Maya Kaczorowski
Product @Tailscale. I love puzzles almost as much as ice cream. All opinions my own. she/her @MayaKaczorowski@infosec.exchange
Dec 26, 2020 53 tweets 12 min read
Some observations on the SolarWinds supply chain attack, now that I'm all caught up!
Just a rundown of what I learned - citations included, all opinions my own 😄 /1 (If you're looking for an overview of the situation, check out this 101: , a more detailed article: krebsonsecurity.com/2020/12/solarw… or get all the deets in the original FireEye blog: fireeye.com/blog/threat-re….) /2
Dec 8, 2020 8 tweets 2 min read
What's relevant to security? You should read the ✨awesome 30-page security report✨ but here's what caught my eye:

65-94% of active repos rely on open source software. The variance is by ecosystem, but basically, your code is more someone else's than your own. /1 Even though you might have a small number of direct dependencies, you likely have a HUGE number of transitive (indirect) dependencies.

A JavaScript repo has a median 683 transitive dependencies! /2
Jun 12, 2020 18 tweets 3 min read
TL;DR: Security folks - consider using allow/denylist instead of white/blacklist, and just allow/deny when it's a verb or in the UI.

Read on for more observations... I initially failed to explain why you should consider replacing white/blacklist.

(1) It's implicitly biased language - based on the colour, you know what's "good" and "bad". Though the etymology is not racist, it promotes implicit bias.
Dec 17, 2019 15 tweets 3 min read
So, earlier today, Google published a whitepaper on 🌟BeyondProd🌟, about how Google does cloud-native security. Here’s a summary thread /1 As much as you’ve been asked “what is cloud-native?”, I’ve been asked “how do I secure it?”. Google deploys billions of containers a week, and does so securely /2