How does your company manage open-source dependencies?
3 points by ddadon10 on Oct 25, 2022 | 1 comment
I am reading more and more about software supply chain security[1][2] and wondering how companies are managing open-source dependencies, especially big corp.

Eg:

- Can you just install any dependency without an audit?

- Does top management take those issues seriously?

- Do you have some horror stories to share? (outside Log4j of course)

Would love to have some insight on that, and the company size (number of employees, etc.).

[1]: https://slsa.dev/

[2]: https://securityscorecards.dev/



2 engineers at a 4-person startup; we have a list of licenses: the lawyers and auditors told us which licenses are allowed, but then we rely on the community to police itself for vulnerabilities.

I would find myself frustrated by any process involving a security team review; the savings are enormous and the scary parts of this problem haven't manifested nearly enough to justify the additional overhead involved.
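A license allow-list gate of the kind this comment describes, as an added example that is not the commenter's code: the allowed SPDX identifiers and the CycloneDX-style SBOM fragment are constructed for illustration, and the expression handling covers only flat `OR`/`AND`.

```python
# Added example: gate dependencies on a license allow-list read from an SBOM.
# Both the allow-list and the SBOM below are constructed, not taken from a real project.
import json

# Assumed policy: SPDX identifiers a (hypothetical) legal review approved.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed SBOM fragment in CycloneDX JSON shape (components with licenses).
SAMPLE_SBOM = json.loads("""
{
  "components": [
    {"name": "requests", "version": "2.28.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "dual-licensed-lib", "version": "0.0.1",
     "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    {"name": "strictcopyleft", "version": "1.2.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "mystery", "version": "9.9.9"}
  ]
}
""")

def _expression_ok(expr, allowed):
    """Evaluate a flat SPDX expression: OR passes if one side is allowed,
    AND passes only if every side is allowed. Parentheses are not handled."""
    if " OR " in expr:
        return any(_expression_ok(p, allowed) for p in expr.split(" OR "))
    if " AND " in expr:
        return all(_expression_ok(p, allowed) for p in expr.split(" AND "))
    return expr.strip() in allowed

def check_licenses(sbom, allowed=ALLOWED_LICENSES):
    """Return [(name, version, reason)] for components that fail the gate.
    A component with no license data fails closed: unknown is not allowed."""
    findings = []
    for comp in sbom.get("components", []):
        ident = (comp.get("name"), comp.get("version"))
        entries = comp.get("licenses") or []
        if not entries:
            findings.append((*ident, "no license declared"))
            continue
        for entry in entries:
            expr = entry.get("expression") or entry.get("license", {}).get("id", "")
            if not _expression_ok(expr, allowed):
                findings.append((*ident, f"license not allowed: {expr or '?'}"))
    return findings

if __name__ == "__main__":
    for name, version, reason in check_licenses(SAMPLE_SBOM):
        print(f"{name}@{version}: {reason}")
```

This check covers only the license policy the comment mentions; the vulnerability side it leaves to "the community" would need a separate source such as the Scorecard data linked in the question.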
