Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

Security News

Risky Biz Podcast: How Shifts in Open Source Made It a Prime Attack Vector

This episode of the Risky Biz podcast discusses how the rise of small open source packages and the shift towards individual maintainers makes the ecosystem more vulnerable to supply chain attacks.

Risky Biz Podcast: How Shifts in Open Source Made It a Prime Attack Vector

Sarah Gooding

May 1, 2024


In this episode of the Risky Business podcast, host Tom Uren chats with Socket founder and CEO Feross Aboukhadijeh. They delve into the vulnerabilities of open source software through the lens of notorious supply chain attacks like XZ-utils and Event-Stream. Feross shares how previous incidents inspired the creation of Socket, which detects and prevents such attacks by closely monitoring changes in software packages.

Ideally, developers should scrutinize every line of code they use, but that's simply not realistic. Threat actors are counting on this and some put in more effort to launch sophisticated attacks that get past static analysis. This is why Socket leverages LLMs for further analysis, to pick up on signals that are more difficult for humans to catch at scale.

With 90% of the code in most apps being open source, the volume of code that isn’t reviewed has significantly increased the risk for supply chain attacks. The episode explores how the rise of small, hyper-specific open source packages and a shift towards individual maintainers have created a wider attack surface.

Shifts in Open Source Development #

The discussion touches on how open source development practices have contributed to these vulnerabilities in the ecosystem:

  • Rise of small packages: The trend of creating many small, single-function packages increased dependency trees, making it harder to track vulnerabilities.
  • Zero-cost dependency mentality: Package managers like npm solved dependency hell by allowing easy addition of dependencies, potentially introduces security risks as developers spend less time vetting their packages.
  • Shift in governance: Previously, large, trusted organizations maintained core dependencies. Now, individual maintainers often manage numerous smaller packages, creating a wider attack surface.

Check out the episode below:

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts
SocketSocket SOC 2 Logo

Product

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc