How do we improve supply chain security?

  • Having a validated list (allowlist) of components and software sources
  • Using automated processes to build it: fewer people, more services/machines
  • Having regular software security checks and reports
  • Having regular automatic vulnerability checks for every process
  • Being clear about what counts as a vulnerability and what does not
  • Having a list of authors and manufacturers, so we know exactly where each piece of software/hardware came from
  • Restricting, analyzing and controlling the use of third-party software and services
  • Reporting vulnerabilities, describing exactly what they are and what their consequences are
  • Knowing where all our product dependencies come from
  • Documenting everything: which OS we used, the compiler, the IDE version, languages, package versions, everything!
  • Automating everything
  • Using signed software, and actually verifying the signatures
  • Being fast: fixing reported vulnerabilities as soon as we can, before they are exploited
  • In 2017 an exploit would take about 2 days to be made public and used against us; now it is a matter of seconds
  • Re-thinking our trust levels
  • Being careful with the open source software we use: not using software that isn't maintained, can't provide regular updates, or lacks a security policy, a dependency list and a valid license
  • Writing clean code
  • Testing the dependencies
  • Throwing exceptions when we are supposed to, instead of swallowing errors and continuing
  • Writing clean and useful error messages
  • Having code reviews
  • Not publishing code that disables security checks, and not consuming software that has such "features" embedded
  • Not turning off the security features of the OS
  • Reading the documentation of what we want to use before trying to use it
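Several of the points above (a validated list of components and sources, knowing where every dependency comes from, pinning exact versions, checking artifacts before they are used) can be enforced mechanically in the build. The script below is an added example written for this page, not code from the original notes or from any particular tool. It assumes a hypothetical lockfile format of one "name==version sha256=... source=..." entry per line, a constructed artifact cache keyed by (name, version), and a constructed allowlist of approved sources; the artifact bytes and digests are made up for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed allowlist of approved download sources (hypothetical URLs).
APPROVED_SOURCES = {"https://pypi.org/simple", "https://internal.example/pypi"}


@dataclass(frozen=True)
class PinnedDep:
    name: str
    version: str
    sha256: str   # digest recorded when the component was validated
    source: str   # where the artifact is allowed to come from


def parse_lock(text):
    """Parse the hypothetical lockfile; refuse entries that are not fully pinned."""
    deps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        spec = fields[0]
        if "==" not in spec:
            raise ValueError(f"line {lineno}: {spec!r} is not pinned to an exact version")
        name, version = spec.split("==", 1)
        kv = dict(f.split("=", 1) for f in fields[1:])
        if "sha256" not in kv:
            raise ValueError(f"line {lineno}: {name} has no sha256 pin")
        deps.append(PinnedDep(name, version, kv["sha256"].lower(), kv.get("source", "")))
    return deps


def verify(deps, artifacts, approved=APPROVED_SOURCES):
    """Return a list of (name, problem) findings; an empty list means the build may proceed."""
    findings = []
    for d in deps:
        if d.source not in approved:
            findings.append((d.name, f"source {d.source!r} not in approved list"))
        blob = artifacts.get((d.name, d.version))
        if blob is None:
            findings.append((d.name, "artifact missing from cache"))
            continue
        actual = hashlib.sha256(blob).hexdigest()
        # Constant-time comparison: the digest is what we are authenticating.
        if not hmac.compare_digest(actual, d.sha256):
            findings.append((d.name, f"sha256 mismatch: expected {d.sha256[:12]}..., got {actual[:12]}..."))
    return findings


# Constructed artifact contents (stand-ins for real wheel files).
GOOD = b"requests-2.31.0 wheel contents (constructed)"
ORIGINAL_URLLIB3 = b"urllib3-2.0.7 wheel contents (constructed)"
TAMPERED_URLLIB3 = ORIGINAL_URLLIB3 + b"\n# injected payload"   # modified after validation

# Constructed lockfile: digests were "recorded" from the validated originals.
LOCKFILE = f"""
# constructed lockfile for the example
requests==2.31.0 sha256={hashlib.sha256(GOOD).hexdigest()} source=https://pypi.org/simple
urllib3==2.0.7 sha256={hashlib.sha256(ORIGINAL_URLLIB3).hexdigest()} source=https://pypi.org/simple
leftpad==1.0.0 sha256={'0' * 64} source=https://random-mirror.example
"""

# Constructed cache of what the build machine actually downloaded.
ARTIFACT_CACHE = {
    ("requests", "2.31.0"): GOOD,
    ("urllib3", "2.0.7"): TAMPERED_URLLIB3,
    # leftpad deliberately absent: never fetched from the unapproved mirror
}


def run_check():
    """Parse the constructed lockfile and verify it against the constructed cache."""
    return verify(parse_lock(LOCKFILE), ARTIFACT_CACHE)


if __name__ == "__main__":
    problems = run_check()
    for name, problem in problems:
        print(f"FAIL {name}: {problem}")
    raise SystemExit(1 if problems else 0)
```

Run in CI before the build step: a non-zero exit blocks the build. Hash pinning catches substitution and tampering between validation and use, but it does not tell you whether the validated release itself was trustworthy; that is where the signed-software point above comes in, with signature verification against a publisher key you trust added on top of the digest check.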

What if we are contributing to open source?

  • Take the list above into consideration and apply it to make the project safer

