Dependency Security

Dependency security has always been an important type of attack vectors for computer systems. The antidotes are two in number:

1. audit everything
2. Roll your own

I do not have numbers so this remains an opinion but with the fact that computing systems have massively increased in complexity in mind, it is reasonable to assume that the numbers and topology of dependency trees have grown in size and complexity over time for most software projects. I believe it would not be too difficutlt to find numbers supporting this observation.

Among the ways this manifests itself is the package manager.

npm

Inspired by: How to protect yourself from npm – Timo Tijhof

Installing node packages basically means giving each and every package access to your computer.

Timo here also mentions the fact that Debian/Ubuntu’s apt repos and Mac’s brew repos are peer reviewed, a fact that does not apply to npm packages. This same problem is also mentioned to apply to PyPI (python) and Packagist (composer).

However, it is argued that the scale of npm in sheer numbers make it a larger problem. The tendency for npm packages to have many dependencies, more so than for python and php, is also mentioned. He writes that the average npm package has 86 deps. That is to say the least, extreme.

• We’re drowning | snarfed.org

Antidotes

• Isolation: use containers or VMs
• Reduce number of dependencies we use

For isolation Timo uses his own script to create and dispose of temp docker containers: wikimedia/fresh.

Links

• There is no secure software supply-chain. | John McBride