Isaac LymanApr 2

I know this is heresy, and I'm not a security researcher, but given the relatively low bar to categorize a CVE as high or critical* and the proliferation of supply chain attacks, I'm starting to wonder if the risks of staying constantly up to date are greater than the risks of letting packages get obsolete.

Thoughts?

*More than half the CVEs I see don't apply to the most mainstream use cases.

#DevOps #security #infosec #cybersecurity

Show threadMalick

@isaaclyman You’re actually hitting on a very real dilemma. It’s not heresy; it’s a survival instinct. With 'Software Supply Chain Failures' (OWASP A03) becoming a top-tier threat, blind updates are genuinely scary.

The problem is the sheer scale we're seeing this year. We’re hit with over 130 new CVEs every single day, and AI-driven reconnaissance has shrunk the window to find an open flank from days to minutes. We’re essentially stuck in a 'Security Paradox': Updating might compromise your supply chain, but staying obsolete makes you a sitting duck for bots that find you in seconds. There’s no easy win anymore I guess 🫠

Apr 2 at 3:53pmWeb
Show threadRyan @ Ansible Games & CDFApr 2
@malick @isaaclyman agreed there are no easy wins. The node package ecosystem is fraught with supply chain risk due to the ease and rapid growth of the tree. Python in a similar problem space. Package maintainers need to invest in reducing the overall depth of the dependency tree (less surface area for attacks) and commercial consumers should be supporting this. Software teams should also be looking at developing more of their own code vs reaching for imports by default (security libs excepted)
Show threadRyan @ Ansible Games & CDFApr 2
@malick @isaaclyman I see it as a responsibility of CTOs, CIOs, and CISOs to be fierce advocates for investing in the dependencies that run the business. The math of shoring up posture before the next supply chain attack easily outweighs the impact of a breach. When industry-wide packages like axios are compromised... hard to argue a commercial consumer shouldn't be using that or could have done anything but upgrade versions more slowly, which is the dilemma you mentioned.
Show threadMalickApr 2
@ansiblegames @isaaclyman u're absolutely right... What you're advocating for is actually becoming a compliance standard. The ISO/IEC 27001 (especially the 2022 revision) explicitly demands top management responsibility and strict control over the ICT supply chain (including software dependencies). It's not just best practice anymore, it's mandatory. Have to run, but great discussion!