niros_valtos on Hacker News

More specifically: 1. How do you know if the vulnerable package is called in a way that it can be exploited? For example, if the package has a critical vulnerability in a method "myFunc" but it is never called by your code, it won't be exploitable.

2. How do you know if it is safe to upgrade a package and it won't break changes? For example, if version 1.2.3 has "myFunc(p1,p2)" and it is called by your code, but the vulnerability was fixed in version 1.2.4, which has "myFunc(p1,p2,p3)".

3. What do you do if the vulnerable package is a sub-package of another package used by your code?

6niros_valtos3y ago2

14

Hold the pitchforks. What LastPass did right. (opens in new tab)

(arnica.io)

1niros_valtos3y ago0

15

GitHub Enterprise Cloud customers can access IP addresses for audit log entries (opens in new tab)

(github.blog)

1niros_valtos3y ago0

niros_valtos

Recent submissions

Opengrep – A Fork of Semgrep (opens in new tab)

Show HN: Semgrep rule to identify malicious Python code (opens in new tab)

Show HN: Semgrep Rule That Identifies GitHub Repo Confusion Attack IOCs (opens in new tab)

Cellular Outage Caused by Cyber Attack? Speculations on Social Media (opens in new tab)

The Guide to Building an Efficient CI/CD Pipeline (opens in new tab)

GitHub sends my hardcoded secrets to providers when Secret Scanning is disabled (opens in new tab)

Trying to identify spoofing in GitHub? May the 4th (or 5th) be with you (opens in new tab)

What Is Pippelineless Security? (opens in new tab)

Show HN: GitGoat v2 is released – fake commits with real vulnerable code (opens in new tab)

GitHub finally introduced fine-grained personal access tokens (opens in new tab)

Hardening software development environments 101 (opens in new tab)

NSA's software supply chain security recommendations need some refinement (opens in new tab)

Ask HN: How do you prioritize the update of vulnerable 3rd party packages?

Hold the pitchforks. What LastPass did right. (opens in new tab)

GitHub Enterprise Cloud customers can access IP addresses for audit log entries (opens in new tab)

Recent submissions

Opengrep – A Fork of Semgrep (opens in new tab)

Show HN: Semgrep rule to identify malicious Python code (opens in new tab)

Show HN: Semgrep Rule That Identifies GitHub Repo Confusion Attack IOCs (opens in new tab)

Cellular Outage Caused by Cyber Attack? Speculations on Social Media (opens in new tab)

The Guide to Building an Efficient CI/CD Pipeline (opens in new tab)

GitHub sends my hardcoded secrets to providers when Secret Scanning is disabled (opens in new tab)

Trying to identify spoofing in GitHub? May the 4th (or 5th) be with you (opens in new tab)

What Is Pippelineless Security? (opens in new tab)

Show HN: GitGoat v2 is released – fake commits with real vulnerable code (opens in new tab)

GitHub finally introduced fine-grained personal access tokens (opens in new tab)

Hardening software development environments 101 (opens in new tab)

NSA's software supply chain security recommendations need some refinement (opens in new tab)

Ask HN: How do you prioritize the update of vulnerable 3rd party packages?

Hold the pitchforks. What LastPass did right. (opens in new tab)

GitHub Enterprise Cloud customers can access IP addresses for audit log entries (opens in new tab)