Snyk and the entire security industry are obsessed with identifying known vulnerabilities. But they all miss the point.
Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered. A malicious dependency can be updated, merged, and running in production in days or even hours.
We need to assume all open source may be malicious and try to proactively detect indicators of compromised packages. A better approach is to detect when dependency updates introduce new usage of risky APIs such as network, shell, filesystem, and more.
Disclosure: I started Socket (https://socket.dev) to help solve open source supply chain security.
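Added example, not the commenter's or Socket's code: a minimal version of the check described above, comparing the old and new source of a package and reporting which risky capabilities (network, shell, filesystem, dynamic code) the update newly introduces. The module list, the regex-based import matching and the two sample package sources are all constructed assumptions for illustration.

```javascript
// Capability tag per Node.js built-in module (constructed list for the example).
const RISKY_MODULES = {
  child_process: 'shell',
  net: 'network', http: 'network', https: 'network', dns: 'network',
  fs: 'filesystem', 'fs/promises': 'filesystem',
};

// Return a sorted, de-duplicated list of capability tags found in `source`,
// e.g. ["network:https", "shell:child_process"]. Matches CommonJS
// require('x') and ESM `from 'x'`; a real tool would walk the AST instead.
function riskyApis(source) {
  const found = new Set();
  const importRe = /(?:require\s*\(\s*|from\s+)['"]([^'"]+)['"]/g;
  for (const m of source.matchAll(importRe)) {
    const mod = m[1].replace(/^node:/, ''); // normalise 'node:fs' to 'fs'
    if (Object.prototype.hasOwnProperty.call(RISKY_MODULES, mod)) {
      found.add(`${RISKY_MODULES[mod]}:${mod}`);
    }
  }
  if (/\beval\s*\(/.test(source)) found.add('dynamic-code:eval');
  if (/\bnew\s+Function\s*\(/.test(source)) found.add('dynamic-code:new Function');
  return [...found].sort();
}

// Capabilities present in the new version but absent from the old one:
// the "new usage of risky APIs" that a dependency-update review should surface.
function newRiskyApis(oldSource, newSource) {
  const before = new Set(riskyApis(oldSource));
  return riskyApis(newSource).filter((tag) => !before.has(tag));
}

// Constructed sample: a tiny string utility before and after an update that
// quietly adds a shell call and an outbound HTTPS request.
const OLD_VERSION = `
const path = require('path');
module.exports = (s, n) => s.padStart(n);
`;
const NEW_VERSION = `
const path = require('path');
const { exec } = require('node:child_process');
const https = require('https');
module.exports = (s, n) => {
  exec('echo updated');
  https.get('https://example.invalid/ping');
  return s.padStart(n);
};
`;

console.log('newly introduced:', newRiskyApis(OLD_VERSION, NEW_VERSION));
```

A regex pass like this only catches plain imports; code that assembles module names at runtime or hides them behind `eval` is why the dynamic-code tags are flagged as a capability in their own right.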