Ask HN: How do you defend against supply chain attacks today?
5 pointsby elric6 hours ago3 comments
  • ggeorgovassilis5 hours ago
    On two levels: architecture and understanding. Architecture: I divide the solution components of my architecture into two groups: the ones where a security breach spills over their scope and the ones where it doesn't. For the first category (eg. network- or user-facing), dependencies will be limited as much as possible, meaning I'll forgo convenience and features. I'll pick LTS or older versions with no known vulnerabilities. The second category is locked up in containers with minimal connectivity, with on-demand run-time schedules. Understanding: depending on risk and importance, I actually check out a dependency's source code and have an AI review it. Then rebuild and self-host.

    Edit: this approach sounds like it could be bundled into a couple of agents.

    • elric5 hours ago
      I wasn't expecting any architectural answers when I asked the question (not that I knew what to expect, hence the question), but I'm adding this one to my list of "why architecture matters".
  • tuananh6 hours ago
    You can setup local proxy registry. set policy for the registry to set cool down period (7-14 days maybe). That will at least limit some of the blast radius
  • ShreyashM175 hours ago
    [flagged]