As developers of the modern-day world, we often rely upon open-source libraries and frameworks to build various products. As others create these libraries - their source code is often overlooked and your projects might be at risk of supply-chain attacks. In a worst-case scenario, some open-source libraries could execute malware onto your devices and steal sensitive information. This is every developer's worst nightmare and PrivJs Safe intends to solve this problem.
PrivJs safe is an online service that blocks the installation of vulnerable open-source packages in your project. The security check is performed during install time and hence vulnerable packages are prevented from being installed into your machines.
PrivJs Safe acts as a firewall for protection against vulnerable npm packages. It is built mainly for organizations to log & secure all open-source package installations across all devices in the company and shield them from supply-chain attacks.
A supply chain attack can be explained in multiple ways, but for the context of developers - it is a type of cyber-attack that compromises the security of an organization through third-party dependencies. For example, if a dependency in your project is vulnerable to Remote Code Execution attacks - then it could act as an exploit for hackers to gain access to your servers.
Supply chain attacks are not just limited to vulnerabilities. Some packages create and execute malware on the devices to sniff out confidential information. Some dependencies are compromised through account takeover leading to the creation of a backdoor. Usually, these risks are identified but developers usually find out about these vulnerabilities after the dependencies are installed - which in our opinion is too late.
It only takes a few seconds for a malware to steal confidential data from your device.
PrivJs maintains a database of vulnerable packages & the versions and actively blocks the installation of those vulnerable package versions. So, when a developer runs the command $ npm install <some-package> - this package is first scanned for vulnerabilities by us, and only if it passes the security check, the installation proceeds. Otherwise, the installation is blocked.
PrivJs actively blocks the installation of vulnerable npm packages - enabling your organization to develop software without having to worry about underlying security vulnerabilities. Apart from blocking the vulnerabilities, PrivJs Safe also allows you to selectively **allow** the installation of packages that you trust or use as developer dependencies.
With a subscription to PrivJs Safe, your team also gets a complimentary license to the PrivJs Safe ESLint Plugin - which helps you to identify and secure vulnerable imports in your project.
PrivJs Safe has been a dream come true for us. Give it a try and let us know if you need anything from our end. We would be delighted to talk to you.