
It took only one DLL, the SolarWinds.Orion.Core.BusinessLayer.dll, to bring so many companies to their knees. To be more precise, just a couple of lines of code in the single DLL.

In today's cloud-native application development, a single microservice (e.g., spring boot jar) can easily be dependent on more than 100 libraries - how can one ensure that none of these libraries are compromised?

schroeder
Nathan Aw
  • That would fall under "supply chain attack", I cannot tell you an answer but that's a good term to do a web search on. – The Fool Feb 10 '21 at 17:02
  • In my opinion, you should audit every single package. If you work for a company there should be a review and approval process for each new dependency. – The Fool Feb 10 '21 at 17:03
  • This is like asking: "an OS consists of 100's of programs and libraries. How to make sure that none of this is compromised". The answer is to a) reduce dependencies if possible b) audit code if possible c) only get libraries from trusted vendors and d) accept that there is still a remaining risk and either accept it or invest more resources into a), b) and c). It's not that different from shopping for groceries - there is always the chance that some food is infected so one usually checks the food, prefers "good" supermarkets - and accepts the remaining risks. – Steffen Ullrich Feb 10 '21 at 17:08
  • It does to a certain degree – Nathan Aw Feb 23 '21 at 00:52
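One concrete control that follows from the "review and approve each dependency" advice in the comments is to pin the digest of every reviewed artifact and fail the build whenever a resolved jar is unreviewed, absent, or no longer matches its pin. The following is an added example, not code from the question or from any build tool; the lockfile line format and the `example.org` coordinates are constructed for the demo, and byte strings stand in for real jars.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed lockfile format (an assumption for this example, not a real Maven or Gradle file):
# one artifact per line, "group:artifact:version sha256=<hex digest of the jar>".
LOCK_LINE = re.compile(r"^(?P<coord>[\w.\-]+:[\w.\-]+:[\w.\-]+)\s+sha256=(?P<digest>[0-9a-f]{64})$")

def parse_lockfile(text: str) -> dict[str, str]:
    """Return {coordinate: expected sha256}; a malformed line fails the build rather than being skipped."""
    pinned = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"lockfile line {n} is malformed: {raw!r}")
        pinned[m["coord"]] = m["digest"]
    return pinned

@dataclass
class Report:
    ok: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)  # digest differs from the pin: tampered or swapped
    unpinned: list = field(default_factory=list)    # resolved into the build but never reviewed or pinned
    missing: list = field(default_factory=list)     # pinned but absent: lockfile and build disagree

    def passed(self) -> bool:
        return not (self.mismatched or self.unpinned or self.missing)

def verify_artifacts(lockfile_text: str, artifacts: dict[str, bytes]) -> Report:
    """Check every resolved artifact (coordinate -> jar bytes) against the pinned digests."""
    pinned = parse_lockfile(lockfile_text)
    report = Report()
    for coord, blob in artifacts.items():
        if coord not in pinned:
            report.unpinned.append(coord)
        elif hashlib.sha256(blob).hexdigest() != pinned[coord]:
            report.mismatched.append(coord)
        else:
            report.ok.append(coord)
    report.missing = sorted(set(pinned) - set(artifacts))
    return report

# Constructed sample: byte strings stand in for jars; other-lib was altered after its digest was pinned.
GOOD_JAR = b"PK\x03\x04 demo-lib 1.0 (constructed, not a real jar)"
BAD_JAR = b"PK\x03\x04 other-lib 2.1 (constructed) plus an injected class"
LOCKFILE = (f"example.org:demo-lib:1.0 sha256={hashlib.sha256(GOOD_JAR).hexdigest()}\n"
            f"example.org:other-lib:2.1 sha256={hashlib.sha256(b'other-lib 2.1 as reviewed').hexdigest()}\n"
            "example.org:unused-lib:0.9 sha256=" + "0" * 64 + "\n")
ARTIFACTS = {"example.org:demo-lib:1.0": GOOD_JAR, "example.org:other-lib:2.1": BAD_JAR,
             "example.org:sneaky-lib:1.0": b"present in the build, absent from the lockfile"}
```

Pinned digests only catch artifacts changed after they were reviewed; they would not have flagged the SolarWinds DLL, which was built and signed by the vendor itself, so this check complements the code review and vendor trust Steffen describes rather than replacing them.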

0 Answers