The Pair Program Podcast: Feross Aboukhadijeh on Preserving Trust in Open Source
Socket CEO Feross Aboukhadijeh discusses the open web, open source security, and how Socket tackles software supply chain attacks on The Pair Program podcast.
Sarah Gooding
March 10, 2025
Socket CEO Feross Aboukhadijeh recently joined Tim Winkler on The Pair Program miniseries "How We Hatched" to talk about his journey from open source maintainer to building Socket and tackling software supply chain security. It’s an episode packed with insights on the open web, open source, and what it means to protect the code that powers modern software.
In this episode, Feross shared that it was the democratic promise of the open web that initially drew him to becoming a developer.
"There's something about the web—where anyone can build something and put it online—that's just magical. My website sat right there next to Google in a browser. There were no barriers to entry."
That ability to put anything on the web to be discovered sparked his passion for building technology that could reach the entire world. This led to a deep involvement with maintaining open source software and firsthand knowledge of the security challenges developers are facing today:
Open source code is 90% of the lines of code in modern applications, and you have developers not really reviewing that code because it's too much code, and the whole point of using open source is that you're not an expert in that area. So you're grabbing a package or a dependency to sort of make that problem go away for you. There's no visibility into what's in there, and people are just grabbing code that they find online, and then the tooling isn't really up for the task of proactively and preventively looking for problems in that open source code. So you end up with this perfect storm where we started seeing a ton of malware and financially motivated attacks that all the traditional scanning tools in the space were not able to detect.
This lack of visibility into dependencies, along with a desire to preserve trust in open source, is what ultimately inspired Socket’s mission and led Feross to focus on solving supply chain security challenges:
I love open source, so I don't want it to be affected by this trust issue. I think if people can't trust open source because there's all these attacks happening constantly, then they're going to use less open source, which is gonna mean that we go back to the bad ole days when everybody wrote everything custom for their own company, and, you know, we lose a lot of the benefits of building on top of this shared foundation and being able to move fast as an industry.
Check out the full conversation to hear more about the evolution of supply chain attacks, lessons from Feross's earlier ventures, and his vision for securing the open source ecosystem.
Host: Thank you for joining us on The Pair Program. This is another bonus episode of our miniseries, How We Hatch. Today, we’ve got Feross Aboukhadijeh—DJ. Feross is the CEO and co-founder of Socket, a developer security platform aimed at protecting companies from software supply chain attacks. Many of our listeners in the open-source community will recognize Feross as one of the original authors and maintainers of WebTorrent. Feross, I’m excited to have you with us today. Thanks for joining us on the pod!
Feross: Yeah, great to be here, Tim.
Host: Good stuff. All right, let’s jump in. I always like to start these episodes with a fun, thought-provoking question: What did Feross have for breakfast this morning?
Feross: That’s funny—my mom came over yesterday and made some food, so I had her leftovers for breakfast.
Host: Solid! And where are you calling in from today?
Feross: I’m in San Francisco, in the Mission District.
Host: Very cool. Now, in true How We Hatch fashion, before we get into the tech behind Socket, I’d love to learn more about your journey as an entrepreneur. Can you tell me a little about your background and what led you down the path of software engineering?
Feross: Yeah, absolutely. If we go way back, I’ve always been interested in computers and technical things. My mom likes to tell a story about how, when I was a year old, I would watch adults put VHS tapes into the VCR, and I’d try to copy them by putting my toy blocks into the VCR. It was always jammed full of blocks!
Later on, in middle school, I got into making websites. I started learning HTML and basic web development. By high school, I wanted to build a website to collect all my favorite online games and Flash animations. Flash, for those who don’t remember, was how people made web animations before YouTube. That project led me to learning actual programming, and I was hooked.
Studying computer science in college was a natural choice. I went to Stanford, where startups were a big focus. It wasn’t necessarily common, but it wasn’t crazy either—it was always in the back of my mind that I’d one day start a company.
Host: That makes sense. Sounds like you had a knack for tinkering and loved the open web. So, software development was almost a given for you. Where did you go to school, and how did you decide what to study?
