Risky Biz Podcast: How Shifts in Open Source Made It a Prime Attack Vector

In this episode of the Risky Business podcast, host Tom Uren chats with Socket founder and CEO Feross Aboukhadijeh. They delve into the vulnerabilities of open source software through the lens of notorious supply chain attacks like XZ-utils and Event-Stream. Feross shares how previous incidents inspired the creation of Socket, which detects and prevents such attacks by closely monitoring changes in software packages.

Ideally, developers should scrutinize every line of code they use, but that's simply not realistic. Threat actors are counting on this and some put in more effort to launch sophisticated attacks that get past static analysis. This is why Socket leverages LLMs for further analysis, to pick up on signals that are more difficult for humans to catch at scale.

With 90% of the code in most apps being open source, the volume of code that isn’t reviewed has significantly increased the risk for supply chain attacks. The episode explores how the rise of small, hyper-specific open source packages and a shift towards individual maintainers have created a wider attack surface.

Shifts in Open Source Development #

The discussion touches on how open source development practices have contributed to these vulnerabilities in the ecosystem:

• Rise of small packages: The trend of creating many small, single-function packages increased dependency trees, making it harder to track vulnerabilities.
• Zero-cost dependency mentality: Package managers like npm solved dependency hell by allowing easy addition of dependencies, potentially introduces security risks as developers spend less time vetting their packages.
• Shift in governance: Previously, large, trusted organizations maintained core dependencies. Now, individual maintainers often manage numerous smaller packages, creating a wider attack surface.

Check out the episode below: