It is "vital to establish a strong chain of custody that stretches from the developer through to the production instance. It must be impossible for an unauthorized party to sneak code into your system."

Concrete rules:

- **Version control everything** — there's no excuse not to. But version control handles *only* code, not third-party libraries.
- **Use a private dependency repository.** Downloading dependencies from the Internet is convenient but unsafe — a dependency can be "silently replaced, either through a man-in-the-middle attack or by compromising the upstream repository." Move to a private repo and only admit a library when its **digital signature matches** the upstream provider's published value. Don't forget build-system plugins: Nygard cites an attack introduced via a *compromised Jenkins plugin* aimed at one of the victim's enterprise customers.
- **Never do production builds from developer machines.** "Developer boxes are hopelessly polluted" — games, sketchy sites, slimy browser toolbars. Build production artifacts only on a **CI server**, and have it write the binary into a safe repository nobody else can write to. The same tagged binary that passed the pipeline is what gets laid down on every machine.

The supply chain — dependencies, plugins, build environment — is part of your attack surface, and securing it is a design responsibility, not an afterthought.

---

*Source: [[Release It Second Edition]] (Michael T. Nygard, Pragmatic Bookshelf 2018) — Ch 8 — Processes on Machines*
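The admission rule for the private dependency repository above, sketched as an added example (not code from the book): an artifact enters the repo only if it matches a value pinned from the upstream provider, and anything unpinned is refused. It compares a pinned SHA-256 digest as a stand-in for the signature check the rule calls for; `admit`, `pins`, and the artifact name are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


class AdmissionError(Exception):
    """The artifact must not enter the private repository."""


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def admit(candidate, pins, repo):
    """Copy candidate into repo only if it matches its pinned SHA-256."""
    candidate, repo = Path(candidate), Path(repo)
    expected = pins.get(candidate.name)
    if expected is None:  # fail closed: unpinned artifacts are never admitted
        raise AdmissionError(f"{candidate.name}: no published digest on record")
    fd, staged = tempfile.mkstemp(dir=repo, prefix=".incoming-")
    os.close(fd)
    try:
        # Hash the staged copy so the checked bytes are the published bytes.
        shutil.copyfile(candidate, staged)
        actual = sha256_file(staged)
        if actual != expected.lower():
            raise AdmissionError(f"{candidate.name}: digest mismatch ({actual})")
        target = repo / candidate.name
        os.replace(staged, target)
        return target
    finally:
        if os.path.exists(staged):
            os.remove(staged)


def demo():
    """Constructed sample: a genuine artifact, then a silently replaced one."""
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as inbox:
        lib = Path(inbox, "examplelib-1.0.jar")  # hypothetical artifact name
        lib.write_bytes(b"genuine release bytes")
        pins = {lib.name: sha256_file(lib)}  # stands in for the published value
        admitted = admit(lib, pins, repo).name
        lib.write_bytes(b"replaced in transit")
        try:
            admit(lib, pins, repo)
        except AdmissionError as err:
            return admitted, str(err)
```

In a real pipeline the pins file itself lives in version control, and only the CI server has write access to the repository directory.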