Dear Mr. tech start-up: You've got 7 layers of docker containers that got snatched from some repository, thousands of NPM packages fetching themselves from repositories sketchier than warez sites outta the mid 00s, latest greatest kubernetes, virtualization and paravirtualization, compilation, obfuscation and transpilation, everything is run on someone else's computer running software you can't inspect, and all your traffic is encrypted by default so you can't inspect it, and most of it goes through CDNs so you can't tell where it's going, and you do HTTP2 with all its multiplexing capabilities. So how would you know if some of that code was maybe doing something more than it says on the box?
3 years ago · 👍 warpengineer, defunct, lykso, know, sawv
@lykso When this blows up somehow, I have zero doubt that it is just a question of when we discover the ghost of BonziBuddy hiding somewhere in the ecosystem, everyone will be pointing fingers at everyone else. After all, it's all they can do given the current mentality of "it's fine because everyone is doing it". · 3 years ago
I think there's a significant reliance on working the legal system to shield such companies from liability when their house of cards inevitably collapses on its users. · 3 years ago
@nristen Yeah, I've seen those types of solutions too, may help a bit but still feels like it doesn't come even close to mitigating the risk. The attack surface is absolutely enormous, and all it takes is one broken link for the chain to snap. The entire ecosystem feels extremely sketchy from a security standpoint. Probably recklessness rather than malice that has made it end up that way, but that hardly matters. · 3 years ago
It can easily be a nightmare. At work we use a product that scans docker repositories for vulnerabilities in order to hopefully catch problems before someone at the company tries to use a container. · 3 years ago
you just install istio 😂 · 3 years ago