Dependency Confusion 🤔

Feb 12, 2021 9:00 pm

Hey there,


Today I'm going to mix things up a bit. I've been consumed with a bunch of riveting things like tax season and moving to a new bank after finding out mine is closing. I didn't really think banks closed anymore, but there you go!


My attention is focused right now on the little things that teams do habitually that help them succeed, especially when it comes to security.


There's an article going around about a guy who used "typosquatting" as an attack to basically get into almost all of the FAANG companies and more. In a nutshell, he exploited package managers and bad practices around them. The way it works is that he would look through public libraries or GitHub repos for specific clues, like the names of internal packages. Then he would publish a package with the same name publicly. When software needed to pull that package down, the package manager had to choose between the two, and almost every package manager chooses the public one over the internal one.


This simple thing allowed his code to wind up on internal systems all over. Now he did all this with the permission of companies and worked with everyone to resolve the issues.


So what does this have to do with small habits? Well, many developers are quick to pull in libraries and tools to help them with their projects, but the habit that is missing is locking the version number. A frozen version avoids the package manager's confusion about which copy to fetch.


So maybe it'd be a good idea to check around a little and see how many unfrozen dependencies you see floating around your teams.
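If you want to do that check across a few repositories rather than by eye, here is a small scanner, added as an example for this post (it is not code from the newsletter or from the article it refers to). It reads the two manifest formats most teams have lying around, a pip `requirements.txt` and an npm `package.json`, and reports every dependency that is not pinned to an exact version. The sample manifests at the bottom, including the "internal-" package names, are constructed for illustration.

```python
"""Report unpinned ("unfrozen") dependencies in pip and npm manifests.

Added example, not part of the original post. Sample manifests below are
constructed; the package names in them are placeholders.
"""
import json
import re

# pip requirement line: name, optional [extras], then the version specifier.
PIP_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

# npm: only an exact "MAJOR.MINOR.PATCH" (with optional prerelease/build)
# counts as pinned; "^", "~", ">=", "*", "latest" and empty strings are ranges.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def unpinned_pip(requirements_text):
    """Return the names of requirements not pinned with == (or ===)."""
    found = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # skip -r/--index-url/--hash lines
            continue
        line = line.split(";", 1)[0].strip()     # drop environment markers
        match = PIP_LINE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(3).strip()
        if not spec.startswith("=="):            # "==" and "===" are exact pins
            found.append(name)
    return found


def unpinned_npm(package_json_text):
    """Return the names of npm dependencies whose spec is a range, not an exact version."""
    data = json.loads(package_json_text)
    found = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if not EXACT_SEMVER.match(str(spec).strip()):
                found.append(name)
    return found


def report(requirements_text, package_json_text):
    """Combine both scans into one {manifest: [unpinned names]} result."""
    return {
        "requirements.txt": unpinned_pip(requirements_text),
        "package.json": unpinned_npm(package_json_text),
    }


# Constructed sample manifests (not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.25.1
flask>=1.1
internal-billing-client
pyyaml~=5.4 ; python_version >= "3.6"
-r other.txt
"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {
        "express": "4.17.1",
        "lodash": "^4.17.20",
        "internal-auth-sdk": "*",
    },
    "devDependencies": {"jest": "~26.6.0"},
})

if __name__ == "__main__":
    for manifest, names in report(SAMPLE_REQUIREMENTS, SAMPLE_PACKAGE_JSON).items():
        print(f"{manifest}: {len(names)} unpinned -> {', '.join(names) or 'none'}")
```

Run it against your own manifests by reading the files in place of the constructed samples. One caveat worth keeping in mind when you act on the output: pinning a version narrows the window, but a package manager that is still allowed to consult the public registry for an internal name can be offered that exact version there too, so the pin is best paired with telling the package manager where each package is allowed to come from (a scoped or explicit index for internal names) and, where the tool supports it, recording hashes in a lockfile.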


Talk to you next week!


Sincerely,

Ryan Latta
