February 6, 2024
Socket CEO Feross Aboukhadijeh was recently a guest on the CyberBytes podcast with host Steffan Foley where they discussed open source software and common mistakes companies make when it comes to supply chain security.
Feross highlighted the pressure developers face to ship features rapidly, often without full awareness of the open source code they are utilizing. Security teams don’t want to impede developers moving fast but at the same time are struggling with the challenge of securing massive dependency trees, which are frequently comprised of thousands and thousands of dependencies — source code that almost nobody reads.
The inspiration for Socket came from Feross’ experience creating the Wormhole app with more than 1,000 dependencies. He interviewed more than 40 CISO’s about how they vet their open source dependencies for supply chain attacks and found that most were still tethered to traditional SCA tools that only catch known vulnerabilities. It’s for this reason Socket was designed to drill down into the code of each dependency and analyze it for malicious behavior.
This podcast episode explores the hacker mindset and the complex problem of protecting against threat actors who are naturally inclined to poke at systems. Open source security is currently experiencing a major platform shift towards a more proactive approach, as companies can no longer afford to be obsessed with vulnerabilities to the exclusion of supply chain attacks.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
International law enforcement organizations have disrupted LockBit, the world’s largest ransomeware gang, seized their operations and infrastructure, and indicted some of the perpetrators.
Socket discovered two malicious Python packages, enchantv and vibrant, imitating popular packages and targeting victims via a base64 encoded payload in their setup files.