Socket plugs in $40M to strengthen software supply chain

Biz aims to scrub unnecessary dependencies from npm packages in the name of security

Security-focused developer Socket announced on Tuesday it has connected with another $40 million in funding to further its efforts to safeguard the software supply chain.

That brings the total raised by the firm – launched in 2021 to develop a scanning mechanism for finding security issues in open source software packages – to $65 million.

Feross Aboukhadijeh, founder and CEO of Socket, argued that defending the software supply chain across six programming languages involves tidying up the unruly JavaScript/TypeScript ecosystem.

In an interview with The Register, he described a dustup last year in the JavaScript/TypeScript community involving a new maintainer who took over a project and added extensive legacy support in the form of new dependencies.

Modern open source software development involves a lot of dependencies – applications literally depend upon imported packages. These are typically libraries or modules that are fetched from a software registry to perform specific functions. Each in turn may have its own dependencies, organized in what's known as the dependency tree. They're part of what's referred to as the software supply chain.

In the JavaScript/TypeScript ecosystem, the npm Registry, used by more than 17 million developers, hosts more than two million packages. And since these packages tend to be written by third parties, developers want to know that they can trust the creators of those packages and all the included dependent packages.

But trust isn't always warranted – as incidents like the xz affair and the ua-parser-js compromise have demonstrated.

So adding dozens of dependencies to an existing package means anyone using that package should evaluate the security of those new dependencies, in addition to weighing the impact of increased application size.
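As an added illustration of the dependency tree described above and of the review that a dependency bump forces on consumers (example code written for this page, not Socket's or the e18e project's), the script below reads the `packages` map of an npm `package-lock.json` (lockfileVersion 3, keyed by install path), attributes each transitive package to the direct dependency that pulls it in, and diffs two lockfiles to list what an upgrade newly introduced, grouped by the responsible direct dependency. The package names and both lockfiles are constructed for the example.

```javascript
'use strict';
// Added example for this article; not Socket's code and not from e18e.
// Lockfile v3 keys entries by install path: "node_modules/a" for a hoisted package,
// "node_modules/a/node_modules/b" for a copy nested under "a". Package names and
// lockfile contents below are constructed.

// Resolve `name` from a package installed at `fromPath` the way Node does: check the
// nearest node_modules directory, then walk outwards until the project root ("").
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;                       // missing even at the root
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Map every reachable install path to the root's direct dependency that first reaches
// it. A package shared by two direct deps is credited to whichever is visited first.
function attributeTree(lock) {
  const packages = lock.packages;
  const owner = new Map();
  const root = packages[''] || {};
  for (const d of Object.keys(root.dependencies || {})) {
    const start = resolveDep(packages, '', d);
    const stack = start ? [start] : [];
    while (stack.length) {
      const p = stack.pop();
      if (owner.has(p)) continue;
      owner.set(p, d);
      for (const dep of Object.keys(packages[p].dependencies || {})) {
        const q = resolveDep(packages, p, dep);
        if (q && !owner.has(q)) stack.push(q);
      }
    }
  }
  return owner;
}

const nameOf = (path) => path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
const label = (lock, path) => `${nameOf(path)}@${lock.packages[path].version}`;

// name@version pairs present in `after` but not in `before`, grouped by the direct
// dependency responsible. Version bumps of existing packages count as new code too.
function newPackages(before, after) {
  const known = new Set([...attributeTree(before).keys()].map((p) => label(before, p)));
  const added = {};
  for (const [path, d] of attributeTree(after)) {
    const id = label(after, path);
    if (!known.has(id)) (added[d] = added[d] || []).push(id);
  }
  for (const d of Object.keys(added)) added[d].sort();
  return added;
}

// Constructed lockfiles: "widget-kit" 1.x depended only on "fast-util"; 2.0.0 adds two
// compatibility shims, one pulling in a further package and one carrying its own older
// nested copy of "fast-util".
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'widget-kit': '^1.0.0', 'tiny-logger': '^1.0.0' } },
    'node_modules/widget-kit': { version: '1.4.0', dependencies: { 'fast-util': '^2.0.0' } },
    'node_modules/fast-util': { version: '2.1.0' },
    'node_modules/tiny-logger': { version: '1.0.0' },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'widget-kit': '^2.0.0', 'tiny-logger': '^1.0.0' } },
    'node_modules/widget-kit': {
      version: '2.0.0',
      dependencies: { 'fast-util': '^2.0.0', 'legacy-shim-a': '^1.0.0', 'legacy-shim-b': '^1.0.0' },
    },
    'node_modules/fast-util': { version: '2.1.0' },
    'node_modules/legacy-shim-a': { version: '1.0.0', dependencies: { 'es-compat': '^0.3.0' } },
    'node_modules/legacy-shim-b': { version: '1.0.0', dependencies: { 'fast-util': '^1.0.0' } },
    'node_modules/legacy-shim-b/node_modules/fast-util': { version: '1.9.0' },
    'node_modules/es-compat': { version: '0.3.2' },
    'node_modules/tiny-logger': { version: '1.0.0' },
  },
};

console.log(JSON.stringify(newPackages(LOCK_BEFORE, LOCK_AFTER), null, 2));
```

Replacing the two constants with `JSON.parse(fs.readFileSync(...))` of the lockfiles from before and after an upgrade gives the concrete list of packages that now need review, with each traced back to the direct dependency that caused it. Because a shared package is credited to the first direct dependency that reaches it, the per-dependency groups are attributions, not exclusive ownership.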

"I think it was in the dozens, maybe, you know, around 40 or 50 new dependencies to this project," Aboukhadijeh explained. "It upset a lot of the users because they were like, 'We don't want all this extra code in our apps.' And that got us thinking, 'Could we just give both people what they want?'"

Socket's solution, released last week, is Socket Optimize – a command line interface (CLI) inspired by the e18e project that aims to prune dependency trees by removing unnecessary dependencies.

Optimize is a command that npm users can use to fetch optimized packages, which have had unnecessary dependencies and polyfills – code for backward compatibility – removed. The CLI pulls these trimmed-down versions of popular packages from the new Socket Registry rather than from npm.

"Why is the maintainer the one making the decision about what browsers to support and what Node.js environments to support?" asked Aboukhadijeh. "It should be the end user who's using the code."

Optimize represents an attempt to give the end user more control over software dependencies, by cutting out unnecessary functions – similar to the way that certain Docker images contain reduced Linux distributions that demand fewer computing resources.

"The other thing that motivated us was that we've had customers who have come to us and said, 'What do we do when we get an alert on a package and it's not actionable because the package is abandoned, like it's not maintained anymore. How are we supposed to fix the vulnerability or fix the supply chain attack or whatever it is when it's not maintained?' And so they're left with having to fork it and maintain it themselves."

According to Aboukhadijeh, Socket detects and prevents more than 100 zero-day software supply chain attacks every week.

He claimed that the code shop has improved its technology by expanding the data points – or signals – its scanner considers.

"I think expanding the number of signals is the most fruitful thing because every time one of these attacks happens and we don't catch it, we want to ask ourselves why we didn't catch it and what we could have done to catch it," he said.

"That's kind of how we started the company. Our team was just observing supply chain attacks happening in the npm ecosystem. And we just kept saying, 'how could I write a rule like a static analysis rule or a lint rule that could have caught this attack?'"

Aboukhadijeh recalled that the first supply chain attack that caught his attention was the event-stream attack in 2018 which, like the xz incident, involved a maintainer who subverted the package with malicious code.

"If you look at just the way that we caught event-stream as a community and the way that we caught xz, it's extremely disturbing to me – because it was a total accident in both cases," he noted.

These incidents showed that a sufficiently patient project contributor who makes positive contributions will probably have the opportunity to poison the project at some point, Aboukhadijeh contended.

"If you're gonna make good changes and you're gonna be a community member for that long, I mean, you can get access to probably any project," he said. "So you really have to analyze the source code and you really have to try to characterize the behavior of the code and try to understand what it's gonna do when it's run. And that's the only way to catch these things."

And another $40 million investment will certainly help. ®
