Hard News Hard Hitting News Source Global Political News

Socket: New tool takes a proactive approach to prevent OSS supply chain attacks

A group of software package maintainers have created a tool for defending applications that depend on open source JavaScript libraries.

Called Socket, the tool takes a new, proactive approach to defending against open source software (OSS) supply chain attacks.

Supply chain attacks happen when a miscreant compromises a package and uses it to distribute malicious code to the applications that depend on it. The tactic has become a growing threat, especially as applications increasingly rely on open source software components.

Traditional methods fall short

“Everyone on the Socket team is an open source maintainer. Together, we have over 1 billion monthly downloads to our names,” Feross Aboukhadijeh, founder and CEO of Socket, told The Daily Swig. “We witnessed firsthand how supply chain attacks have swept across open source communities and damaged trust in open source.”

Maintaining the security of open source software is becoming increasingly challenging, especially since every dependency can lead to dozens or hundreds of transitive dependencies.

The security industry is mostly focused on vulnerabilities that have already been discovered. There are many CVE scanners that monitor applications for known vulnerabilities.

But vulnerabilities can take weeks or months to be discovered, and their emergence won’t stop supply chain attacks, Aboukhadijeh warns.

One study from 2020 shows that on average, a malicious package is available for 209 days before being publicly reported. Another states that 20% of malware “persist in package managers for over 400 days and have more than 1K downloads.”

“In today’s culture of fast development, a malicious dependency can be updated, merged, and running in production in days or even hours,” Aboukhadijeh said. “This isn’t enough time for a CVE to be created and make its way into the vuln scanning tools that teams use.”

A proactive approach

Socket has been designed with the assumption that all open source packages may be malicious. Instead of searching for known vulnerabilities, it tries to detect signs of compromised packages.

According to Aboukhadijeh, Socket uses “deep package inspection” to characterize the behavior of an open source package. It analyzes both the package code and maintainer behavior to detect the tell-tale signs of a supply chain attack.

Socket runs static analysis on a JavaScript package and all of its dependencies to look for risk markers such as install scripts, obfuscated code, high entropy strings, or usage of privileged APIs such as shell, network, filesystem, eval(), and environment variables.

“For example, if a new patch or minor version of a package adds an install script and new code to communicate with the network, that’s a huge red flag and something that every team should want to know about before they update to the new version,” Aboukhadijeh said. “Looking for just these two signals would have stopped a huge percentage of recent npm supply chain attacks.”
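The risk markers from the static analysis described above, together with the "install script plus new network code in a patch or minor release" heuristic from the quote, as an added example that is not Socket's code or the article's: a toy Node.js scanner over constructed package data. The entropy threshold (4.5 bits per character), the minimum literal length (20), the regex signatures and the sample package are this example's own assumptions, not published Socket values.

```javascript
// Added example (not Socket's code). A miniature "deep package inspection":
// scan an npm package's package.json and source files for the risk markers the
// article lists, then compare two versions and alert when a patch/minor bump
// newly introduces an install script together with network code.
// Thresholds and regexes below are this example's own assumptions.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Privileged-API signatures; a real scanner would walk an AST, not regexes.
const PRIVILEGED_APIS = [
  { marker: "shell",       re: /\bchild_process\b|\bexecSync?\(|\bspawn\(/ },
  { marker: "network",     re: /\brequire\(["'](https?|net|dns)["']\)|\bfetch\(/ },
  { marker: "filesystem",  re: /\brequire\(["']fs(\/promises)?["']\)/ },
  { marker: "eval",        re: /\beval\(|\bnew Function\(/ },
  { marker: "environment", re: /\bprocess\.env\b/ },
];

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// String literals that are long and near-random (assumed threshold 4.5 bits/char):
// the usual shape of embedded keys, encoded payloads and obfuscated code.
function highEntropyStrings(source, minLen = 20, threshold = 4.5) {
  const hits = [];
  const literal = /["'`]([^"'`\n]+)["'`]/g;
  for (const m of source.matchAll(literal)) {
    const s = m[1];
    if (s.length >= minLen && shannonEntropy(s) >= threshold) hits.push(s);
  }
  return hits;
}

// pkg = { packageJson: <parsed package.json>, files: { "relative/path.js": "<source>" } }
function scanPackage(pkg) {
  const findings = [];
  const scripts = pkg.packageJson.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ marker: "install-script", where: `package.json#scripts.${hook}`, detail: scripts[hook] });
  }
  for (const [path, src] of Object.entries(pkg.files)) {
    for (const { marker, re } of PRIVILEGED_APIS) {
      if (re.test(src)) findings.push({ marker, where: path });
    }
    for (const s of highEntropyStrings(src)) {
      findings.push({ marker: "high-entropy-string", where: path, detail: `${s.slice(0, 12)}... (${shannonEntropy(s).toFixed(2)} bits/char)` });
    }
  }
  return findings;
}

// True when newV is a minor or patch increase over oldV (same major). Plain x.y.z only.
function isPatchOrMinorBump(oldV, newV) {
  const [a, b] = [oldV, newV].map((v) => v.split(".").map(Number));
  if (a.length !== 3 || b.length !== 3 || a.some(Number.isNaN) || b.some(Number.isNaN)) return false;
  return a[0] === b[0] && (b[1] > a[1] || (b[1] === a[1] && b[2] > a[2]));
}

// Diff the marker sets of two versions; an install script and network code both
// appearing for the first time in a patch/minor release raises the alert.
function compareVersions(oldPkg, newPkg) {
  const before = new Set(scanPackage(oldPkg).map((f) => f.marker));
  const after = scanPackage(newPkg);
  const added = [...new Set(after.map((f) => f.marker))].filter((m) => !before.has(m));
  const bump = isPatchOrMinorBump(oldPkg.packageJson.version, newPkg.packageJson.version);
  const alert = bump && added.includes("install-script") && added.includes("network");
  return { added, alert, findings: after };
}

// Constructed sample (not a real package): a benign 1.4.0, and a 1.4.1 that gains
// a postinstall hook plus a setup script touching the network and the environment.
const OLD_PACKAGE = {
  packageJson: { name: "example-pad", version: "1.4.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = function pad(s, n) { return s.padStart(n); };" },
};
const NEW_PACKAGE = {
  packageJson: { name: "example-pad", version: "1.4.1", scripts: { test: "node test.js", postinstall: "node setup.js" } },
  files: {
    "index.js": OLD_PACKAGE.files["index.js"],
    "setup.js": [
      'const https = require("https");',
      'const token = "q7Zt3Lx9Vb1Kp5Wn8Ry2Mc4Hs6Jf0Dg+Ae/Bu=Ci";',
      "const payload = JSON.stringify(process.env);",
    ].join("\n"),
  },
};

console.log(JSON.stringify(compareVersions(OLD_PACKAGE, NEW_PACKAGE), null, 2));
```

Run with `node scan.js`: the 1.4.0 release produces no findings, while 1.4.1 adds the `install-script`, `network`, `environment` and `high-entropy-string` markers and trips the alert. The point of diffing marker sets rather than listing findings is the one the quote makes: a package that has always used the network is unremarkable, whereas one that starts to in a patch release is worth a human look before the upgrade lands.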

Socket has a total of 70 detection markers in five different categories: supply chain risk, quality, maintenance, known vulnerabilities, and license.

“We use each of these issues as signals into the supply chain risk formula that determines whether we will raise an alert,” Aboukhadijeh explained.

Socket to me

The tool is available as a paid app for GitHub and also has a free version with limited functionality. Aboukhadijeh says that in the two months since its launch, it is already protecting hundreds of organizations and tens of thousands of repositories.

In the future, the team will be adding more risk detection techniques as well as advanced reporting features. They will also add support for more languages (Java, Go, Python) and integrations with other platforms (GitLab, Bitbucket).

Source: https://portswigger.net/daily-swig/socket-new-tool-takes-a-proactive-approach-to-prevent-oss-supply-chain-attacks