With the recent high-profile supply chain attacks, my CTO is asking for a "Zero Trust" approach to our dependencies. We have thousands of NPM and Maven packages. Are you actually auditing every version update, or are you relying on automated tools like Snyk or Dependabot to do the heavy lifting?
3 answers
We moved beyond just using Dependabot. We now maintain a "Private Artifactory" mirror where every new package version must pass a security scan before it's available for developers to download. We also started signing our builds using Sigstore/Cosign. It adds friction to the dev process, but it's the only way to ensure that what we deploy is exactly what we built. If an automated tool like Snyk flags a "Critical" vulnerability, our pipeline automatically blocks the production merge. It's tough, but "trust but verify" is no longer enough.
Do you find that your developers are getting "vulnerability fatigue" from all the automated alerts, and how do you prioritize what actually needs a fix?
We simply pinned all versions and only update quarterly after a manual review. It's slow, but it's the only way we feel safe in our fintech environment.
Quarterly might be too slow for zero-day exploits, Michelle. We prefer the "Automated but Monitored" approach. If a patch is released for a CVE, we want it in within 48 hours.
Daniel, the fatigue is real. We implemented a "Reachability Analysis" tool. It tells us not just if a library is vulnerable, but if our code actually calls the vulnerable function. This reduced our "to-fix" list by 60%. We also hold a monthly "Security Guild" meeting where we discuss the top threats. This keeps the team engaged and helps them understand that security isn't just a checklist—it's part of the code's quality.