HackerTrans
TopNewTrendsCommentsPastAskShowJobs

livealight

no profile record

Submissions

State of the Software Supply Chain (2024)

sonatype.com
1 points·by livealight·2 năm trước·0 comments

Show HN: Kuvastin – An E Ink art piece that displays AI art from Google cal

turunen.dev
5 points·by livealight·3 năm trước·2 comments

The Cyber Resilience Act Threatens the Future of Open Source

devops.com
4 points·by livealight·3 năm trước·0 comments

BOM Doctor: Visualise and Patch Java SBOMS

bomdoctor.sonatype.com
1 points·by livealight·3 năm trước·0 comments

8th State of the Software Supply Chain Report

sonatype.com
1 points·by livealight·4 năm trước·0 comments

Check your gems: RubyGems fixes unauthorized package takeover bug

bleepingcomputer.com
2 points·by livealight·4 năm trước·0 comments

[untitled]

1 points·by livealight·4 năm trước·0 comments

PyPI, NuGet, NPM Flooded with Roblox and Fortnite Spam: Why?

blog.sonatype.com
2 points·by livealight·4 năm trước·0 comments

Log4shell by the numbers- Why did CVE-2021-44228 set the Internet on Fire?

blog.sonatype.com
1 points·by livealight·5 năm trước·0 comments

State of the Software Supply Chain 2021

sonatype.com
15 points·by livealight·5 năm trước·13 comments

Improving Open-Source Software Security for Java Developers

hackernoon.com
1 points·by livealight·5 năm trước·0 comments

comments

livealight
·3 năm trước·discuss
Very neat! Did a similar project with AI generated images. Fun for days with this kind of cheap hardware!
livealight
·3 năm trước·discuss
Thanks! It definitely passed the weekend well - do share if you end up building it!
livealight
·3 năm trước·discuss
It let log4j pass for as long as it was known to be good. Within hours of the CVE opening the tool was blocking it. The purpose of dependency firewalls is to avoid two things: known badly vulnerable packages AND known malicious packages that serve no other purpose than to steal data or drop a trojan. No security is 100% bulletproof, but it's really surprising how much of the damage is done by 7 year old CVEs. Firewalls can be useful in exactly that.
livealight
·3 năm trước·discuss
This exact same sentiment came through in the National Cyber Security Strategy the US released. It describes a minimum acceptable level of software development, called safe harbours, based on e.g. the NIST Secure Development Standards.

Whether we like it or not, it seems legislation is forming on how to code and ship software.

https://www.whitehouse.gov/briefing-room/statements-releases...
livealight
·5 năm trước·discuss
Nexus Lifecycle / Nexus Auditor tends to be useful for this - in absence of a package.json it crawls the raw js files and finds their source. It can help figure out things like embedded jqueries etc. That being said, it has the same limitation as other tools - minification and bundling obfuscates origins and makes it harder to assign identity to the source package.

The only way that I can think of getting around this is to have a hard requirement for a source registry - or asking the premium plugin producers to produce a SBOM like cyclonedx or spdx and evaluate that in lieu.
livealight
·5 năm trước·discuss
insert obligatory node_modules joke here
livealight
·5 năm trước·discuss
Yeah oddly the outcome of MTTU is a maintained transitive tree seems to be a better indicator of security status than any other more complex framework. How to do it effectively is a matter on to itself
livealight
·5 năm trước·discuss
Lift works well - http://lift.sonatype.com
livealight
·5 năm trước·discuss
seems to work now