Stop Downloading Packages from PyPI and NPM Directly
Typosquatting attacks, malicious packages, and other novel attack vectors pose significant risks to any organization leveraging open-source dependencies.
In recent years, the number of such attacks has increased dramatically, and it is becoming increasingly dangerous to manage and monitor package installations from central repositories such as PyPI and NPM across large development teams.Performing scans only in CI/CD and production means your local development environments could be vulnerable to attack.
By facilitating the installation and use of packages which meet your organization's Safety policy, Gateway prevents malicious and vulnerable packages from being introduced.
Protect Against Typosquatting and Malicious Package Attacks
Typosquatting attacks can be a significant threat to software security.
Safety Gateway shields your organization by detecting and preventing the installation of packages with names similar to legitimate ones but contain malicious code.
By effectively countering typosquatting, Safety Gateway reduces the risk of inadvertent exposure to security vulnerabilities.
tensroflow is an example of a typosquatting package that was uploaded to PyPI on Feb 10, 2023. Containing malicious code, this package was effectively impersonating the popular package tensorflow.
An intentional single character typo like this can result in malware infecting thousands of machines within hours of being uploaded to package authorities such as PyPI or NPM.
If attempted while using Safety Gateway, the installation of the malicious or untrustworthy package would be blocked, alerting the user and logging the Finding to the central dashboard.
about how Safety has detected such malicious packages long before the package authorities detect them.
Configure and Deploy in Minutes, Not Weeks.
Traditional package managers are complex, requiring weeks to configure and deploy, and significant overhead to maintain.
Safety Gateway can be configured and deployed in minutes, with baseline policies that are appropriate for most organizations pre-configured.
As an example, Safety Gateway can be configured to allow installation of packages that are:
- Greater than 30 days old
- In the top 50,000 packages available on pip or npm
- Free from known high-risk vulnerabilities
By configuring Gateway in this way, developers will be permitted to install dependencies that are well-maintained, popular and which contain no known vulnerabilities that could potentially impact your projects.
Shift Security Left
Maintain accurate Software Bill of Materials (SBOM) and meet compliance requirements. By integrating Safety Gateway into your development process, you can ensure secure software development practices while providing the necessary audit trails and reports.
Protection at every stage of the development lifecycle
By shifting security left and preventing the installation of vulnerable and malicious packages earlier in the software development lifecycle, we safeguard against such attack vectors before they reach CI/CD or Production. Safety Gateway takes a proactive stance by bringing security to the developer's machine, identifying vulnerabilities before they reach critical stages of development.
What is safe today may not be tomorrow. New vulnerabilities are often discovered days or weeks after a package is published. Safety CLI provides ongoing monitoring, allowing issues to be identified and fixed, and for policies to be automatically updated to prevent further installations.
Seamless Integration with Safety CLI and Platform
Safety Gateway empowers you to secure your software supply chain by preventing the entry of malicious and vulnerable packages.
It integrates seamlessly with the rest of the Safety suite, with all installation logs recorded in Safety Platform.
Whether you rely on pip or npm, Safety Gateway provides comprehensive protection.