In its latest gambit to reduce the noise of unnecessary security alerts, Socket has acquired Coana, a startup founded in 2022 by researchers from Aarhus University in Denmark that tells users which vulnerabilities they can safely ignore.
“The problem with all security tools – and this is not something we came up with – is there are too many alerts,” Feross Aboukhadijeh, CEO of supply chain security biz Socket, told The Register. “There’s too much noise.”
And the better the tool is, the more noise it will generate.
“If you’re finding things that other tools aren’t finding, you’re going to end up with actually more alerts,” Aboukhadijeh explained.
Aboukhadijeh said Socket customers – software developers who use the company’s dependency scanning tools to catch vulnerabilities in app libraries – have raised the issue. They don’t want a thorough dependency scan to increase their workload unnecessarily.
Modern software applications tend to have a lot of dependencies. These are modules, frameworks, or libraries that get imported into an application to provide some set of capabilities or functions, so that the developer doesn’t have to reinvent the solution to an already-solved problem.
According to GitHub’s 2020 State of the Octoverse report [PDF], “JavaScript has the highest number of median dependencies (10), followed by Ruby and PHP (nine), and Java (eight), with .NET and Python having the least (six).”
But each of these direct dependencies may have indirect or transitive dependencies – modules imported by other modules. Imagine a dinner guest who brings a friend and that friend invites a few more people, each of whom brings a plus-one or more. Things get unmanageable quickly.
That is how the median JavaScript application ends up with around 683 transitive dependencies.
In other languages like PHP, Ruby, and Python, the median dependency totals are lower – 70, 68, and 19 respectively – due to packaging philosophy differences across language ecosystems. Specifically, the JavaScript ecosystem, which relies on the npm Package Registry, encourages micropackaging – lots of little libraries – in a way that other languages don’t.
Point being, developers create apps that import a lot of software from third parties which needs to be scrutinized for security flaws.
Enter Coana. While Socket built tools to find vulnerabilities, Coana built tools to identify which vulnerabilities can be ignored.
Coana developed a way to do reachability analysis, in order to determine whether attackers can actually reach and exploit a software vulnerability.
Aboukhadijeh likened reachability analysis to looking at the number of doors in a house. If the front door is unlocked, there’s an immediate security risk. But if there’s an unlocked door in the basement behind several other locked doors, there are probably better things to worry about.
Other companies have implemented reachability analysis systems, said Aboukhadijeh, but he contends their tools are slow.
“You kind of can end up with a scan that takes like 10 hours to run, or on large code bases, it never completes,” he explained. “So it’s hard to actually deploy this.”
Coana’s implementation, he said, completes in a reasonable amount of time, with few false negatives or false positives.
Martin Torp, Coana’s co-founder and chief product officer, said their approach relies on static analysis rather than runtime analysis, mainly because it’s much easier to deploy.
“But the difficulty with static analysis is that there is this trade-off between how precise we want the analysis to be versus how scalable it should be,” he said. “And finding that sweet spot between something that actually scales to really large enterprise applications but still produces really accurate results is quite difficult.”
Torp explained that Coana made its static analysis – analyzing code without running it – more efficient by making some assumptions about the way people actually program.
“So we know that there are certain patterns in code that you theoretically can write but that are really rare in practice,” said Torp. “By finding that heuristic for how people actually write code, we’ve been able to build something which is really good at scalable analysis but also has a very low false negative rate and low false positive rate.”
The results, he added, are really compelling for dynamic programming languages like JavaScript and Python, which are known to be harder to analyze statically because they have properties that aren’t evident until the program is running.
“The scenario from the user’s perspective is that they have an application,” Torp said. “That application depends on some software libraries, some packages. And in these packages, there are vulnerabilities. That’s almost always the case. And what the reachability analysis does is to scan through the whole application, including the dependency code, and filter out or mark all of the vulnerabilities that are actually relevant in the context of that particular application.”
Essentially, the user will be told that certain vulnerabilities can’t reasonably be exploited, lightening the workload for security teams.
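To make the reachability idea concrete, here is a toy static call-graph reachability check written for this article. It is an added example, not Coana's or Socket's code, and it says nothing about how their analysis actually works. It uses Python's standard `ast` module over three constructed source modules (`app`, `parser_lib`, `archive_lib`; all names are hypothetical, and `extract_unsafe` stands in for a vulnerable function in a dependency). It resolves only the cases a simple heuristic can handle, direct calls through `import`/`from ... import` names and same-module functions, and reports any function containing a call it cannot resolve (`getattr`, `eval`, calling a variable) so that the "unreachable" verdict is never reported where a false negative is possible:

```python
"""Toy static reachability analysis (added example, not Coana/Socket code).

Assumptions: flat call graph keyed by 'module.function'; calls resolved only
through plain imports and same-module names; anything dynamic is flagged.
"""
import ast
from collections import deque

# Constructed sample sources: an application and two hypothetical dependencies.
SOURCES = {
    "app": """
import parser_lib

def handle_request(body):
    return parser_lib.parse(body)

def dispatch(name, body):
    fn = getattr(parser_lib, name)   # dynamic call: not resolvable statically
    return fn(body)

def main():
    return handle_request("payload")
""",
    "parser_lib": """
from archive_lib import extract_safe, extract_unsafe

def parse(text):
    return extract_safe(text)

def parse_legacy(text):
    return extract_unsafe(text)   # the only static path to the vulnerable sink
""",
    "archive_lib": """
def extract_safe(data):
    return data

def extract_unsafe(data):   # hypothetical vulnerable function (constructed)
    return data
""",
}

DYNAMIC_CALLS = {"getattr", "eval", "exec", "__import__"}


def build_call_graph(sources):
    """Return (graph, dynamic_sites).

    graph maps 'module.func' -> set of 'module.func' it calls directly.
    dynamic_sites holds functions containing a call the analysis cannot
    resolve, i.e. places where a false negative is possible.
    """
    graph = {}
    dynamic_sites = set()
    for mod, src in sources.items():
        tree = ast.parse(src)
        aliases = {}  # local name -> fully qualified target
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for node in tree.body:
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom):
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            caller = f"{mod}.{fn.name}"
            callees = graph.setdefault(caller, set())
            for node in ast.walk(fn):
                if not isinstance(node, ast.Call):
                    continue
                target = node.func
                if isinstance(target, ast.Name):
                    if target.id in DYNAMIC_CALLS:
                        dynamic_sites.add(caller)
                    elif target.id in aliases:
                        callees.add(aliases[target.id])
                    elif target.id in local_funcs:
                        callees.add(f"{mod}.{target.id}")
                    else:
                        dynamic_sites.add(caller)  # calling a variable, unknown
                elif (isinstance(target, ast.Attribute)
                      and isinstance(target.value, ast.Name)
                      and target.value.id in aliases):
                    callees.add(f"{aliases[target.value.id]}.{target.attr}")
                else:
                    dynamic_sites.add(caller)  # method call on an object: untyped here
    return graph, dynamic_sites


def reachable_from(graph, entry):
    """Functions reachable from `entry` by following static call edges (BFS)."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for callee in graph.get(cur, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def classify(sources, entry, vulnerable):
    """'reachable', 'unreachable' or 'unresolved' for `vulnerable` from `entry`.

    'unresolved' means no static path was found, but something on the reachable
    set contains a dynamic call, so an 'unreachable' verdict could not be trusted.
    """
    graph, dynamic_sites = build_call_graph(sources)
    reached = reachable_from(graph, entry)
    if vulnerable in reached:
        return "reachable"
    if reached & dynamic_sites:
        return "unresolved"
    return "unreachable"


if __name__ == "__main__":
    for entry in ("app.main", "app.dispatch", "parser_lib.parse_legacy"):
        print(entry, "->", classify(SOURCES, entry, "archive_lib.extract_unsafe"))
```

Run from `app.main`, the vulnerable `archive_lib.extract_unsafe` is unreachable because the application only ever calls `parser_lib.parse`, which uses the safe routine; the same sink is reachable from `parser_lib.parse_legacy`, which the app never calls. `app.dispatch` comes back as unresolved: the `getattr` call is exactly the rare-in-practice pattern Torp describes, and a tool that quietly treated it as "unreachable" would be trading a false negative for a cleaner dashboard. The precision versus scalability trade-off in the article is the choice of how much of this dynamic behaviour to model rather than flag.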
The security workload isn’t getting better, it’s getting worse, said Aboukhadijeh, who said that Socket catches about 500 malicious packages a week.
“I’ve actually been told by the npm team that they don’t prioritize packages that are malicious if they have a low download count,” he said. ®