add feedback, thanks ryan and lance

Anton Livaja 2025-06-11 01:55:36 -07:00
parent ecd7ce19f1
commit 096a7b4c71
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 13 additions and 10 deletions


@ -1,6 +1,6 @@
---
layout: post
title: Package Managers - How To Install Malware On Your Systems
title: Package managers - malware delivery as a service
date: 2025-04-02
---
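Review bot: The new `title:` line is in sentence case ("Package managers - malware delivery as a service"), while the section headings elsewhere in this file, such as "## Review All The Code...", are in Title Case. Pick one convention and apply it to both. Separately, the front matter `date:` stays at 2025-04-02 although this revision changes what the post claims, so consider adding an updated date or a short revision note.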
@ -56,9 +56,9 @@ run installation lifecycle scripts, which run under user permissons. Many attack
rely on this, and simply run arbitrary code on the user's machine when they
install a given package. Unfortunately because privilege escalation attacks are
often fairly simple to do, the risk is exacerbated. The other common way that
packages can compromise a target if by modifiying the flow of regularly invoked
packages can compromise a target is by modifiying the flow of regularly invoked
functions to perform additional actions or entirely change the expected
behavior of software. Typing "npm malware" or "pypi suppl chain attack" will
behavior of software. Typing "npm malware" or "pypi supply chain attack" will
yield seemingly endless results but here are some "fun" highlights just from
this year so far:
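Review bot: The replacement line "packages can compromise a target is by modifiying the flow of regularly invoked" fixes "if" but still carries the typo "modifiying"; change it to "modifying" while the line is being touched. The paragraph's first line, visible in the hunk header, also has "permissons" for "permissions", which could be fixed in this pass.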
@ -78,9 +78,10 @@ actors. In fact, in some cases attackers will purchase a library or use an
expired domain to take over a library that is already widely used, to attack
its unexpecting users, as was the case in the [attack via the `event-stream`
package](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble) in 2018, but many similar attacks have occured
since ([ref 1](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble). Our co-founder and security engineer Lance
Vick performed an attack to illustrate how easy it can be to compromise a library
by [purchasing a domain which allowed him to control the `foreach` npm package](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble).
since ([ref 1](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble)). Our co-founder and security engineer Lance
Vick showed that an attack could be performed to illustrate how easy it can be
to compromise a library by [purchasing a domain which could allow control the
`foreach` npm package](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble).
## Review All The Code...
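Review bot: The rewritten sentence about the `foreach` package is missing a word ("could allow control the `foreach` npm package" should read "control of") and its opening is circular: "showed that an attack could be performed to illustrate how easy it can be". Something like "Vick showed how easy it can be to compromise a library by purchasing a domain which could allow control of the `foreach` npm package" says the same thing with the softened claim intact. The `event-stream` link, "ref 1" and the `foreach` link all point to the same archived techtarget URL, so the latter two references likely need their own targets. "occured" in the unchanged line above should be "occurred".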
@ -94,8 +95,9 @@ own and in every supply-chain dependency. Only once this exhaustive review is
complete can we meaningfully claim the software is reasonably secure. Todays
typical 12-week audit windows, however, fall dramatically short of the time
required to manually vet millions of lines of code, exposing a fundamental gap
in our security assurance process. If an organization chooses to just use SAST,
it should not be surprised when it gets compromised by a supply chain attack.
in our security assurance process. If an organization chooses to only use SAST
and monitoring solutions, it should not be surprised when it gets compromised
by a supply chain attack.
## Summary
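Review bot: The closing sentence now names "SAST and monitoring solutions", but the Summary bullet later in this file still reads "SAST is a feel good measure that is not sufficient for ensuring code security" and says nothing about monitoring. Either extend that bullet to match or say in this paragraph what kind of monitoring is meant, since the term is introduced here without explanation. The context line "Todays typical 12-week audit windows" is missing its apostrophe ("Today's").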
@ -109,10 +111,11 @@ given a long enough time horizon.
* SAST is a feel good measure that is not sufficient for ensuring code security.
* If it can be done with the standard language library avoid adding dependencies.
* If it can be done with the standard language library, avoid adding
dependencies.
* Evaluate cost of using third party libraries based on how much it costs to
review them rather than assigning them cost of $0 as they are free to use.
review them rather than assigning them cost of $0 as though they are free to use.
* Consider donating to maintainers of your most important third party
dependencies, both for development, and to pay for security assessments.
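Review bot: The reworded bullet "review them rather than assigning them cost of $0 as though they are free to use" still lacks articles ("Evaluate cost", "assigning them cost") and reads awkwardly. Consider "Evaluate the cost of using third-party libraries by what it costs to review them, rather than treating them as costing $0." In the same list, "third party" used as an adjective should be hyphenated in both bullets, and "feel good measure" should be "feel-good measure".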