically blocks the production merge. It's tough, but "trust but verify" is no longer enough. 

0
DA
Answered on 05-06-2023

Do you find that your developers are getting "vulnerability fatigue" from all the automated alerts, and how do you prioritize what actually needs a fix? 

LA 10-06-2023

Daniel, the fatigue is real. We implemented a "Reachability Analysis" tool. It tells us not just if a library is vulnerable, but if our code actually calls the vulnerable function. This reduced our "to-fix" list by 60%. We also hold a monthly "Security Guild" meeting where we discuss the top threats. This keeps the team engaged and helps them understand that security isn't just a checklist—it's part of the code's quality.

0
M
Answered on 15-06-2023

We simply pinned all versions and only update quarterly after a manual review. It's slow, but it's the only way we feel safe in our fintech environment.

CH 18-06-2023

Quarterly might be too slow for zero-day exploits, Michelle. We prefer the "Automated but Monitored" approach. If a patch is released for a CVE, we want it in within 48 hours.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session