Risk coverage

listen.dev provides comprehensive coverage against common attack vectors and known indicators of harmful behavior, as well as unknown and emerging threats. It covers two kinds of risks:

  1. Dependency risks

  2. CI/CD risks

1. Dependency Risks

These risks come from compromised dependencies–usually transitive– from public package registries such as npm and PyPi. Examples of dependnecy-related supply chain attacks are event-stream, ledger and PyTorch (torchitron).

Attack vectors could include namespace confusion, typo squatting or takeover of legitimate package via social engineering or credential leaks. In all cases, regardless of the entrypoint, the attack triggers inside the build system.

2. CI/CD risks

These are risks that come from 3rd parties, such as compromised build tools, misconfigurations and other vulnerabilities.


Why do you need proactive security at build-time?

Our starting coverage is on threats that trigger during installation of packages in the build phase-- the stage where 3rd-party libraries get bundled with internal application code. These threats can compromise development environments and CI/CD systems, or can be used by the attacker as an entrypoint to infiltrate production applications and infrastructure.

Threats that trigger during build processes in CI/CD environments

If a malicious package gets installed during the build, an attacker can perform some of these activities in the context of the build system:

  • Steal code and any hardcoded sensitive data along with it.

  • Plant a backdoor in code to be used after the code is deployed to the production environment.

  • Steal compute resources like CPU, RAM, etc. for activities like crypto mining.

  • Steal environment variables, sensitive files, credentials, certificates, etc.

  • Perform lateral movement and privilege escalation with the data collected.

listen.dev provides protection against such threats through the following approach:

  1. Monitoring builds to define baseline behavior: listen.dev profiles the behavior of dependencies (including network, filesystem, and process activities) in your CI pipeline to understand their benign state in trusted environments.

  2. Detect Drift: we continuously scan for any deviations from the established baseline, detecting unusual activities such as unexpected file modifications, connections to suspicious URLs, or the use of potentially malicious (or tampered) binaries.

  3. Proactive defense: in case of anomalous changes in package behavior, we alert users pre-emptively inside their workflows before the package is downloaded in downstream environments. This ensures early detection of vulnerabilities and maintains the integrity of development infra.

  4. Policy enforcement: listen.dev enables safe development practices at scale and protects software integrity through policy-based controls to block the completion of suspicious builds. This allows for prompt remediation in the development process.

Feedback and requests

Our team is constantly improving the ruleset and adding coverage for more attack vectors. If you have any specific requests or feedback, please reach out to us.

Last updated

© 2023 Garnet Labs