Case study
Doctolib partnered with Socket to automate supply chain threat detection for their TypeScript and Ruby open source libraries.
Integrating Socket was frictionless and became a natural part of the security workflow.
The solution enhanced compliance and met audit requirements.
Socket protects previously unmonitored risk areas, enhancing overall security posture.
Doctolib is a premier healthcare scheduling platform dedicated to providing secure and reliable solutions for managing patient appointments. By prioritizing security in every stage of development, Doctolib ensures that their services meet and exceed industry standards for safety and performance, safeguarding sensitive patient information for more than 90 million patients.
Prior to partnering with Socket, Doctolib employed standard security measures, including manual code reviews, penetration testing, and automatic updates of third-party libraries via Dependabot for their primarily TypeScript and Ruby on Rails codebase.
Despite these efforts, the security team identified a critical gap: the lack of an automated solution to detect and mitigate supply chain attacks, specifically those involving malicious or vulnerable libraries. This blind spot posed significant risks, as harmful dependencies could compromise both the development environment and the security of end-users.
Doctolib integrated Socket into their continuous integration (CI) pipeline to automate the detection of malicious libraries and supply chain threats. According to Frédéric Charpentier, Head of Product Security at Doctolib, adding Socket's zero-day supply chain attack prevention was a no-brainer, and his team was able to plug it right into their existing security measures with no learning curve.
The seamless integration of Socket required minimal effort from the security team. Frédéric said they found the onboarding to be straightforward and emphasized the ease of adoption, stating, “Socket was a frictionless integration into our processes. It didn’t disrupt our existing workflows, allowing us to incorporate the tool efficiently without impacting our productivity.”
Since implementing Socket, Doctolib has experienced enhanced confidence in their security measures. The automated detection capabilities have effectively filled previously unaddressed risk areas, ensuring comprehensive coverage of their software supply chain.
Frédéric noted, “Socket adds a critical layer of security by covering risk areas that were previously not addressed. It gives us the confidence that our supply chain is monitored effectively, allowing developers to safely incorporate external dependencies without compromising our security standards.”
Additionally, Socket has been instrumental in helping Doctolib meet compliance requirements. External auditors have recognized the strengthened security posture facilitated by Socket’s continuous monitoring and threat detection. Frédéric highlighted, “When explaining our security posture to external auditors, Socket was always appreciated because it demonstrates our commitment to covering all aspects of continuous development supply chain security.”
Interested in Socket for your organization?
Schedule a demo with our team and try Socket.