Security
Jul 3, 2024

Why HeroDevs Is Not Affected by the Polyfill.io Supply Chain Attack

Understanding HeroDevs' Immunity to the Polyfill.io Supply Chain Attack
Why HeroDevs Is Not Affected by the Polyfill.io Supply Chain Attack

Understanding the Threat

In a recent incident, over 100,000 websites that relied on the polyfill.io CDN were compromised. The attack involved malicious JavaScript being served from polyfill.io which would redirect mobile users to scam sites. While Cloudflare and Google have put measures in place to rewrite URLs and disable adds on malicious sites, this breach highlights the vulnerabilities in unmaintained open source and third-party services and the need for robust security practices.  

Herodevs' Robust Security Measures

At HeroDevs, we provide security and continuity for open-source software. Here’s why our customers can rest easy:

  1. Independent Infrastructure: We host our own source code and do not rely on third-party CDNs like polyfill.io, minimizing the risk of such attacks.
  2. External Audits: HeroDevs uses independent security firms to conduct penetration testing for our software registry and delivery mechanisms.
  3. Internal Audits: Our team follows secure software development lifestyle practices with code signing, least access principle permissions, review enforcement, two-factor access, and other industry best practices to ensuring our software remains secure and up-to-date.
  4. Security as a Differentiator: HeroDevs leverages our own team’s extensive expertise in software security, as well as industry-leading SBOM and static-analysis tools to find and fix vulnerabilities before they are public.
  5. Ecosystem Sustainability: HeroDevs partners with open source software communities to provide ecosystem sustainability.  When open source communities partner with HeroDevs, they ensure their users have a reliable source for software packages.  When clients use HeroDevs, they can ensure that their software dependencies aren’t at risk of future website or source repository ownership changes.

Commitment to Secure Open Source Software

The polyfill.io incident serves as a reminder of the importance of vigilance in software supply chains, particularly with open source software. At HeroDevs we are committed to secure software development practices and to enable our clients to never run unsupported open source software again.

. . .
Article Summary
Learn why HeroDevs is unaffected by the recent Polyfill.io supply chain attack. Discover our robust security measures, independent infrastructure, and commitment to secure open source software.
Author
Greg Allen
Chief Product Officer
Related Articles
HeroDevs Named Inaugural Partner for Drupal 7 Extended Security Support Provider Program
Ensuring Security and Compliance for Drupal 7 Beyond Its Official End-of-Life
HeroDevs Addresses Three CVEs in Unsupported Bootstrap
Addressing CVE-2024-6484, CVE-2024-6485, and CVE-2024-6531
HeroDevs Authorized as CVE Numbering Authority by the CVE Program
HeroDevs Achieves CVE Numbering Authority Status: Solidifying Commitment to Cybersecurity and Sustainability