
This post is the first in a new monthly series where we highlight the enterprise security tools we use internally and explain how they help us build secure software.
Here at SendSafely, we are avid users of Socket, the software supply chain security platform. Socket is designed to protect organizations from malicious, vulnerable, or risky open source dependencies by preventing their introduction and use in the first place. As enterprise customers, we use the full Socket tool suite, including the popular GitHub integration, the CLI, and now the recently launched Socket Firewall.
Unlike traditional vulnerability scanners, which focus primarily on known CVEs, Socket analyzes package behavior and history to detect potential threats before they reach an organization's development or production environments. Where possible, Socket also attaches a "reachability" rating to each alert to help assess whether the flagged code is actually exploitable in context. For example, Socket will trigger alerts when it identifies dependencies that:
- Execute unexpected install scripts
- Access the network or filesystem in unsafe ways
- Contain obfuscated or suspicious code
- Introduce unnecessary attack surface
- Have exploitable code paths that are actually reachable from your application
Socket integrates directly into development workflows, providing real-time feedback on pull requests, CI pipelines, and local development environments. Should a risky dependency be detected, Socket provides clear, contextual alerts that can be actioned immediately.
Why Socket Matters to SendSafely
Like most modern software companies, SendSafely relies on a curated, inventoried set of open source libraries. Open source accelerates innovation, but it also introduces supply chain risk. Malicious packages, typosquatting, compromised maintainers, and unsafe dependency behaviors have become increasingly common attack vectors in today's threat landscape. For example, the recent high-profile “Shai Hulud” attacks on the npm ecosystem are a clear indication that things are likely to get worse before they get better, especially as bad actors continue to sharpen their TTPs.
For us, protecting against those risks is critical. Socket helps by giving our team early visibility into emerging or previously unknown threats, not just vulnerabilities that have already been catalogued. This kind of proactive protection aligns well with how we think about security: embedded into the development process, not bolted on at the end.
A Good Fit for Our Security Culture
We look for security tools that are proactive, developer-friendly, and easy to integrate. Socket fits naturally into our existing GitHub and CI workflows, allowing us to shift security left without adding friction. Most importantly, it helps us continue to strengthen our proactive and preventative security controls while maintaining the high security bar our customers trust us to uphold.
What's Next
Socket is one of several enterprise security tools that help us build and operate securely at SendSafely. In future posts, we'll continue this series by highlighting additional tools and sharing how they fit into our broader security strategy.
If you're interested in secure software development or supply chain security, stay tuned.
SendSafely: Integrated File Transfer for the Apps you Love
If you are looking for a secure way to send or receive files with anyone, or simply need a better way to transfer large files, our platform might be right for you.