Why HeroDevs Is Not Affected by the Polyfill.io Supply Chain Attack
Understanding HeroDevs' Immunity to the Polyfill.io Supply Chain Attack
Understanding the Threat
In a recent incident, over 100,000 websites that relied on the polyfill.io CDN were compromised. The attack involved malicious JavaScript being served from polyfill.io that redirected mobile users to scam sites. While Cloudflare and Google have put measures in place to rewrite URLs and disable ads on malicious sites, this breach highlights the vulnerabilities in unmaintained open source and third-party services and the need for robust security practices.
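One practical check a site owner can run after an incident like this is an inventory of which pages load scripts or stylesheets from the affected host. The script below is an added example written for this post, not HeroDevs' code: it parses HTML with the standard library, collects every external `<script src>` and `<link href>` reference, and flags those whose host is polyfill.io or any subdomain of it (protocol-relative `//cdn.polyfill.io/...` URLs included). The sample page and the `cdn.example.net` host are constructed for the example; the host list is a parameter so the same check works for any other third-party host you decide to stop trusting.

```python
"""Find <script>/<link> references to polyfill.io in HTML.

Added example (not HeroDevs' code): an inventory check a site owner can run
over their own templates to locate references to a compromised third-party CDN.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames to flag; any subdomain (e.g. cdn.polyfill.io) also matches.
FLAGGED_HOSTS = frozenset({"polyfill.io"})


def _host_of(url: str) -> str:
    """Return the lowercase host of an absolute or protocol-relative URL.

    Relative URLs (same-origin assets such as /static/app.js) yield ''.
    """
    url = url.strip()
    if url.startswith("//"):  # protocol-relative, e.g. //cdn.polyfill.io/v3/...
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def is_flagged_host(host: str, flagged=FLAGGED_HOSTS) -> bool:
    """True if host equals a flagged domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in flagged)


class _RefCollector(HTMLParser):
    """Collects (tag, url) for every script src and link href in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))


def find_flagged_refs(html: str, flagged=FLAGGED_HOSTS) -> list:
    """Return the (tag, url) references whose host is in the flagged set."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return [(tag, url) for tag, url in parser.refs
            if is_flagged_host(_host_of(url), flagged)]


# Constructed sample page (not a real site): one protocol-relative polyfill.io
# script, one https polyfill.io script, and three references that should pass.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_flagged_refs(SAMPLE_HTML):
        print(f"flagged <{tag}> -> {url}")
```

Run it over each template or rendered page in a site; any hit is a reference that should be replaced with a self-hosted copy of the dependency rather than left pointing at a host whose ownership has changed.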
HeroDevs' Robust Security Measures
At HeroDevs, we provide security and continuity for open-source software. Here’s why our customers can rest easy:
- Independent Infrastructure: We host our own source code and do not rely on third-party CDNs like polyfill.io, minimizing the risk of such attacks.
- External Audits: HeroDevs uses independent security firms to conduct penetration testing for our software registry and delivery mechanisms.
- Internal Audits: Our team follows secure software development lifecycle practices, including code signing, least-privilege permissions, enforced code review, two-factor authentication, and other industry best practices, to ensure our software remains secure and up-to-date.
- Security as a Differentiator: HeroDevs leverages our own team’s extensive expertise in software security, as well as industry-leading SBOM and static-analysis tools, to find and fix vulnerabilities before they become public.
- Ecosystem Sustainability: HeroDevs partners with open source software communities to provide ecosystem sustainability. When open source communities partner with HeroDevs, they ensure their users have a reliable source for software packages. When clients use HeroDevs, they can ensure that their software dependencies aren’t at risk of future website or source repository ownership changes.
Commitment to Secure Open Source Software
The polyfill.io incident serves as a reminder of the importance of vigilance in software supply chains, particularly with open source software. At HeroDevs we are committed to secure software development practices and to enabling our clients never to run unsupported open source software again.