Snyk and the entire security industry are obsessed with identifying known vulnerabilities. But they all miss the point.
Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered.
A malicious dependency can be updated, merged, and running in production in days or even hours.
We need to assume all open source may be malicious and try to proactively detect indicators of compromised packages. A better approach is to detect when dependency updates introduce new usage of risky APIs such as network, shell, filesystem, and more.
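One way to implement the risky-API check described above, as an added example that is not the author's code or any existing tool: it compares the module imports of two constructed sample versions of a Node.js package and reports the risk categories (network, shell, filesystem, eval) that the update newly introduces. The module-to-category map and the sample sources are assumptions made for the example.

```javascript
// Added example, not code from the original post: flag a dependency update
// that newly introduces risky Node.js APIs (network, shell, filesystem, eval).
// The module-to-category map and the sample sources are constructed.
const RISKY_MODULES = {
  net: 'network', http: 'network', https: 'network', dns: 'network', dgram: 'network',
  child_process: 'shell',
  fs: 'filesystem', 'fs/promises': 'filesystem',
  vm: 'eval',
};

// Collect module names from require('x'), import ... from 'x' and import('x').
function importedModules(source) {
  const re = /(?:require\s*\(\s*|from\s+|import\s*\(\s*)['"]([^'"]+)['"]/g;
  const found = new Set();
  for (const m of source.matchAll(re)) found.add(m[1].replace(/^node:/, ''));
  return found;
}

// Map imported modules to risk categories; eval()/new Function() also count as 'eval'.
function riskCategories(source) {
  const cats = new Set();
  for (const mod of importedModules(source)) {
    if (RISKY_MODULES[mod]) cats.add(RISKY_MODULES[mod]);
  }
  if (/\beval\s*\(|new\s+Function\s*\(/.test(source)) cats.add('eval');
  return cats;
}

// Categories present in the new version but absent from the old one, sorted.
function newRiskyUsage(oldSource, newSource) {
  const before = riskCategories(oldSource);
  return [...riskCategories(newSource)].filter((c) => !before.has(c)).sort();
}

// Constructed sample: v1 only reads the filesystem; v2 adds a shell-out and a network call.
const OLD_SRC = `
const fs = require('fs');
module.exports = () => fs.readFileSync('config.json', 'utf8');
`;
const NEW_SRC = `
import fs from 'node:fs';
import { exec } from 'node:child_process';
import https from 'https';
export default () => { exec('uname'); https.get('https://example.invalid'); return fs.readFileSync('config.json', 'utf8'); };
`;

const introduced = newRiskyUsage(OLD_SRC, NEW_SRC);
console.log(introduced.length ? `review required, new risky usage: ${introduced.join(', ')}` : 'no new risky usage');
```

Run it against the two versions of a package pulled from the registry (for example the lockfile's old and new resolved tarballs) and gate the merge on an empty result or a human review.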
And thanks for the WebTorrent love!