Please leave your details and we'll let you know when it's up and ready to use.
Even simple projects have a way of ballooning quickly and that tendency is amplified by the ease of incorporating existing pieces of code or node libraries.
It is still somewhat manageable when you are the only one writing that code, but it becomes harder when code is written by a number of developers and teams, as is the case normally.
Even the team lead, the one in charge of approving all pull requests, can not know every line of code, every function, and every variable.
That’s one of the reasons the minor code change that took place in the Orion app in late 2020, in the case later known as SolarWinds, went undetected for so long. The entire change was only a few dozen lines of code, and they were very well concealed inside the original class.
The changed product was properly signed, so there was no reason to suspect it, and development teams trusted the owner of the code.
Only recently we’ve learned that NPM had a “logical flaw” that enabled malicious actors to pass off rogue libraries as legitimate. Basically, NPM allowed adding anyone as a maintainer of a package without notifying these users or getting their consent.
This enabled creating malware-laced packages and assigning them to trusted, popular maintainers without their knowledge. A case of misplaced trust could mean a problematic vulnerability hidden in your code.
Another common practice to consider is developers copying and pasting code from existing libraries or StackOverFlow for use in their own code or to reupload to new libraries. Doing that raises the chance of also copying insecure and vulnerable code that is now essentially untracked. Even if the original code will get a CVE and eventually remediation, the problematic function you copied is invisible and could contaminate any codebase that would use it for years to come.
In a recent study conducted at the University of Kansas (“What the Fork? Finding Hidden Code Clones in npm”), the researchers illustrate how using even fully vetted packages can be unsafe.
So, you cannot trust the signed products and updates of vendors. Your very own code might have already been modified or added to, due to all those external libraries and code incorporated into it. What, then, can you do to really be certain you are not installing malicious files into your system?
There are 2 things you can do:
Following new regulations, most people are expected to start using SBOMs in the very near future. The more companies will ask for SBOMs and other attestations, the more organizations and maintainers will have to comply.
Barak Brudo / June 20, 2022