
Safety Gateway

Secure Third-Party Dependency Installation

Safety Gateway is a virtual package repository used to manage, secure, and monitor the usage and installation of third-party packages.

Stop Downloading Packages from PyPI and NPM Directly

Typosquatting attacks, malicious packages, and other novel attack vectors pose significant risks to any organization leveraging open-source dependencies.

In recent years, the number of such attacks has increased dramatically, and it is becoming increasingly difficult to manage and monitor package installations from central repositories such as PyPI and NPM across large development teams. Performing scans only in CI/CD and production means your local development environments remain exposed to attack.

By facilitating the installation and use of packages which meet your organization's Safety policy, Gateway prevents malicious and vulnerable packages from being introduced.

Protect Against Typosquatting and Malicious Package Attacks

Typosquatting attacks can be a significant threat to software security.

Safety Gateway shields your organization by detecting and preventing the installation of packages whose names are similar to legitimate ones but that contain malicious code.

By effectively countering typosquatting, Safety Gateway reduces the risk of inadvertent exposure to security vulnerabilities.


Example:

tensroflow is an example of a typosquatting package that was uploaded to PyPI on Feb 10, 2023. It contained malicious code and impersonated the popular package tensorflow.

An intentional single character typo like this can result in malware infecting thousands of machines within hours of being uploaded to package authorities such as PyPI or NPM.

If attempted while using Safety Gateway, the installation of the malicious or untrustworthy package would be blocked, alerting the user and logging the Finding to the central dashboard.

Read more about how Safety has detected such malicious packages long before the package authorities detect them.

Using Safety Gateway, installing "tensorflow" is permitted:

    pip install tensorflow
    Collecting tensorflow
      Downloading tensorflow-2.13.0-cp311-cp311-macosx_12_0_arm64.whl (1.9 kB)

If the developer mistypes the name as "tensroflow", Gateway blocks the installation:

    pip install tensroflow
    tensroflow cannot be installed.
    This is a malicious package.
    Did you mean to install tensorflow? Y/N

Configure and Deploy in Minutes, Not Weeks.

Traditional package managers are complex, requiring weeks to configure and deploy, and significant overhead to maintain.

Safety Gateway can be configured and deployed in minutes, with baseline policies that are appropriate for most organizations pre-configured.

As an example, Safety Gateway can be configured to allow installation of packages that are:

- Greater than 30 days old
- In the top 50,000 packages available on pip or npm
- Free from known high-risk vulnerabilities

By configuring Gateway in this way, developers will be permitted to install dependencies that are well-maintained, popular and which contain no known vulnerabilities that could potentially impact your projects.
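The following is an added example, not Safety's code: a toy install gateway that applies the three policy rules listed above (minimum age, popularity rank, no known high-risk vulnerabilities) together with the look-alike-name check described in the typosquatting section. The package index, dates, ranks and advisory id are all constructed for the example; the only fact taken from the page is that tensroflow appeared on PyPI on Feb 10, 2023. Evaluating the look-alike rule before the metadata rules is a design choice of this example, so that a squatted name is reported with the package the developer probably meant.

```python
"""Toy install-gateway policy evaluator (added example, not Safety Gateway's code).
Sits conceptually between pip/npm and the registry and decides per package name.
All metadata below is constructed for illustration."""
from datetime import date
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    allowed: bool
    reason: str
    suggestion: Optional[str]  # legitimate package the user probably meant, if any


# Baseline policy mirroring the example configuration on the page.
POLICY = {"min_age_days": 30, "max_rank": 50_000, "lookalike_max_distance": 1}

# Constructed registry metadata: first upload date, popularity rank (None = unranked)
# and known high-risk advisories. Dates, ranks and the advisory id are illustrative.
INDEX = {
    "tensorflow": {"first_upload": date(2016, 1, 1), "rank": 120, "high_risk_vulns": []},
    "requests":   {"first_upload": date(2012, 1, 1), "rank": 1, "high_risk_vulns": []},
    "tensroflow": {"first_upload": date(2023, 2, 10), "rank": None, "high_risk_vulns": []},
    "newlib":     {"first_upload": date(2023, 2, 20), "rank": 40_000, "high_risk_vulns": []},
    "nichelib":   {"first_upload": date(2019, 6, 1), "rank": 80_000, "high_risk_vulns": []},
    "oldlib":     {"first_upload": date(2018, 1, 1), "rank": 2_000,
                   "high_risk_vulns": ["EXAMPLE-ADVISORY-0001"]},  # constructed id
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so a single swapped pair ('tensroflow' -> 'tensorflow') costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def evaluate(name: str, today: date = date(2023, 3, 1),
             index: dict = INDEX, policy: dict = POLICY) -> Decision:
    """Decide whether `name` may be installed under `policy` as of `today`."""
    popular = [n for n, m in index.items()
               if m["rank"] is not None and m["rank"] <= policy["max_rank"]]
    # 1. Look-alike check first: a name that is not itself popular but is within one
    #    edit of a popular package is treated as a probable typosquat regardless of
    #    its other metadata, and the legitimate name is offered as the suggestion.
    if name not in popular:
        for legit in popular:
            if osa_distance(name, legit) <= policy["lookalike_max_distance"]:
                return Decision(False, f"possible typosquat of {legit}", legit)
    meta = index.get(name)
    if meta is None:
        return Decision(False, "package not found in index", None)
    # 2. Minimum age: brand-new uploads have had no time to be vetted.
    age_days = (today - meta["first_upload"]).days
    if age_days < policy["min_age_days"]:
        return Decision(False, f"package is only {age_days} days old", None)
    # 3. Popularity: unranked or long-tail packages are outside the allowlist.
    if meta["rank"] is None or meta["rank"] > policy["max_rank"]:
        return Decision(False, f"package is outside the top {policy['max_rank']}", None)
    # 4. Known high-risk vulnerabilities block the install even for popular packages.
    if meta["high_risk_vulns"]:
        return Decision(False, "known high-risk vulnerabilities: "
                        + ", ".join(meta["high_risk_vulns"]), None)
    return Decision(True, "meets policy", None)


if __name__ == "__main__":
    for pkg in ["tensorflow", "tensroflow", "reqests", "newlib", "nichelib", "oldlib"]:
        d = evaluate(pkg)
        line = f"{'ALLOW' if d.allowed else 'BLOCK':5} {pkg}: {d.reason}"
        if d.suggestion:
            line += f" (did you mean {d.suggestion}?)"
        print(line)
```

Running the block prints one verdict per constructed package: tensorflow is allowed, tensroflow and reqests are blocked as look-alikes with the legitimate name suggested, and newlib, nichelib and oldlib are each blocked by a different one of the three metadata rules.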


Shift Security Left

- Developer-First: easy to use and deploy. Switch to Gateway's secure package repository across your team in minutes.
- Unchanged Development Process: continue using familiar package managers like pip, poetry, pipenv and npm. Safety Gateway is a secure, configurable version of PyPI and NPM that provides clear and actionable recommendations for secure package versions based on your organization's policies.
- Safeguard Against Malicious Attacks: block typosquatting and other novel threats from infiltrating your systems and ensure the integrity and security of your applications.
- Central Policy Management: allows DevSecOps to build package usage policies aligned with your organization's risk posture. Logging and audit trails are available for all package installations, allowing you to identify vulnerable installations across your environments.
- Compliance and Audit: maintain an accurate Software Bill of Materials (SBOM) and meet compliance requirements. By integrating Safety Gateway into your development process, you can ensure secure software development practices while providing the necessary audit trails and reports.

Protection at every stage of the development lifecycle

By shifting security left and preventing the installation of vulnerable and malicious packages earlier in the software development lifecycle, we safeguard against such attack vectors before they reach CI/CD or Production. Safety Gateway takes a proactive stance by bringing security to the developer's machine, identifying vulnerabilities before they reach critical stages of development.

What is safe today may not be tomorrow. New vulnerabilities are often discovered days or weeks after a package is published. Safety CLI provides ongoing monitoring, allowing issues to be identified and fixed, and for policies to be automatically updated to prevent further installations.

Seamless Integration with Safety CLI and Platform

Safety Gateway empowers you to secure your software supply chain by preventing the entry of malicious and vulnerable packages.

It integrates seamlessly with the rest of the Safety suite, with all installation logs recorded in Safety Platform.

Safety Gateway supports multiple languages and ecosystems, including Python, Java, and JavaScript.

Whether you rely on pip or npm, Safety Gateway provides comprehensive protection.
