A thought on security risks associated with code inheritance and supply chain security risks
The article below highlights a very interesting risk associated with Source Code Management.
https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/?td=rt-3a
This is not the first time that a developer has purposely made changes to code that caused issues with service availability, data integrity, or both.
What sets these two incidents apart from supply-chain compromises such as the recent SolarWinds issue is that, rather than a third party compromising the source code used in a product, in these two cases it is the code owners themselves who purposely made destructive changes.
Key to my message is the criticality of source code management, coupled with testing (e.g. automated regression testing as part of CI/CD). It speaks strongly to the importance of careful analysis of code/package inheritance, especially when working with open-source projects and code.
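One concrete way to put that package-inheritance analysis into a CI pipeline is to diff the freshly generated lockfile against the last reviewed one and block the merge when anything in the inherited tree has moved. The script below is an added example, not code from the post or from any of the projects mentioned; the two package-lock.json objects (v3 "packages" shape), the package names other than node-ipc, and all versions and integrity hashes are constructed sample data.

```javascript
// Constructed sample lockfiles (package-lock.json v3 shape); versions and hashes are illustrative.
const baselineLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.0", integrity: "sha512-BASELINE" },
    "node_modules/some-lib": { version: "2.3.4", integrity: "sha512-LIB" },
  },
};
const currentLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.1", integrity: "sha512-NEWER" },
    "node_modules/some-lib": { version: "2.3.4", integrity: "sha512-LIB" },
    // a transitive package that appeared without anyone adding it to package.json
    "node_modules/node-ipc/node_modules/unexpected-dep": { version: "0.0.1", integrity: "sha512-NEW" },
  },
};

// Index a lockfile as install path -> { version, integrity }; the root entry "" is the app itself.
function indexPackages(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "") out.set(path, { version: meta.version, integrity: meta.integrity });
  }
  return out;
}

// Diff two lockfiles: paths added or removed, and entries whose version or integrity hash moved.
function diffLockfiles(baseline, current) {
  const before = indexPackages(baseline);
  const after = indexPackages(current);
  const added = [...after.keys()].filter((p) => !before.has(p));
  const removed = [...before.keys()].filter((p) => !after.has(p));
  const changed = [];
  for (const [path, meta] of after) {
    const prev = before.get(path);
    if (prev && (prev.version !== meta.version || prev.integrity !== meta.integrity)) {
      changed.push({ path, from: prev.version, to: meta.version });
    }
  }
  return { added, removed, changed };
}

// CI gate: any movement in the inherited tree needs a human review before merge.
function shouldBlockMerge(diff) {
  return diff.added.length > 0 || diff.removed.length > 0 || diff.changed.length > 0;
}

console.log(JSON.stringify(diffLockfiles(baselineLock, currentLock), null, 2));
```

In a real pipeline the baseline is the lockfile committed on the target branch and the current one is regenerated in the job, so a new transitive dependency or a version bump that nobody requested fails the build instead of silently shipping.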
Fun Reading …
If you’ve not read the following article … when you’ve a few minutes and a nice fresh coffee – I’d strongly (like my cheeky use of the HTML <strong> tag there?) recommend reading https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Written in 1984, it resonates as strongly today as it did when I first read it in the late 80s / early 90s!!!
Original Post
This post was originally authored on this blog, you can also see the corresponding LinkedIn Article here – https://www.linkedin.com/pulse/importance-source-code-management-andrew-barnes