A supply chain attack is when one or more of the dependencies in your application have been compromised, and some “bad code “is running on your systems and applications that is intended to harm you. These kinds of attacks are becoming more common and more sophisticated.
Most programming environments that offer a form of dependency manager have a locking mechanism in place. The manager allows to specify what kind of version should is used. And stores the version along with a checksum/cryptographic hash in a sometimes-called lockfile.
These lockfiles are essential to keeping applications safe from supply chain attacks. If the remote code changes but the same version number is used, you will get a checksum mismatch.
No matter if you update dependencies by hand or use tools like Dependabot or Renovate. You must review the changes to ensure the functionality is as you expect and the new code does not introduce any malware or obvious bad intentions. Simply updating and not checking is dangerous and circumvents the whole system.
How do you spot bad” intentions? Some ideas:
- the change introduces a new dependency,
- changes to pre/post-install hooks of the dependency manager,
- introduces cryptic code that is unclear
- downloads stuff from the internet all of a sudden.
How often should you update your dependencies?
There are two strong opposing approaches to updating software and dependencies.
The first approach you constantly update everything to stay on the bleeding edge. The second one is you update only when there is a necessity. Otherwise, never touch it.
What is the best way?
It depends on the environment and the company, how many people how many systems and moving parts they have. A good rule of thumb is to keep things up to date “enough,” so it is easy to get it done during an emergency security update. You don’t need to spend days or weeks fixing stuff.
What do you think? Let me know at andy@occamslabs.com
Andreas likes security, enabling teams to ship secure products and coffee.