Protecting applications from malicious or compromised software dependencies.
When building secure software, developers put a lot of effort into defending against attacks from the outside: SQL injection, cross-site scripting, the various denial-of-service techniques, and so on; it is a long list.
We also have to protect against attacks from the inside. A simple import statement or <script> tag that pulls in an external dependency is an open door into the internals of your application: the dependency's code runs with the same privileges as your own. A malicious or compromised dependency is more than a theoretical threat; successful attacks have been documented in the wild.
Despite these threats, it is not practical to build without dependencies, so we need some confidence that the dependencies we pull in are what their authors published. That confidence should come from a simple, automated verification that we can rely on every time we update our dependencies (not updating threatens security too, because known vulnerabilities stay unpatched).
Hancock is a tool designed to solve this problem through end-to-end authentication: the principle that confirming the authenticity of software should be independent of how it is fetched or installed. Whatever registry, mirror, proxy or cache delivered the bytes, the check is the same, because it is made against the artifact itself rather than against the channel it arrived through.
At Beyond Central, we are signing our own code with hancock, and we are running an index that allows hancock to quickly find signed testimony that authenticates software dependencies. The index is free to use for open source software projects.
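As an added illustration of the end-to-end idea, here is example code written for this page, not hancock's code and not its testimony or index format: a verifier that checks downloaded bytes against signed testimony looked up by content digest, so the outcome is the same whichever mirror, proxy or cache delivered the bytes, and a misbehaving index cannot make a bad artifact pass. The Testimony layout, the in-memory index, the trusted-key list and the sample artifacts are assumptions constructed for the example; the signatures are Ed25519 from Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Testimony is a hypothetical record: a publisher's Ed25519 signature over the
// SHA-256 digest of an artifact. This layout is an assumption for the example.
type Testimony struct {
	Digest    [32]byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Index maps content digests to testimony. A real index would be a remote
// service and must be treated as untrusted; here it is an in-memory map.
type Index map[[32]byte]Testimony

// Publish signs an artifact's digest with the publisher's key and records the
// testimony in the index.
func Publish(idx Index, priv ed25519.PrivateKey, artifact []byte) {
	d := sha256.Sum256(artifact)
	idx[d] = Testimony{
		Digest:    d,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// Verify checks the bytes actually received, regardless of where they came
// from: the index must hold testimony for exactly this digest, the signing key
// must be one we trust, and the signature must verify. Trusted keys are hex
// encoded public keys.
func Verify(idx Index, trusted map[string]bool, artifact []byte) error {
	d := sha256.Sum256(artifact)
	t, ok := idx[d]
	if !ok {
		return errors.New("no testimony for this artifact digest")
	}
	if !bytes.Equal(t.Digest[:], d[:]) {
		return errors.New("index returned testimony for a different digest")
	}
	if !trusted[hex.EncodeToString(t.PublicKey)] {
		return errors.New("testimony is signed by an untrusted key")
	}
	if !ed25519.Verify(t.PublicKey, d[:], t.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenario runs four cases and returns the Verify result of each: a genuine
// artifact, a tampered download, an artifact signed by an unknown publisher,
// and forged testimony planted in the index under the trusted key.
func Scenario() (genuine, tampered, untrusted, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	idx := Index{}
	trusted := map[string]bool{hex.EncodeToString(pub): true}

	// Constructed sample artifacts; real ones would be package tarballs.
	artifact := []byte("example-lib v1.3.0 constructed package bytes")
	Publish(idx, priv, artifact)
	genuine = Verify(idx, trusted, artifact)

	// A mirror appends extra bytes: the digest changes, so no testimony matches.
	bad := append(append([]byte{}, artifact...), []byte(" + injected code")...)
	tampered = Verify(idx, trusted, bad)

	// An unknown publisher signs its own release: valid signature, wrong key.
	other := []byte("example-lib v1.3.1 constructed package bytes")
	Publish(idx, rogue, other)
	untrusted = Verify(idx, trusted, other)

	// A compromised index claims the trusted key signed this, but cannot
	// produce a signature that verifies under it.
	fake := []byte("example-lib v1.3.2 constructed package bytes")
	fd := sha256.Sum256(fake)
	idx[fd] = Testimony{Digest: fd, PublicKey: pub, Signature: ed25519.Sign(rogue, fd[:])}
	forged = Verify(idx, trusted, fake)
	return
}

func main() {
	g, t, u, f := Scenario()
	fmt.Println("genuine:  ", g)
	fmt.Println("tampered: ", t)
	fmt.Println("untrusted:", u)
	fmt.Println("forged:   ", f)
}
```

The point to take from the four cases is that only the first passes, and that the transport never enters the decision: the verifier is handed bytes and a lookup, and every failure is detected from the bytes, the trusted-key list and the signature alone.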
Please reach out to learn more about hancock and to get started.