
Update: Vulnerable Dependency Management Cheat Sheet with Dependency Confusion

Open righettod opened this issue 3 years ago • 7 comments

What is missing or needs to be updated?

I have found this post about Dependency Confusion attack and I think that it can be interesting to add a section about protection against this attack in the Vulnerable Dependency Management Cheat Sheet.

How should this be resolved?

I propose to add a small section showing some protections that can be applied.

Thanks a lot in advance and also thanks a lot for your amazing work on this project ❤️

righettod avatar Apr 25 '21 06:04 righettod

Hey @righettod good idea. Do you want to add it?

mackowski avatar Apr 26 '21 10:04 mackowski

Hello Dominique! This cheatsheet would definitely benefit from an update. We should probably discuss at least 2 different types of /Dependency Confusion/ attacks such as (1) Typosquatting and (2) Squatting on names of future package versions of packages that no longer exist.

We would be thrilled if you have time to add a section on this material! I also encourage your students to send us PRs when they see any mistakes!

Aloha, Jim

jmanico avatar Apr 27 '21 13:04 jmanico
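A defender-side manifest check for the two naming risks named in the comment above (typosquatted names, and internal names that a public index could shadow with a higher version), as an added example that is not part of the issue thread or the cheat sheet; the package names, allowlist and requirements file are constructed:

```python
"""Added example (not the cheat sheet's own code): audit a requirements.txt-style
manifest for typosquat-like names and unpinned internal packages."""
import re

# Constructed sample data: names an organisation publishes to its private index.
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}
# Constructed allowlist of public packages the organisation has vetted.
KNOWN_PUBLIC = {"requests", "urllib3", "cryptography"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names one typo away from a known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirement(line: str):
    """Return (normalised_name, pinned_version_or_None) for a 'name==1.2.3' line."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?", line)
    if not m:
        return None
    # Normalise '-', '_' and '.' the way package indexes do, so lookalikes compare equal.
    return re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)

def audit(manifest: str) -> list[str]:
    """Return one finding per risky line; an empty list means nothing was flagged."""
    findings = []
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_requirement(line)
        if not parsed:
            continue
        name, version = parsed
        if name in INTERNAL_PACKAGES:
            if version is None:  # an unpinned internal name lets a higher public version win
                findings.append(f"{name}: internal package unpinned, public index could shadow it")
            continue
        if name in KNOWN_PUBLIC:
            continue
        near = [k for k in INTERNAL_PACKAGES | KNOWN_PUBLIC if edit_distance(name, k) == 1]
        if near:
            findings.append(f"{name}: one edit away from {near[0]} (possible typosquat)")
        else:
            findings.append(f"{name}: not on the vetted list")
    return findings

SAMPLE_MANIFEST = """# constructed sample requirements.txt
requests==2.31.0
acme-auth
acme-billing==1.4.0
requets==2.31.0
"""
```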

I'm eager to see this work done

jmanico avatar May 12 '21 13:05 jmanico

Hello @jmanico and @mackowski

Thanks a lot for the feedback about this proposal.

Unfortunately, I'm very busy on the MSTG and OSHP projects so it will not be possible for me to work on this task.

I apologize again for declining.

Thanks again for your work on this amazing project 💯

righettod avatar May 15 '21 07:05 righettod

Hey @righettod @jmanico - I have some independent study time where I'll be focusing on dependency management in the next couple of weeks - I can pick this up (and of course if anybody else wants to collaborate/help!). I have a lot of resources that would be of use to this section.

nekosoft avatar Dec 18 '22 12:12 nekosoft

Awesome! @nekosoft I will assign this issue to you and feel free to create a PR for this! We will help, do not worry :)

mackowski avatar Dec 20 '22 09:12 mackowski

@nekosoft, are you still interested in making a small PR?

mackowski avatar Jun 13 '23 12:06 mackowski