2 Lenses for Examining the Safety of Open Source Software
darkreading.com
Open source repositories — such as Python's PyPI, the Maven Java repository, and the Node Package Manager (npm) for JavaScript — typically have a skeleton crew of engineers and volunteers to manage and secure the infrastructure. The volume of malicious users and projects being created on these platforms every day is fast outpacing security review teams' capacity to keep up.
The focus on the security of repositories mirrors the increasing attention that the software supply chain has garnered from attackers, says Tim Mackey, head of software supply chain risk strategy at software integrity firm Synopsys.
"If I'm an attacker, and I want to go and compromise, say, a JavaScript application, or a Python application at scale, then the best way for me to do that is to somehow gain control over meaningful elements of the repository," he says. "So, if I'm a development ...
Copyright of this story solely belongs to darkreading.com.