The Changelog: Software Development, Open Source

Securing the open source supply chain (Interview)

Mar 1, 2022

Feross Aboukhadijeh, an open-source developer known for projects like Socket and WebTorrent, joins to discuss the launch of Socket, a tool designed to secure the open-source supply chain. Feross highlights how supply chain attacks have eroded trust in open-source software. He explains Socket’s proactive approach to treating all open-source code as potentially malicious and discusses the alarming prevalence of risks like typo-squatting and package compromises. The conversation sheds light on the collective responsibility needed to enhance security in the tech community.

01:28:21

Creator website

Episode guests

Feross Aboukhadijeh

AI Chapters

Episode notes

Intro

3min

A Nostalgic Journey Through Time and Numbers

2min

Securing Software: The Wormhole Experience

26min

Navigating the Dangers of Typo-Squatting in Open Source Libraries

3min

Navigating Typo Squatting in Software Packages

25min

Navigating Pricing Models in Software Development

4min

Navigating Open Source and Security in Startup Development

23min

Addressing Vulnerabilities in Open Source Security

2min

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

Join the discussion

Changelog++ members get a bonus 10 minutes at the end of this episode and zero ads. Join today!

Sponsors:

Sentry – Working code means happy customers. That’s exactly why teams choose Sentry. From error tracking to performance monitoring, Sentry helps teams see what actually matters, resolve problems quicker, and learn continuously about their applications - from the frontend to the backend. Use the code CHANGELOG and get the team plan free for three months.
Square – Develop on the platform that sellers trust. There is a massive opportunity for developers to support Square sellers by building apps for today’s business needs. Learn more at developer.squareup.com to dive into the docs, APIs, SDKs and to create your Square Developer account — tell them Changelog sent you.
Retool – Retool is a low-code platform built specifically for developers that makes it fast and easy to build internal tools. Instead of building internal tools from scratch, the world’s best teams, from startups to Fortune 500s, are using Retool to power their internal apps. Learn more and try it for free at retool.com/changelog
WorkOS – A platform that gives developers a set of building blocks for quickly adding enterprise-ready features to their application. Add Single Sign-On (Okta, Azure, Google, Microsoft OAuth), sync users from any SCIM directory, HRIS integration, audit trails (SIEM), free magic link sign-in. WorkOS is designed for developers and offers a single, elegant interface that abstracts dozens of enterprise integrations. Learn more and get started at WorkOS.com

Featuring:

Feross Aboukhadijeh – Website, GitHub, X
Adam Stacoviak – Website, GitHub, LinkedIn, Mastodon, X
Jerod Santo – GitHub, LinkedIn, Mastodon, X

Show Notes:

Something missing or broken? PRs welcome!

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.