Feross: Yeah, like I mentioned, I went to Stanford. It’s in the Bay Area, and there’s a strong startup culture. During college, I got really into attending and organizing hackathons. I loved the challenge of building something surprising—something that made people go, Wow, I didn’t know that was possible!
Looking back, that fascination is similar to what a good hacker or security researcher does. They look at the rules of a system and then find where the actual behavior differs from expectations. Some of the projects I worked on had a security angle, like one where I found a way to turn on a user’s webcam via a bug in Adobe Flash. That got reported and patched, thankfully!
Host: Yeah, that’s both fascinating and terrifying! Let’s talk about your shift from big tech internships to startups. You interned at Meta and Quora but then founded your first company, PeerCDN. What drove you to take that leap instead of going down the big tech path?
Feross: I think a lot of it came from growing up with an immigrant parent—my dad came to the U.S. for college, which gave me that entrepreneurial hustle mentality. Also, at Stanford, it wasn’t unusual to start a company. It felt possible.
You don’t need to be super prepared to try entrepreneurship. You learn by doing. PeerCDN was our first company, and it didn’t ultimately work out, but I learned way more by building it than I would have by just reading books. The idea was to create a peer-to-peer content delivery network—kind of like how Uber became the biggest taxi company without owning cars, we wanted to be a CDN without owning servers.
It turned out peer-to-peer had too many challenges in a production environment, but we learned a ton. One key lesson: talk to customers before building too much. We got acquired by Yahoo after about eight months, which was a great learning experience.
Host: Yeah, I imagine that must have been a confidence boost, seeing a startup go through the acquisition process so early in your career. But you only stayed at Yahoo for a year. What led you to focus on open source?
Feross: Honestly, working at a big company showed me the downsides of corporate life. Yahoo acquired our tech but didn’t really use it. That made me want to work on something that couldn’t just be bought and shelved—something that would be useful to the world indefinitely. That’s when I started WebTorrent.
I loved open source because it felt like digital philanthropy. You put something out there, and people can use it, remix it, and integrate it into other projects. The JavaScript and Node.js communities were also thriving at the time—2013 to 2016 was an incredible period for open source.
Host: Yeah, that era was special. But open source isn't always financially rewarding. How did you sustain yourself during that time?
Feross: I lived frugally. Open source isn’t something you get into to make money—unless you plan to commercialize it from the start, which I didn’t. Some companies, like Brave, paid me for consulting work since they used WebTorrent in their browser. That was one way to make open source work financially.
But in general, funding open source is hard. That’s why I got interested in new funding models—how do we make it possible for someone to grow up wanting to be an open-source maintainer as a real career?
Host: That’s an ongoing challenge. Let’s transition to Socket. What made you focus on software supply chain security?
Feross: Seeing how open source exploded in usage made me realize the risks. Apps went from 20 dependencies to thousands. Developers don’t review most of the code they import because they rely on trust. At the same time, legacy security tools weren’t catching modern supply chain attacks.
One of the most alarming cases was the XZ backdoor in 2024, where an attacker spent years social-engineering their way into a critical Linux package. That attack, if successful, could have compromised every server running SSH. It was a wake-up call that we need better proactive security tools.
Host: Absolutely. So, give us the quick pitch—what does Socket do?
Feross: Socket is a developer-first security platform that helps companies protect against supply chain attacks. We deeply analyze open-source code to detect malicious behavior in real-time, preventing threats before they cause damage.
Host: Love it. And you’re fully remote, right?
Feross: Yeah, we started during the pandemic and have hired amazing people worldwide. We’re 35 employees, have raised $65M across three funding rounds, and are growing fast.
Host: That’s incredible. All right, let’s wrap with a lightning round! Quick answers only—what’s your morning routine?
Feross: Green tea every morning since returning from Japan. Way smoother than coffee.
Host: Favorite Disney character?
Feross: Aladdin.
Host: Dream job as a kid?
Feross: Founding a company—so I guess I made it!
Host: Love it! Feross, thanks for hanging out with us on the pod.
Feross: Thanks for having me. This was really fun!