Background
How modern software updates itself: auto-updates fetched from untrusted sources, or third-party libraries pulled in without verification, can be poisoned.
Questions to ask yourself
- Where do our software updates come from? Are they signed?
- Are we using third-party libraries without pinning versions?
- If our deployment pipeline got compromised, would we know?
- Who has rights to push code to production?
What you can do today
Three habits
Software you trust is software an attacker would like to compromise.
- 01 Pin third-party library versions; don't auto-pull the latest.
- 02 Limit who can deploy code. Require two-person review on production deploys.
- 03 If you write code, sign your releases. If you don't, ask vendors how they sign theirs.
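Habits 01 and 03 become concrete when the pin includes a content digest and the build refuses artifacts that do not match it. The script below is an added example, not part of the original checklist: it parses a pip-style requirements file, flags dependencies that are not pinned to an exact version or that carry no `--hash` entry, and verifies an artifact's bytes against the pinned digest. The requirements lines and the artifact bytes are constructed for illustration; the digest in the sample file is computed from those constructed bytes so the example runs offline.

```python
"""Audit a pip requirements file for unpinned dependencies and verify a
downloaded artifact against its pinned digest.

Added example; the requirements text and artifact bytes are constructed
for illustration and are not from any real project."""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field

# "name", optional comparison operator, optional version.
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<op>==|>=|<=|~=|>|<)?\s*(?P<ver>[^\s;]*)")
# --hash=sha256:<hex>, as pip writes it in hash-checking mode.
HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


@dataclass
class Requirement:
    name: str
    operator: str | None
    version: str
    hashes: list[tuple[str, str]] = field(default_factory=list)

    @property
    def pinned(self) -> bool:
        """Only an exact '==' pin stops the resolver from floating to a newer release."""
        return self.operator == "=="


def parse_requirements(text: str) -> list[Requirement]:
    """Parse requirements text: drop comments, join backslash continuations,
    skip option lines (-r, --index-url, ...), and collect hashes per package."""
    logical: list[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())

    reqs: list[Requirement] = []
    for entry in logical:
        if entry.startswith("-"):
            continue
        m = PIN_RE.match(entry)
        if not m:
            continue
        reqs.append(Requirement(m["name"], m["op"], m["ver"], HASH_RE.findall(entry)))
    return reqs


def audit(reqs: list[Requirement]) -> list[str]:
    """Return one finding per missing pin and per missing hash."""
    findings = []
    for r in reqs:
        if not r.pinned:
            findings.append(f"{r.name}: not pinned to an exact version ({r.operator or 'any'} {r.version})")
        if not r.hashes:
            findings.append(f"{r.name}: no --hash, artifact integrity is not checked")
    return findings


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """True only if the bytes match one of the digests pinned for this package."""
    for alg, digest in req.hashes:
        if alg not in hashlib.algorithms_available:
            continue
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, digest):
            return True
    return False


# Constructed sample input: a stand-in for a downloaded wheel and a
# requirements file that pins it by digest.
ARTIFACT = b"constructed wheel contents for the example"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = f"""\
# constructed requirements.txt
requests==2.31.0 \\
    --hash=sha256:{ARTIFACT_SHA256}
numpy>=1.20        # floating lower bound: any newer release is accepted
flask              # no pin at all
"""

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for finding in audit(reqs):
        print("FINDING:", finding)
    print("artifact matches pin:", verify_artifact(ARTIFACT, reqs[0]))
    print("tampered artifact matches pin:", verify_artifact(ARTIFACT + b"\x00", reqs[0]))
```

Run in CI against the real lock file, the audit fails the build on any finding, and `verify_artifact` is the same check pip performs when `--require-hashes` is in effect; `hmac.compare_digest` is used so the comparison does not leak timing information about the expected digest.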