Securing the software supply chain is admittedly somewhat of a dry topic, but knowing which components and code go into your everyday devices and appliances is a critical part of the software development process that billions of people rely on every day.
Software is just like any other product you build and ship; it relies on using components that others have built, often in the form of source code, and making sure that it doesn’t break or have weaknesses that compromise the final product. Most of the world’s software relies on open source code that’s written by developers who publish their work for anyone to use. That also means a reliance on trusting that the developers will always act in good faith. But projects get abandoned and picked up by others who plant backdoors or malware, or, as seen recently since Russia’s invasion of Ukraine, a rise in “protestware,” in which open source software developers alter their code to wipe the contents of Russian computers in protest of the Kremlin’s incursion.
Feross Aboukhadijeh, a prolific open source maintainer and the founder of Socket, told TechCrunch in a recent call that development teams often put too much trust in open source code, which can be catastrophic if a deliberate vulnerability is introduced into the supply chain and goes unnoticed.
Software is generally easier to fix than autonomous cars and other hardware that have to be recalled. But the consequences of a software compromise can be dire and widespread. Tainted software updates have led to the mass compromise of U.S. federal government networks, ransomware attacks and the targeting of enterprise password managers aimed at stealing sensitive corporate secrets.
Aboukhadijeh founded Socket earlier this year alongside a team of fellow open source maintainers who have seen firsthand some of the worst software supply chain attacks in the wild. And so the team began work on building an app that developers can use to detect and block introducing potentially malicious code into their projects from millions of open source code repositories.
The app plugs in to a GitHub developer’s account and runs through dozens of known behaviors, looking for package issues like potentially suspicious changes to the code, such as if an open source package you depend on suddenly starts trying to communicate over the network or getting shell access, which might indicate that the package has been compromised.
Aboukhadijeh described Socket as offering a nutrition-fact label of an open source package’s capabilities by illuminating what access, permissions and behaviors a package has, like install scripts, which many kinds of malware use to hook into a victim’s system.
“We can’t tell you with certainty whether a package is talking to the network is a bad sign or not, because what if it’s a web server — then it’s obviously going to need to do that!” said Aboukhadijeh. But having that visibility integrated into the software building process is what developers need to prevent a supply chain attack. “This isn’t some complicated AI or machine learning thing,” he said, speaking of his own product. “There’s no way to hide that a package runs an install script, it’s declared as part of the package. So why not raise that to a developer’s attention?”
Socket is still in its early days and enters a crowded market, but is already attracting investment. The early-stage startup has raised $4.6 million in seed round funding from over a dozen angel investors and security leaders, including ex-GitHub CEO Nat Friedman, Keybase co-founder Max Krohn, as well as Unusual Ventures, Village Global and South Park Commons.
Aboukhadijeh told TechCrunch that the funding will help grow the startup’s engineering, security analysis and research teams to build out its tools to developers.