
Socket – Securing Open Source Software Against Supply Chain Attacks With Next-generation Package Analysis


With the advent and ubiquity of the internet, businesses are increasingly relying on digitalization to survive and thrive in today’s business environment. But with the advantages brought by technological advancements, there are problems that these businesses need to contend with. Cybersecurity violation is a significant issue for companies, which can cause much damage. So, to address this problem, Socket launched its cybersecurity platform to help companies protect themselves against software supply chain attacks. These businesses use the cybersecurity platform to protect their software applications and critical services from malware and security threats originating in open-source code.


Feross Aboukhadijeh founded the company in 2021 with the vision of protecting open-source ecosystems for companies. Its focus was on open-source software, which enables teams to build powerful applications in less time and whose code anyone can inspect and contribute to. Aboukhadijeh realized that attackers take advantage of this generally trusting and open community to carry out brazen supply chain attacks. Open-source malware has grown at an unprecedented rate, to the point that concerns circulated about whether open-source software should continue to be used at all.

There are reasons why tried-and-trusted approaches have not worked to protect open source. The security industry has always been preoccupied with scanning for known vulnerabilities, an approach that is too reactive to stop an active supply chain attack: a vulnerability can take weeks or months to be discovered.

In today’s culture of fast development, a malicious dependency can be updated, merged, and running in production in days or even hours. This isn’t enough time for a CVE to be created and make its way into the vulnerability scanning tools that teams use.

Supply chain attacks and vulnerabilities are very different, and they need very different solutions:

⚠️ Vulnerabilities are accidentally introduced by an open-source maintainer. It is sometimes acceptable to ship a low-impact vulnerability to production.

⛔️ Supply chain attacks are intentionally introduced by an attacker. It is NEVER okay to ship malware to production. You must catch it BEFORE you install it or depend on it.

Teams that want to address supply chain attacks currently have two options:

  • Do a full audit – Read every line of code in all dependencies. Very few companies do this, but it is the gold standard for preventing supply chain attacks. It takes a full-time team to manage this process: the audits, the updates, the allowlist, and applying critical security patches. This approach is out of reach for all but the largest companies or the most security-critical applications. It is a lot of work, it is slow, and it is expensive.
  • Do nothing – Cross your fingers and hope for the best. This is the option most teams take. On most teams, any developer can install any dependency to get the job done, and no one even looks at the code in these dependencies before approving the pull request. As you might expect, this approach leaves companies entirely exposed to supply chain attacks.

Neither approach is ideal.


While developing the Wormhole app (an end-to-end encrypted file transfer tool), the company experienced first-hand the challenges of selecting, managing, and updating open-source dependencies amid a constant onslaught of supply chain attacks. This created a dire need for a solution. So the company investigated what attackers actually do once they have compromised a package. Nearly every supply chain attack in the JavaScript ecosystem followed a familiar pattern: once the attacker got control of a package, they added install scripts, network connections, shell commands, filesystem access, or obfuscated code. Others used social engineering, such as typo-squatting. This pointed toward a solution: assume that every open-source package may be malicious and work backward to proactively detect the signs of a compromised package. The company sought the simplest way to mitigate this risk without hurting usability, and set out to help developers use open source safely without sacrificing development speed. Over the following months, Socket came into existence, along with its popular open-source packages.

Socket detects the tell-tale signs of a supply chain attack by statically analyzing open-source packages and their dependencies. It then alerts developers when packages change in security-relevant ways, highlighting events such as the introduction of install scripts, obfuscated code, or the use of privileged APIs such as shell, network, filesystem, and environment variables. For instance, to detect whether a package uses the network, Socket checks whether fetch() or Node's net, dgram, dns, http, or https modules are used within the package or any of its dependencies. If a new version of a package (especially a minor or patch version) adds code that communicates with the network, that is a huge red flag, and Socket reports it as a package issue.
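To make the detection idea above concrete, here is an added example (not Socket's code, and not how Socket is implemented) that diffs the "capabilities" of two versions of an npm package: which npm install hooks it declares, and whether its files pull in fetch() or Node's net, dgram, dns, http or https modules. A minor or patch release that newly gains such a capability is rated critical. The package contents, names and hostnames are constructed for the example; a real analyzer would parse an AST and walk the whole dependency tree rather than scan the package's own files with regular expressions.

```javascript
// Added example (not Socket's code): a toy "capability diff" between two
// versions of an npm package. It flags new install scripts and newly
// introduced network access via fetch() or Node's net, dgram, dns, http and
// https modules, and rates a minor/patch release that gains them as critical.

// Node modules the article names as network-capable (kept to the page's list).
const NETWORK_MODULES = new Set(["net", "dgram", "dns", "http", "https"]);
// npm lifecycle hooks that run arbitrary code at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// require("x"), import("x") and `import ... from "x"` specifiers.
const CALL_SPEC = /\b(?:require|import)\s*\(\s*["']([^"']+)["']\s*\)/g;
const STATIC_IMPORT = /\bimport\b[^;]*?\bfrom\s*["']([^"']+)["']/g;
const FETCH_CALL = /\bfetch\s*\(/;

// "node:dns/promises" -> "dns"; null for specifiers that are not network modules.
function networkModuleOf(spec) {
  const name = spec.replace(/^node:/, "").split("/")[0];
  return NETWORK_MODULES.has(name) ? name : null;
}

// pkg = { manifest: <package.json object>, files: { path: source } }
function detectCapabilities(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const installScripts = INSTALL_HOOKS.filter((hook) => hook in scripts);
  const networkModules = new Set();
  let usesFetch = false;
  for (const source of Object.values(pkg.files)) {
    for (const re of [CALL_SPEC, STATIC_IMPORT]) {
      for (const m of source.matchAll(re)) {
        const mod = networkModuleOf(m[1]);
        if (mod) networkModules.add(mod);
      }
    }
    if (FETCH_CALL.test(source)) usesFetch = true;
  }
  return { installScripts, networkModules: [...networkModules].sort(), usesFetch };
}

// Classify the semver change: "major" | "minor" | "patch" | "none".
function bumpType(prev, next) {
  const a = prev.split(".").map(Number);
  const b = next.split(".").map(Number);
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  if (a[2] !== b[2]) return "patch";
  return "none";
}

// Compare two versions and report the capabilities the newer one gained.
function diffCapabilities(prevPkg, nextPkg) {
  const before = detectCapabilities(prevPkg);
  const after = detectCapabilities(nextPkg);
  const gained = (xs, ys) => ys.filter((y) => !xs.includes(y));
  const report = {
    bump: bumpType(prevPkg.manifest.version, nextPkg.manifest.version),
    newInstallScripts: gained(before.installScripts, after.installScripts),
    newNetworkModules: gained(before.networkModules, after.networkModules),
    newFetch: !before.usesFetch && after.usesFetch,
  };
  const gainedSomething =
    report.newInstallScripts.length > 0 ||
    report.newNetworkModules.length > 0 ||
    report.newFetch;
  // A minor or patch release that suddenly needs install hooks or the
  // network is the "huge red flag" the article describes.
  report.severity = !gainedSomething
    ? "ok"
    : ["minor", "patch"].includes(report.bump) ? "critical" : "warning";
  return report;
}

// Constructed sample: a string helper whose patch release adds a postinstall
// hook that opens an HTTPS connection. Package name and host are placeholders.
const v130 = {
  manifest: { name: "pad-helper", version: "1.3.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => String(s).padStart(n);\n" },
};
const v131 = {
  manifest: {
    name: "pad-helper",
    version: "1.3.1",
    scripts: { test: "node test.js", postinstall: "node setup.js" },
  },
  files: {
    "index.js": v130.files["index.js"],
    "setup.js": "const https = require('node:https');\nhttps.get('https://example.invalid/ping');\n",
  },
};

const sampleReport = diffCapabilities(v130, v131);
console.log(JSON.stringify(sampleReport, null, 2));
```

On the constructed sample the report shows a `patch` bump that gained a `postinstall` hook and the `https` module, so it is rated `critical`. The point of diffing rather than scanning a single version is that a library which has always used the network is expected to; the alarm is a capability appearing where none existed before.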

The customer response to the company's products and services has been stellar. In the two months since its launch, the company has been protecting thousands of organizations and tens of thousands of repositories.

The company's customers are businesses that want to protect themselves from such attacks. Getting protected from supply chain attacks takes just a few minutes: install the company's app.


Message to customers and viewers:

“Open-source libraries are more popular than ever before. With open-source code making up 80-90% of most codebases, it is critical to manage it effectively to reduce an organization’s security risk. Software supply chain attacks have exploded in the past year, and open-source components are increasingly used as vectors. Using third-party dependencies without proper vetting can lead to hacking, breaches, and various security issues. Socket detects supply chain attacks before disaster strikes, preventing security issues caused by open-source code in real time. Socket offers much more than basic vulnerability scanning. By integrating directly into the developer workflow, Socket prevents attacks you don’t expect – malware, hidden code, typo-squatting, and misleading packages. Socket helps developers take charge of the health of their dependencies by telling them what open source they are using, what it is doing (or could do), and which components are at the highest risk. By surfacing security information directly inline in GitHub and other source control systems, developers can avoid security issues before they make it into production.”
