software dependency authentication

Protecting applications from malicious or compromised software dependencies.

Building secure software, developers put a lot of effort defending against attacks from the outside. SQL injections, cross-site scripting, various DoS techniques,… it is a long list.

We also have to protect against attacks from inside. A simple import or <script> of an external dependency is an open door to the internals of your application. A malicious or comprimised dependency is more than a potent theoretical threat, successful attacks have been documented in the wild.

Despite the threats, it’s not practical to build without dependencies. We need some confidence that our dependencies are reliable. It should be a simple, automated verification, that we can rely upon every time we update our dependencies (because not updating threatens security too).

Hancock is a tool designed to solve this problem, through end-to-end authentication, the idea that confirming the authenticity of software should be independent from how it is fetched or installed.

At Beyond Central, we’re signing our own code with hancock. We’re running an index, which allows hancock to quickly find signed testimony that authenticates software dependencies. It’s free to use for open source software projects.

Please reach out to learn more about hancock and get started.