Software supply chain security is admittedly a somewhat dry topic, but knowing what components and code go into your everyday devices and appliances is an important part of the software development process that billions of people rely on daily.
Software is no different from any other product you build and ship: it is assembled from components created by others, often as source code, and you have to make sure it does not break or contain weaknesses that compromise the final product. Most of the software in the world is built on open source code written by developers who publish their work for anyone to use. That also means trusting that those developers will always act in good faith. But projects get abandoned and taken over by others who introduce backdoors or malware, or, as seen recently after Russia’s invasion of Ukraine, “protest software” appears, in which open source developers change their code to wipe the contents of computers in Russia in protest at the Kremlin’s invasion.
Feross Aboukhadijeh, a prolific open source maintainer and founder of Socket, told TechCrunch in a recent call that development teams often place too much trust in open source, which can be disastrous if an intentionally introduced vulnerability makes it into the supply chain and goes undetected.
Software is usually easier to fix than autonomous cars and other hardware, which is worth remembering. But the consequences of a software compromise can be dire and widespread: tampered software updates have led to the mass compromise of US federal government networks, to ransomware attacks, and to the targeting of corporate password managers with the aim of stealing confidential company secrets.
Aboukhadijeh founded Socket earlier this year with a team of fellow open source maintainers who had seen firsthand some of the worst attacks on the software supply chain in the wild. The team set out to build an application that developers can use to detect and block potentially malicious code from entering their projects through the millions of open source repositories they depend on.
The app connects to a developer’s GitHub account and runs dozens of checks for known package issues, such as potentially suspicious code changes: for example, if an open source package you depend on suddenly starts trying to access the network or obtain shell access, which may indicate that the package has been compromised.
Aboukhadijeh described Socket as a nutrition label for an open source package’s capabilities, highlighting what access, permissions and behavior the package has, such as the install scripts that many kinds of malware use to infiltrate a victim’s system.
“We can’t say with certainty whether a package communicating with the network is a bad sign or not, because if this is a web server, then obviously it will need to do that!” Aboukhadijeh said. But building this visibility into the process of creating software is what developers need to prevent attacks on the supply chain. “This is not some sophisticated artificial intelligence or machine learning,” he said of his own product. “There is no way to hide that a package is running an install script; it is declared as part of the package. So why not bring this to the attention of developers?”
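The two signals the article describes, a declared install script and code that reaches for the network or a shell, are both visible in the package itself, so a reviewer can surface them without any machine learning. The following is an added example written for this page, not Socket’s code or TechCrunch’s: a small capability audit that takes a parsed package.json and the package’s JavaScript sources and produces a “nutrition label” of what the package does. The hook names, module lists, risk rule and the sample package are all constructed for the illustration.

```javascript
// Added example (not Socket's code): a capability "nutrition label" for an npm
// package, built from signals the package declares about itself.
// Assumptions: lifecycle hooks of interest, the module-to-capability mapping,
// and the sample package below are constructed for this illustration.

// npm runs these scripts automatically on install, so they deserve a look.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Built-in modules grouped by the capability they grant.
const CAPABILITY_MODULES = {
  network: ['net', 'http', 'https', 'dns', 'tls'],
  shell: ['child_process'],
  filesystem: ['fs'],
};

// Matches require('mod') and `from 'mod'`; tolerates the optional node: prefix.
const IMPORT_RE = /(?:require\(\s*|from\s+)['"](?:node:)?([a-z_]+)['"]/g;

// Returns a list of findings: { kind, where, detail }.
function auditPackage(manifest, files) {
  const findings = [];

  // 1. Install scripts are declared in the manifest; nothing to guess here.
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: 'install-script', where: `scripts.${hook}`, detail: scripts[hook] });
    }
  }

  // 2. Capability use is inferred from which built-in modules each file imports.
  for (const [path, source] of Object.entries(files)) {
    for (const match of source.matchAll(IMPORT_RE)) {
      const mod = match[1];
      for (const [capability, mods] of Object.entries(CAPABILITY_MODULES)) {
        if (mods.includes(mod)) findings.push({ kind: capability, where: path, detail: mod });
      }
    }
  }
  return findings;
}

// Distinct capability names, sorted, for the label.
function capabilities(findings) {
  return [...new Set(findings.map((f) => f.kind))].sort();
}

// Constructed triage rule: as the article notes, network use alone is not a verdict,
// so only an install script combined with network or shell access asks for review.
function riskLevel(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has('install-script') && (kinds.has('network') || kinds.has('shell'))) return 'review';
  return kinds.size > 0 ? 'info' : 'none';
}

// Human-readable label for one package.
function formatReport(manifest, files) {
  const findings = auditPackage(manifest, files);
  const lines = [`${manifest.name}@${manifest.version}: ${riskLevel(findings)}`];
  for (const f of findings) lines.push(`  ${f.kind.padEnd(15)} ${f.where}  (${f.detail})`);
  return lines.join('\n');
}

// Constructed sample package: a library whose postinstall step talks to the
// network and runs a shell command, exactly the combination worth a second look.
const SAMPLE_MANIFEST = {
  name: 'example-widget',
  version: '1.2.3',
  scripts: { postinstall: 'node scripts/setup.js', test: 'node test.js' },
};
const SAMPLE_FILES = {
  'index.js': "const fs = require('fs');\nmodule.exports = () => fs.readFileSync('./data.json');\n",
  'scripts/setup.js':
    "const https = require('https');\n" +
    "const { execSync } = require('child_process');\n" +
    "https.get('https://example.invalid/telemetry', () => {});\n" +
    "execSync('node --version');\n",
};

console.log(formatReport(SAMPLE_MANIFEST, SAMPLE_FILES));
```

The import regex is deliberately simple; a real scanner would parse the source to an AST so that dynamic requires and aliased imports cannot slip past it, but even this level of inspection reproduces the point made above: the install script is declared in package.json, and the modules a file pulls in are right there in its text.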
Socket is still in its infancy and entering a crowded market, but it is already attracting investment. The early-stage startup raised $4.6 million in a seed funding round from more than a dozen angel investors and security leaders, including former GitHub CEO Nat Friedman, Keybase co-founder Max Krohn, and the firms Unusual Ventures, Village Global and South Park Commons.
Aboukhadijeh told TechCrunch that the funding will help expand the startup’s engineering, analytics and research teams to build out its developer tools.
Credit: techcrunch.com