7. Analysis: An IT manager says: "We verify the vendor's digital signature on every update we install. This means we are protected against malicious updates." Evaluate this claim. Under what circumstances does code signing protect against malicious updates, and under what circumstances does it not?
Partially correct β but the claim overstates the protection. Code signing protects against: (1) in-transit tampering β if an attacker substitutes a package during download, the signature will be invalid and the package rejected; (2) distribution server compromise β if a package is replaced on the server after signing, the signature will be invalid. Code signing does NOT protect against: (1) build system compromise β if the attacker inserts malicious code before signing, the code is compiled and signed alongside legitimate code; the signature is valid and verification passes (SolarWinds SUNBURST); (2) signing key compromise β if the vendor's private key is stolen, the attacker can sign any package. The correct conclusion: code signing is necessary but not sufficient. Combine it with behavioral monitoring, SBOM, and vendor security assessments.
8. Evaluation: A development team argues that their project is not vulnerable to dependency confusion because "we use a private registry for all our packages." Evaluate this claim. Is a private registry alone sufficient protection against dependency confusion?
Not necessarily sufficient β it depends on package manager configuration. Using a private registry is the right approach, but many package manager defaults check both public and private registries simultaneously and prefer the highest version number regardless of source. In this configuration, an attacker who publishes a package with the same name at a higher version number still wins the resolution, even if a private registry exists.
True protection requires: (1) scope internal package names exclusively to the private registry so they are never resolved from public sources; (2) use namespace prefixes (e.g. @company/package-name) that cannot be claimed on public registries; (3) pre-register internal package names on public registries with benign placeholder packages. A private registry that is not exclusively scoped is a partial defense β useful, but not sufficient on its own.