One Article Review

Source GoogleSec
Identifier 8348577
Publication date 2023-06-23 12:03:59 (viewed: 2023-06-23 17:06:55)
Title Supply chain security for Go, Part 2: Compromised dependencies
Text Julie Qiu, Go Security & Reliability, and Roger Ng, Google Open Source Security Team

"Secure your dependencies" is the new supply chain mantra. With attacks targeting software supply chains sharply rising, open source developers need to monitor and judge the risks of the projects they rely on. Our previous installment of the Supply chain security for Go series shared the ecosystem tools available to Go developers to manage their dependencies and vulnerabilities. This second installment describes the ways that Go helps you trust the integrity of a Go package. Go has built-in protections against three major ways packages can be compromised before reaching you:

1. A new, malicious version of your dependency is published
2. A package is withdrawn from the ecosystem
3. A malicious file is substituted for a currently used version of your dependency

In this blog post we look at real-world scenarios of each situation and show how Go helps protect you from similar attac
Sent Yes
Tags
Stories
Rating ★★


The article does not appear to have been picked up after its publication.

The article does not appear to have been taken from an earlier one.