Background
How modern software updates itself. Auto-updates from untrusted sources or unverified library pulls can be poisoned — the SolarWinds incident was the famous example.
Questions to ask yourself
- Where do our software updates come from? Are they signed?
- Are we using third-party libraries without pinning versions?
- If our deployment pipeline got compromised, would we know?
- Who has rights to push code to production?
For owners — questions to ask your developer
Questions to ask your developer
Supply chain matters — even if you don't write code.
- 01“Are third-party libraries pinned to specific versions, or do we auto-pull the latest? Pinned is safer.”
- 02“Who has the right to push code to production? Is there two-person review on production deploys?”
- 03“Where do our software updates come from, and how do we verify they haven't been tampered with in transit?”