On the technical side of things, Shawn Smith – director of infrastructure at application security provider nVisium – posited that supply-chain attacks are a good argument against auto-updating dependencies, but “this also means that security teams have to monitor and manage them effectively and efficiently,” as he told Threatpost via email on Thursday.

“Any updates to dependencies should be vetted prior to use, and systems should be using version-locked dependencies to prevent CI/CD systems from grabbing the latest updates by default,” he added. “At the same time, security teams should be monitoring to ensure that vulnerabilities are not tainting versions that are being used and advise developers and operations teams as issues arise.”
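The version-locking advice above is easy to state and easy to get subtly wrong: a `==` pin without a hash still lets a compromised index serve different bytes for the same version, and a `>=` or `~=` range lets CI pull whatever was published last night. The following audit script is an added example (not code from the article, Threatpost or nVisium) that checks a pip `requirements.txt` for both conditions so a CI job can fail before installing. It assumes the standard pip requirements syntax (PEP 508 specifiers, backslash continuations, `--hash=` options); the sample files, the `audit_requirements`/`ci_gate` names and the all-zero digests are constructed for illustration.

```python
"""Audit a pip requirements file for dependencies that are not fully locked.

Added example, not from the Threatpost article or nVisium. Two checks:
  1. every requirement is pinned to exactly one version (== or ===,
     no ranges, no wildcards), so CI cannot "grab the latest" by default;
  2. every requirement carries at least one --hash= option, so the
     installed artifact is verified rather than trusted from the index.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    problem: str


# name, optional [extras], then whatever version specifier follows
_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(\[[^\]]*\])?(.*)$")
# one exact version only: rejects ranges (>=, ~=), lists (==1.0,<2) and wildcards (==1.*)
_EXACT_PIN_RE = re.compile(r"^===?\s*[A-Za-z0-9.!+]+$")


def _logical_lines(text: str):
    """Yield requirement lines with backslash continuations joined and comments removed."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        cleaned = re.sub(r"(^|\s)#.*$", "", buf).strip()  # pip: '#' starts a comment at line start or after whitespace
        buf = ""
        if cleaned:
            yield cleaned


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per problem; an empty list means the file is fully locked."""
    findings: list[Finding] = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # -r, -c, --index-url ... are options, not packages
            continue
        tokens = line.split()
        opts = [t for t in tokens if t.startswith("--")]
        req = "".join(t for t in tokens if not t.startswith("--"))  # tolerate "name == 1.0"
        m = _NAME_RE.match(req)
        if not m:
            findings.append(Finding(req, "unparseable requirement (VCS/URL entries need a commit pin and a hash)"))
            continue
        name = m.group(1).lower()
        spec = m.group(3).split(";", 1)[0].strip()  # drop environment markers such as ; python_version<"3.9"
        if not _EXACT_PIN_RE.match(spec):
            findings.append(Finding(name, f"not pinned to one exact version (spec {spec!r})"))
        if not any(o.startswith("--hash=") for o in opts):
            findings.append(Finding(name, "no --hash, index contents cannot be verified"))
    return findings


def ci_gate(text: str) -> bool:
    """True when every dependency is exactly pinned and hash-verified; wire this into the build."""
    return not audit_requirements(text)


# Constructed sample: what a typical "just works" requirements file looks like.
LOOSE_REQUIREMENTS = "\n".join([
    "requests",                     # no specifier at all: newest release wins
    "pyyaml>=5.1",                  # open-ended range
    "cryptography~=41.0",           # compatible-release range, still floats
    "urllib3==2.2.1   # pinned, but no hash",
])

# Constructed sample: the locked form, as pip-compile --generate-hashes would emit it.
# The digests are all-zero placeholders, not real hashes.
LOCKED_REQUIREMENTS = "\n".join([
    "requests==2.31.0 \\",
    "    --hash=sha256:" + "0" * 64,
    "pyyaml==6.0.1 \\",
    "    --hash=sha256:" + "0" * 64,
])


if __name__ == "__main__":
    for label, text in (("loose", LOOSE_REQUIREMENTS), ("locked", LOCKED_REQUIREMENTS)):
        print(f"{label}: {'OK' if ci_gate(text) else 'FAIL'}")
        for f in audit_requirements(text):
            print(f"  {f.package}: {f.problem}")
```

Run with `--require-hashes`-style strictness in mind: pip itself refuses to install a file that mixes hashed and unhashed entries, so the gate here simply moves that failure to the earliest point in the pipeline. The monitoring half of the advice is the complement, not a replacement: a pinned, hashed file freezes a known-vulnerable version just as faithfully as a good one, so the lockfile still needs to be scanned against advisories and re-generated deliberately.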
