Case study
MetaMask improved its security by integrating Socket, which identifies potential supply chain threats within minutes of a package's release and, for the first time, gives developers a convenient way to check new dependencies for supply chain risk.
Socket's streamlined configuration allows MetaMask to customize security features easily without complexity, making it integral to their security operations.
MetaMask uses Socket to efficiently manage extensive dependency trees, ensuring rapid identification of potentially malicious packages.
MetaMask appreciates Socket for its AI-driven capabilities that detect threats before any human could, offering a robust defense against unknown risks.
Consensys is the leading blockchain and web3 software company. Since 2014, Consensys has been at the forefront of innovation, pioneering technological developments within the web3 ecosystem. The company's product suite includes the MetaMask platform, Infura, Linea, Diligence, and their NFT toolkit Phosphor.
MetaMask is a self-custodial cryptocurrency wallet, which enables millions of users worldwide to securely manage their keys and digital assets without requiring extensive technical knowledge.
Zbyszek Tenerowicz, Senior Staff Security Engineer at Consensys, is responsible for the JavaScript security of MetaMask at runtime. Tenerowicz heads the Security Lab team, which is part of a layered security team that includes members who also handle phishing attempts, threat intel, app security, and a bug bounty program. Security Lab is building LavaMoat and contributing to Endo, which are OSS tools for maintaining high security of composed software at runtime.
Due to the extensive use of open source JavaScript dependencies and the inherent risks associated with managing a cryptocurrency wallet, MetaMask is committed to maintaining iron-clad defenses against supply chain attacks.
“My mission is to make sure that MetaMask is not going to be easily compromised through its dependencies," Tenerowicz said.
The crypto wallet's applications, both the browser extension and mobile app, are built on JavaScript and include two of the largest dependency trees Tenerowicz has seen in his career.
The size and complexity of these dependency trees increase the risk of introducing malicious code for any organization. MetaMask additionally needs historical analysis of package versions: whenever a vulnerability is discovered in an older version of a package, it must confirm whether any previously shipped version of the product used that version.
MetaMask uses LavaMoat for runtime protection against executing malicious code. It's a proactive measure against unknown threats. Socket complements LavaMoat in the company's security infrastructure by providing early warnings about suspicious packages, potentially within minutes of their release. Despite having some of the strongest tools to prevent malicious packages from working at runtime, they would rather detect packages with malicious intents early than put the protections to the test in production.
“Socket is doing a big chunk of work now to identify potential threats before they reach us," Tenerowicz said.
Although Socket also detects known vulnerabilities (CVEs), its AI-powered threat detection is the key feature that distinguishes it from competitors and made MetaMask Security want to adopt it.
"Socket focuses on malicious packages and this is what we really were after," Tenerowicz said. "We use tools like npm audit to get information about known vulnerabilities, so we’re obviously tracking that, but that’s old news for us. We were not after another tool like that. We needed a tool that would automatically warn us about things no human has discovered yet. That’s where Socket shines. It occupies a totally different area in the software lifecycle."
As MetaMask's appsec team tracks the dependencies it needs to update, a new major vulnerability in one of those dependencies occasionally needs to be addressed.
“I’ve been using the Dependency section in the Socket dashboard to quickly find where we’re using that dependency, and this is something I wanted all along," Tenerowicz said. "The moment the Dependency tab showed up - we were already working on using an API to push this data in before it was available from historical scans because we really wanted that feature."
Socket's organization-wide Dependency Search feature enables MetaMask to quickly search through their repositories to figure out if they are using a vulnerable package.
"If someone has derived a key with a vulnerable version, updating MetaMask to a newer version doesn’t help them. So we need to be able to detect if we are using a specific version as well as our historical usage of versions of that package. I have no idea how to figure that out across many repositories without Socket's Dependency tab."
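The check Tenerowicz describes has two parts: find every copy of a package in a dependency tree (including nested duplicates) and ask whether a given version range was ever shipped. The following Node.js script is an added illustration of that check over npm lockfiles; it is not MetaMask's, Socket's or LavaMoat's code. It assumes lockfile snapshots are obtained per release (for example with `git show <tag>:package-lock.json`), compares plain `major.minor.patch` versions without prerelease handling, and uses a constructed package name (`example-keylib`) and a placeholder vulnerable range.

```javascript
// Added example (not MetaMask's or Socket's code): list every version of a
// given npm package present in package-lock.json files, nested copies
// included, and flag the ones inside a vulnerable [introduced, fixed) range.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

// Parse "1.2.3" into numeric parts. Assumption: prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Negative, zero or positive, like strcmp, on the numeric parts.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// The package name is everything after the last "node_modules/", so scoped
// packages survive: "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  if (idx === -1) return null; // "" is the root project entry, not a dependency
  return path.slice(idx + 'node_modules/'.length);
}

// Collect {name, version, path} for every installed package in one lockfile.
function installedPackages(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockPath(path);
      if (name && entry.version) found.push({ name, version: entry.version, path });
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, version: entry.version, path });
        if (entry.dependencies) walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies of `pkg` whose version lies in [introduced, fixed).
function findAffected(lock, pkg, introduced, fixed) {
  return installedPackages(lock)
    .filter(p => p.name === pkg)
    .filter(p => compareVersions(p.version, introduced) >= 0 &&
                 compareVersions(p.version, fixed) < 0)
    .map(p => ({ version: p.version, path: p.path }));
}

// Historical usage: run the same check over one lockfile snapshot per release.
function affectedAcrossHistory(snapshots, pkg, introduced, fixed) {
  const report = [];
  for (const { ref, lock } of snapshots) {
    const hits = findAffected(lock, pkg, introduced, fixed);
    if (hits.length) {
      report.push({ ref, versions: [...new Set(hits.map(h => h.version))].sort() });
    }
  }
  return report;
}

// Constructed sample snapshots (not real MetaMask data). "example-keylib" and
// the range 2.0.0 <= v < 2.2.0 are placeholders standing in for a real advisory.
const SNAPSHOTS = [
  { ref: 'v1.0.0', lock: { lockfileVersion: 1, dependencies: {
      'example-keylib': { version: '2.0.1' },
      'some-wrapper': { version: '1.0.0',
        dependencies: { 'example-keylib': { version: '2.1.0' } } },
  } } },
  { ref: 'v1.1.0', lock: { lockfileVersion: 3, packages: {
      '': { name: 'app', version: '1.1.0' },
      'node_modules/example-keylib': { version: '2.2.0' },
      'node_modules/some-wrapper': { version: '1.0.0' },
      'node_modules/some-wrapper/node_modules/example-keylib': { version: '2.1.0' },
  } } },
  { ref: 'v1.2.0', lock: { lockfileVersion: 3, packages: {
      '': { name: 'app', version: '1.2.0' },
      'node_modules/example-keylib': { version: '2.2.0' },
  } } },
];

// v1.0.0 shipped 2.0.1 and a nested 2.1.0; v1.1.0 still carries a nested 2.1.0
// even though the top-level copy was fixed; v1.2.0 is clean.
console.log(JSON.stringify(
  affectedAcrossHistory(SNAPSHOTS, 'example-keylib', '2.0.0', '2.2.0'), null, 2));
```

The v1.1.0 snapshot is the case worth noticing: the top-level copy was upgraded, but a wrapper package still pinned the affected version underneath it, which is exactly the kind of nested duplicate that a search over the resolved tree catches and a look at package.json alone does not.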
MetaMask's decision to integrate Socket into their security infrastructure was significantly influenced by its integration points and simplicity of delivering information. Unlike other complex security tools that can be overwhelming with excessive features and configurations, Socket offers a streamlined experience that simplifies security management without sacrificing depth or functionality. This ease of use has made it an essential component of MetaMask's security strategy.
"Socket is not this big pile of tooling that you have to accept as a whole or reject as a whole," Tenerowicz said. "Earlier in my career, one of the problems with rolling out a supply chain security tool was that it was so complex that people were intimidated by it - even the people who wanted it rolled out were intimidated by it.
"What I like about Socket is that you get to tailor what it’s doing and you don’t need to buy into all the available features. There’s only one place where you go and configure it. There’s not a huge admin panel with 50 views to explore."
Tenerowicz said that, as a member of the security team who isn't committing code, the value of Socket lies in streamlining decision-making when updating MetaMask's security policy.
"I don’t feel overwhelmed and I don’t dread reviewing my settings to figure out if I want to change the security policy," he said. "I’m not dreading new features. I’m comfortable that any new feature is easy to opt in and I like the defaults."
MetaMask’s integration of Socket enables the company to stay ahead of potential threats, protecting millions of users and their digital assets. With support for both current and historical dependency analysis, MetaMask ensures that its extensive use of open source dependencies remains secure.
Interested in Socket for your organization?
Schedule a demo with our team and try Socket.