Typosquatting RubyGems laced with Bitcoin-nabbing malware have been downloaded thousands of times A researcher has uncovered malicious packages in the RubyGems repository, one of which was downloaded more than 2,000 times. RubyGems, the standard package manager for Ruby, was studied by threat analyst Tomislav Maljic at ReversingLabs, who highlighted research based on analysing packages submitted to the repository that have …
Do NOT allow outsiders to update your code without first having a sitdown about the associated risks. We don't run any old rpm/apt, we have teams that manage distributions for that. There is no equivalent for gems, eggs, and the like. Which means that you MUST run your own equivalent process.
It also implies that you are running your own "mirror", and that your build system never sees anything except what you allow through it.
Not cheap, but the only way to be secure--at this level of the process. Much more do to at other levels.
The essential problem is that software development is entirely unregulated. Anyone can call themselves a software engineer and they legally become one.
What you get is people with accountancy degrees, art history, etc deciding that they've studied the wrong thing, and they see software development as a possibly lucrative second career option. This is wrong. They have no formal training (everything from binary or logic gates through OO & functional, on to CI/CD and devops) and they simply learn by doing. They've no proper understanding of encryption and not the first clue about computer security.
Why on earth would the doctors who specify what a pacemaker must do and what it is to achieve, the engineers who design it, and the manufacturers who build it all require certification and licencing, and yet the guy that knocks the software up that runs the thing could have been working in McDonald's a week earlier.
Software development should be a restricted profession with minimum educational requirements, and unending professional re-certification and training. Yes, that would make those of us that know what we're doing and why more expensive to hire, however the quality of products would soar. It'd shake out all those people I've worked with that did a week long home study course on javascript before getting their first role in some startup and learning on the job from there.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
