Should we start shaming developers who don't use isolation?
The article discusses the importance of isolating development environments to prevent supply-chain attacks. It argues that developers should be held accountable for not implementing isolation measures, similar to the criticism faced by those using insecure coding practices. The author encourages both individual developers and companies to adopt better security practices, particularly regarding key management.
- Supply-chain attacks are becoming increasingly common due to excessive dependencies in projects.
- Isolating projects can significantly reduce the impact of infected dependencies.
- Developers should be held accountable for not using isolation, similar to those who write insecure SQL queries.
Opening excerpt (first ~120 words):
Should we start shaming developers who don't use isolation?

May 24, 2026. 3 minute read.

Intro

It seems we are seeing supply-chain attacks every other day now. There are two main reasons for this:

1. Projects have too many dependencies. JS projects can easily reach 1000+ transitive dependencies.
2. Projects usually run without any isolation from the rest of the developer's computer, allowing any attack to easily propagate.

Much has been written about the former. It may require the industry to adopt a different mindset, which is always hard. Instead, I want to talk about the latter, which mostly requires technological changes. By isolating projects from each other and from the host computer, you can drastically lower the "blast radius" of an infected dependency. There are various tools available for it.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Evert Heylen.
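To make the excerpt's "blast radius" point concrete, here is an added example (not code from the article or its author) that lists what an install-time script of a dependency inherits when a project runs without isolation from the developer's home directory and environment. The credential file locations and variable names are assumed common defaults, not a list the article gives; in an isolated environment that mounts only the project directory, the same audit returns nothing.

```python
"""Audit the host-side credentials an unisolated dependency install can reach.

Added example, not from the article. Every path and variable name below is
an assumed common default location for developer secrets, not an exhaustive
or authoritative list.
"""
import os
from pathlib import Path

# Assumed common locations of developer credentials, relative to $HOME.
SENSITIVE_RELATIVE_PATHS = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".npmrc", ".pypirc",
    ".aws/credentials", ".config/gh/hosts.yml", ".docker/config.json",
    ".gitconfig", ".netrc",
]

# Assumed environment variable names (or prefixes) that commonly carry tokens.
SENSITIVE_ENV_PREFIXES = ("AWS_", "NPM_TOKEN", "GITHUB_TOKEN", "GH_TOKEN")


def readable_secrets(home: Path) -> list[str]:
    """Return the sensitive files under `home` that the current user can read.

    A postinstall hook runs as that same user, so anything listed here is
    reachable by an infected dependency when nothing isolates the project.
    """
    found = []
    for rel in SENSITIVE_RELATIVE_PATHS:
        candidate = home / rel
        if candidate.is_file() and os.access(candidate, os.R_OK):
            found.append(rel)
    return found


def exposed_env(env: dict[str, str]) -> list[str]:
    """Return the names of environment variables that look like credentials."""
    return sorted(name for name in env if name.startswith(SENSITIVE_ENV_PREFIXES))


def blast_radius(home: Path, env: dict[str, str]) -> dict[str, list[str]]:
    """Summarise what an unisolated install step could read from this host."""
    return {"files": readable_secrets(home), "env": exposed_env(env)}


if __name__ == "__main__":
    # Run against the real home directory to see the current exposure.
    report = blast_radius(Path.home(), dict(os.environ))
    for kind, items in report.items():
        print(f"{kind}: {', '.join(items) or '(none)'}")
```

Running the script inside a sandbox that mounts only the project directory and passes a scrubbed environment is a quick way to confirm the isolation actually removed the host secrets from view.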