What does HackerNews think of santa?

A binary authorization system for macOS

Language: Objective-C

#25 in macOS
#2 in Swift
#17 in Security
Not directly relevant but interesting...

https://github.com/google/santa

This is a product developed by Google that has at least been utilized internally to some extent. It's not perfect, but my previous company used it and it does prevent unexpected unknown code from running in the background.

What it does not do is prevent someone from intentionally downloading and executing a library unless the upvoter actually comes to some demand that you do so. I found that it quickly became a bit of an "alert fatigue" where you approve things your coworkers send you so they can get back to work without properly vetting.

This isn't what you asked for, but one of the systems that Google uses internally has a system to report the hash of every executable launched and block executables it isn't aware of.

A binary authorization system for macOS https://github.com/google/santa

> Infostealers for Mac are a thing (Uber is a mac heavy shop I hear)

Block unknown executables on company machines. Google developed Santa to protect themselves: https://github.com/google/santa

> and that's all it takes to steal cookies and tokens post-mfa,

Make post-MFA cookies and tokens short-lived. Require MFA re-authentication at least daily.

> or why even bother with that, if you're running code just make it a reverse shell.

All outbound connections should be strictly monitored, especially from production servers, which should have no ability to connect to the Internet at all. With modern dependency management, that's harder for build servers, but still doable.

> Install and configure Google’s Santa.

Interesting, I'd never heard of this before. "A binary authorization system for macOS". Open source.

https://github.com/google/santa

https://github.com/google/santa is used to whitelist binaries on Macs, but you can fill out a form to instantly opt out. One of the options for why is "I use a package manager".
In practice it's much easier to just trust well-known developers by whitelisting their code-signing certificates.

You could still get owned, of course, but the benefit here is that you're excluding everything not explicitly whitelisted, including drive-by downloads, crap on portable devices or random programs downloaded off the internet that someone thinks will solve their problem of the day.

When people do not code-sign their software every software update is painful. At work, where we run https://github.com/google/santa, it frequently happens that companies with code-signed software forget to code-sign their auto-updater, or random binaries that run during installation. Most of the time the application crashes/hangs during the update (because some pieces weren't allowed to run), only to remind you to update the software again when you restart the application.

This could have been prevented by hosting downloads on a reputable site (GitHub), instead of the developer's own PHP backend.

Software like https://github.com/google/santa can help, especially if you're doing IT in a large enterprise.

The feed used by the software's autoupdate framework (Sparkle) was signed, so that would've prevented bad downloads through autoupdate.

https://github.com/google/santa seems like it takes this approach. Gives an enterprise the ability to decide which signed certs it wants to trust and then block everything else unless it gets vetted.
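The trust model the comments above describe (allow-list signing certificates, block everything else, but still be able to pin or block an individual binary) can be shown as a small decision routine. This is an added illustration, not Santa's own code: it mirrors Santa's documented rule precedence (a rule on the binary's SHA-256 wins over a rule on its signing certificate; with no rule, LOCKDOWN mode blocks and MONITOR mode only logs). All hashes below are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Policy:
    """Toy Santa-style policy: rules keyed by binary hash or certificate hash."""
    mode: str = "LOCKDOWN"  # "LOCKDOWN" blocks unknown code; "MONITOR" only logs it
    binary_rules: Dict[str, str] = field(default_factory=dict)  # sha256 -> ALLOW/BLOCK
    cert_rules: Dict[str, str] = field(default_factory=dict)    # cert sha256 -> ALLOW/BLOCK

    def decide(self, binary_sha256: str, cert_sha256: Optional[str]) -> Tuple[str, str]:
        """Return (decision, reason); decision is "ALLOW" or "BLOCK"."""
        # 1. A rule on the exact binary beats any certificate rule, so one
        #    known-bad build from an otherwise trusted vendor can still be blocked.
        if binary_sha256 in self.binary_rules:
            return self.binary_rules[binary_sha256], "binary rule"
        # 2. Fall back to the signing certificate ("trust well-known developers").
        #    Unsigned code, such as a vendor's forgotten auto-updater, has no
        #    certificate to match and falls through to the default.
        if cert_sha256 is not None and cert_sha256 in self.cert_rules:
            return self.cert_rules[cert_sha256], "certificate rule"
        # 3. No rule at all: the enforcement mode decides.
        if self.mode == "LOCKDOWN":
            return "BLOCK", "no rule (lockdown)"
        return "ALLOW", "no rule (monitor, logged only)"

# Constructed placeholder hashes for the walk-through; not real digests.
VENDOR_CERT = "cert-aaaa"           # hypothetical trusted vendor certificate
GOOD_APP = "bin-1111"               # signed by VENDOR_CERT
BAD_BUILD = "bin-2222"              # also signed by VENDOR_CERT, explicitly blocked
UNSIGNED_UPDATER = "bin-3333"       # vendor forgot to sign its updater
RANDOM_DOWNLOAD = "bin-4444"        # unsigned drive-by download

def build_policy(mode: str = "LOCKDOWN") -> Policy:
    return Policy(mode=mode,
                  binary_rules={BAD_BUILD: "BLOCK"},
                  cert_rules={VENDOR_CERT: "ALLOW"})

def run_walkthrough(mode: str = "LOCKDOWN") -> Dict[str, str]:
    """Evaluate the four sample executables and return name -> decision."""
    policy = build_policy(mode)
    cases = {"good_app": (GOOD_APP, VENDOR_CERT),
             "bad_build": (BAD_BUILD, VENDOR_CERT),
             "unsigned_updater": (UNSIGNED_UPDATER, None),
             "random_download": (RANDOM_DOWNLOAD, None)}
    return {name: policy.decide(b, c)[0] for name, (b, c) in cases.items()}

if __name__ == "__main__":
    for mode in ("LOCKDOWN", "MONITOR"):
        print(mode, run_walkthrough(mode))
```

Note that in LOCKDOWN the unsigned updater is blocked exactly as the comment about crashing updates describes, while MONITOR would let it run and only record the event.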