Defend your supply chain with automatic quarantine of threats
If you’ve ever installed npm packages to JavaScript projects you doubtlessly have seen the status messages with a list of known vulnerabilities in the terminal output.
With npm, yarn or pnpm providing basic vulnerability information directly from their respective clients, it’s hard to ignore how frequent vulnerabilities have become. A great service and security measure for the millions of daily users that rely on these tools for their projects.
...
added 57 packages and audited 3 packages in 107 s
2 critical severity vulnerabilities
...
But what if you want to block threats before they even enter your supply chain? Maybe you prefer getting automatic notifications with critical issues instead of checking manually? Or, would like to avoid potential security risks that may be critical for certain environments?
And what happens when it’s no longer a developer installing dependencies, but rather an automated environment? A key component of modern security tooling is to make sure threats are actively blocked, and you are notified of issues, even if no human is actively monitoring it.
Whenever a critical vulnerability is detected you may want to take immediate actions. Making sure your teams, environments and business are protected - and your software supply chain can remain secure.
Go ahead to learn how to automatically quarantine unwanted packages from entering your supply chain!
Quarantine in short
Quarantine allows you to automatically block the use of specific packages that surpass security threshold levels, for example packages with serious identified vulnerabilities. While simultaneously highlighting the issue for your teams to address instead of blocking (and hiding) them outright.
This means that Bytesafe gives you a powerful tool to control allowed packages for all developers & systems, all while being very easy to use.
Why use automatic quarantine of problematic packages?
Secure use of open source software is a necessity for modern organizations with cyber attacks becoming more and more of a common occurrence. And it’s more than just an IT problem, with consequences that can potentially impact the whole organization.
At the same time every development team is required to balance productivity with security needs. So security solutions need to protect you while still allowing you to be productive.
Modern security problems require modern tooling. Efficient tooling that highlights potential issues while working within your regular workflow. Tooling like Bytesafe that continuously monitors your packages for issues and helps you stay secure.
Benefits of automatic quarantine of vulnerable packages:
-
Prevent malicious threats with a firewall for your supply chain. Quarantine packages according to your security thresholds. Automatically block the use of known vulnerable packages - while still securely holding the vulnerable version inside your Bytesafe workspace for you to address.
-
Highlight security issues for remediation. Quarantine offers significant advantages to simply blocking packages outright. When a package is held securely within Bytesafe an issue will be created that notifies you of the problem. Allowing your team to easily and quickly remediate any issue and proceed with building awesome applications.
-
Avoid getting overwhelmed with issues - configure your thresholds & rules. Reducing noise to a manageable level is critical for any team. Otherwise notifications of security issues will simply get ignored. With Bytesafe you can customize at what severity level you want packages to be quarantined. You can also decide to avoid quarantine for issues without patch versions solutions available - all to allow you to work efficiently with your supply chain security.
All areas of the development life cycle (test, builds, deploys etc) are increasingly being automated with minimum human interaction. Make sure to keep up and manage open source dependencies securely with the appropriate level of detection and protection from vulnerabilities.
Configurable security thresholds according to your business needs
The Vulnerability and License scanners allow you to define when you want to pull the handbrake and immediately throw a package in quarantine.
Vulnerable open source packages will be blocked from being used in your supply chain. Effectively using Bytesafe as a firewall, with quarantined packaged being restricted from use.
The plugin settings contain additional configuration for when you want a package to be quarantined. When the quarantine feature has been enabled, the default threshold is set to High. This means that packages with a severity level higher or equal to High will be placed in quarantine.
You can also configure to only quarantine packages if they have new patch versions available. Ideal for situations where you would prefer to be notified and not break builds, if there is no quick solution available.
Release a package from quarantine
In situations where you have evaluated the risks with a quarantined package and made an assessment to approve the use package you can easily release packages.
Releasing from the quarantine area means the package version will be flagged as safe to use. The package will be accessible from Bytesafe by all developers and environments.
The activity log of any issues related to this package will also show that the package has been released from the quarantine.
Your code is your business - control your software supply chain
Secure your supply chain, both today and in the future. Get started by enhancing your security with Bytesafe Dependency Firewall today!
Stay up to date with other security related posts. Knowing about potential issues is key to keeping your supply chain secure.
-
The secure by default solution for dependency confusion
-
How issue tracking across your registries helps you get focus on what needs your attention.
