The Security Podcast in Silicon Valley: Adopting a Security Mindset in Open Source Development

Socket CEO Feross Aboukhadijeh recently joined host Jon McLachlan of YSecurity.io on The Security Podcast in Silicon Valley, a show that features security entrepreneurs and engineers exploring interesting problems in the industry.

They discussed some of the tech projects Feross worked on before founding Socket and how he became deeply involved in the open source community and passionate about securing massive dependency trees.

Decoding the Security Mindset

This episode captures the essence of what it means to have a security mindset — fueled by the drive to continually uncover the differences between expectation and reality. This practice is an art that movies like the Matrix illustrate in a compelling way.

“Security is a mindset,” Feross said. “Most security people have this devious mind where they always want to figure out how to break things. You see a set of rules and you think, not that I necessarily want to go and exploit these, but what are the exploits there. You just see them because your mind works that way.

“There’s the written rules and the unwritten rules. The written rules are what everybody thinks are the rules of the system, and everybody hopes that those are the rules that are governing things. There’s usually a separate set of rules.

“In the case of computers, you can think of it like the specs are the written rules and the actual code is the unwritten roles, so the code is the actual source of truth for what you’re going to be able to do with the system. But everybody is operating in this realm of ‘here’s how it’s supposed to work,’ but actually if you go look at the unwritten rules, go look at the code, and you find it different, then that’s an exploit or hack.

“Spotting that is what it means to have a security mindset.”

Bringing a Security Mindset to Socket’s Architecture

Feross explained how this mindset of questioning the norm and challenging perceived realities has translated into how Socket’s architecture was designed to apply a critical lens to every dependency that passes through a developer’s workflow.

Within a minute of packages being published to public registries, Socket applies its heuristics using static analysis and employs LLM’s to fully analyze the source code and detect behaviors that are outside the norm. If it’s high enough confidence that the detection is malicious, it gets blocked right away. Flagging malicious packages within minutes of publishing is the fastest possible way to identify attacks and prevent them from affecting developers’ repositories.

This episode also discusses the value of building a developer-first product. Modern development often requires wrangling thousands of dependencies, and developers need tools that secure fast-moving projects from supply chain attacks. Feross described how Socket maintains a tight feedback loop between customer experience and the product.

The malware getting deployed today is far more damaging than most of the vulnerabilities out there, which traditional scanning tools focus on to the exclusion of supply chain attacks. This short 37-minute conversation explores how Socket is working to solve security problems for our users in support of the open source community.

Check out the episode on The Security Podcast in Silicon Valley website or listen to it on Spotify.