Risk coverage

listen.dev covers common attack vectors and known indicators of harmful behaviour, as well as unknown and emerging threats. It addresses two kinds of risk:

  1. Dependency risks

  2. CI/CD risks

1. Dependency Risks

These risks come from compromised dependencies, usually transitive ones, pulled from public package registries such as npm and PyPI. Examples of dependency-related supply chain attacks are event-stream (npm, 2018), the Ledger Connect Kit (npm, 2023) and PyTorch (the malicious torchtriton package on PyPI, 2022).

Attack vectors include dependency (namespace) confusion, typosquatting and takeover of a legitimate package through social engineering or leaked maintainer credentials. Whatever the entry point, the malicious code runs when the package is installed, for example from an npm lifecycle script such as preinstall or postinstall, or from a PyPI package's setup.py, so the attack triggers inside the build system.

2. CI/CD risks

These are risks introduced by third parties in the pipeline itself: compromised build tools and actions, misconfigured pipelines (for example over-privileged tokens or runners) and other vulnerabilities in CI/CD components.

Why do you need proactive security at build-time?

Our starting coverage is on threats that trigger during package installation in the build phase, the stage where third-party libraries get bundled with internal application code. These threats can compromise development environments and CI/CD systems, or give the attacker an entry point into production applications and infrastructure.

Threats that trigger during build processes in CI/CD environments

If a malicious package gets installed during the build, an attacker can perform activities such as the following in the context of the build system:

  • Steal source code and any hardcoded secrets in it.

  • Plant a backdoor in the code so that it ships to production with the build.

  • Steal compute resources (CPU, GPU, RAM) for activities like crypto mining.

  • Steal environment variables, sensitive files, credentials, certificates and similar secrets.

  • Use the collected data for lateral movement and privilege escalation.

© 2024 Garnet Labs