logoalt Hacker News

madeofpalkyesterday at 10:26 PM2 repliesview on HN

What would be a security measure that should only be selectively enforced?


Replies

ashu1461today at 12:25 AM

There are few ideas which come to my mind, some might be far fetched, taking NPM as an example.

- Restricting packages with similar names as of popular packages restrict expres because express is a popular package.

- Imposing stricter 2FA checks on accounts of authors of these packages.

- Making sure that published packages don't have vulnerabilities and clear npm audit.

- Alerts in case these packages contain a dependency which is new / relatively new.

show 1 reply
toomuchtodoyesterday at 10:28 PM

Higher cost (“Mythos” vs static code analysis) vulnerability scanning prior to successful merge to main branch or deployment as an artifact. As risk increases (popular code->greater exposure potential), increase automated, programmatic scrutiny on subject code to lower residual risk.

(application security and vulnerability management is a component of my work in financial services, thoughts and opinions always my own)