CEO, fresh with funds, lays out the dependency dilemma
As it announced a $20 million round of Series A funding, the security shop has had a busy week with three additions to its code's toolkit:
- Full support for Go ecosystem, added in part after Socket spotted a marked increase in Golang attacks;
- A Chromium Extension, and a Firefox version, to check that open source packages are secure before downloading;
- A paid-for addition allowing an organization-wide dependency search, particularly designed for software certification.
"Open source software has revolutionized the way we develop applications, but it has also brought its own set of challenges," said its CEO Feross Aboukhadijeh, told The Register. "One of the biggest is ensuring the security of the vast web of dependencies that modern applications rely on."
"Applications just use so many dependencies, it boggles the mind. One illustrative example is the Discord desktop client which uses more than 19,000 dependencies built by more than 380,000 contributors from more than 200 countries."
By extending to Go Aboukhadijeh said Socket is trying to help developers create safer software by identifying security risks. Or it will do so two days hence, per the announcement's August 3rd, 2023 publication date.
Go, said Aboukhadijeh, "is a language that has seen rapid adoption among the developer community, especially among Socket customers. Go is known for its simplicity and efficiency, which makes it a popular choice for high-performance applications. However, like any language, it's not immune to security risks, especially because of its decentralized VCS-based dependency fetching approach."
Socket, which debuted last year, has a free tier for individual developers, plus paid team and enterprise tiers. It differentiates itself from competitors by noting that while other security scanners exist for evaluating open source packages, these generally look at known vulnerabilities. Socket takes the opposite approach and starts with the assumption that all open source packages may be malicious.
"Socket analyzes the behavior of a package to catch install scripts, obfuscated code, privileged APIs such as shell, network, filesystem, and environment variables," the security shop tweeted last year.
- Python Package Index had one person on-call to hold back weekend malware rush
- Worried about the security of your code's dependencies? Try Google's Deps.dev
- Wormhole encrypted file transfer app reboots Firefox Send after Mozilla fled
Socket's emergence follows the recent discovery of significant attacks on the software supply chain. These include attempts to compromise software applications through the third-party libraries or scripts run during the build and integration process.
The proliferation of such attacks has led to a US federal mandate to have programmers document their software development practices through a Software Bill of Materials (SBOM), among other related initiatives.
But wait, there's more
Socket also introduced a free browser extension for Chromium-based web browsers, Firefox, that aims to surface security analytics data for code packages hosted with the NPM registry. A version of the plugin is coming for Apple's Safari browser, too.
"Our goal is to produce information that otherwise would take developers hours of digging to uncover and to put it right at the developer’s fingertips at the crucial moment when they’re searching for a new open source package to add to the application," said Aboukhadijeh.
"The challenge of securing open source software is a recursive one," said Aboukhadijeh. "It's not only about app developers choosing secure dependencies, but it's also about those dependencies themselves relying on secure dependencies, and so forth. This complexity underscores the importance of making security information widely accessible."
Aboukhadijeh said Socket is happy to provide security analysis data for free at its website and pointed to an example of how such data can warn developers away from bad code.
"For example, here’s a Socket Package Report for a malware-laden package that as of publication is still hosted by NPM: https://socket.dev/npm/package/bobjoll/overview/6.640.3. For developers that want to dig deeper, Socket helpfully provides a deep link to the malicious file here: https://socket.dev/npm/package/bobjoll/files/6.640.3/scripts/script.js"
With the company's browser extension, that data will appear on relevant NPM package web pages, like so:
Another pending product – for customers choosing Socket's paid tier – will deliver the ability to run an organization-wide Dependency Search, also detailed in a postdated blog post. This capability lets organizations search for specific dependencies across all their software repositories to get a better idea of what's on the network.
"The White House's directive on SBOMs emphasized their importance in software transparency," said Socket software slingers Bradley Meck Farias, Mikola Lysenko, and Segun Adebayo in the post. "Sadly, few companies even collect SBOMs, let alone utilize them productively. Socket's Dependency Search isn't just about collecting these SBOMs but also providing [useful insights]."
That last sentence included the words "actionable" and "operationalizing," which is why we paraphrased the passage.
"We believe that all developers should have this crucial information at their fingertips as they decide which dependencies to use, regardless of whether their company is a Socket customer," said Aboukhadijeh. "This approach is not just about doing the right thing; it's also our way of paying it forward to the open source community that we're a part of." ®