undefined | Better HN

0 pointsrichbell3y ago0 comments

> So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

I could talk at length about this; unfortunately, I'm on my phone with a shotty connection.

The tl;dr is that companies like Snyk make money by requiring companies to pay to check for vulnerabilities once they've been downloaded. There's not necessarily anything wrong with that, but a philanthropic company could make things significantly safer for everyone if they weren't concerned about making money. Initiatives like the OSSF will hopefully have a positive impact, for this reason.

0 comments

slt20213y ago

You need money to staff people with security knowledge that constantly keeps product up to date with latest malicious signatures in all codebases.

This is why only commercial company can build a great product. The constant cat and mouse game between threat actors and defenders/researchers. Every new malware/trojan/cryptominer strain needs to be found, identified, signature written, and all clients need tk get latest signatures asap, and product has to work flawlessly with as few false positives as possible

richbellOP3y ago

> You need money to staff people with security knowledge that constantly keeps product up to date with latest malicious signatures in all codebases.

Of course; it's just funny to think about how much money gets spent detecting and fixing things downstream instead of fixing it at the source.

j / k navigate · click thread line to collapse