My whole career has revolved around helping enterprises use open source software, and the vast majority of that time I’ve focused on security. The last few years in particular, I have been primarily focused on application security. In that time, I’ve noticed that while there has been an explosion of tools in this segment, there are still some serious unsolved problems, especially where the software supply chain is concerned. Hunted Labs is the first to not only see the same gaps I’ve identified, but to actually do something about them. So, when the opportunity presented itself to join the team, I knew I had to take it.
Three Unaddressed Problems in Securing Modern Software
- We no longer fully understand how our software actually gets built
- We underestimate how much open source software we’re consuming
- We’re completely unaware of how much trust we’re placing in open source maintainers
The Hidden Dangers of Dependencies
Modern applications are built on a foundation of open source dependencies, each with its own set of transitive dependencies. This intricate web introduces vulnerabilities that many developers never consider. The Log4Shell incident a couple of years ago, which allowed hackers to run wild on affected systems, serves as a stark reminder of how seemingly innocuous libraries can pose significant security risks.
The Overwhelming Scale of Open Source Usage
The sheer volume of open source packages used in today’s software development has grown exponentially. This growth has made it increasingly challenging to keep up with security patches and advisories. The recent inability of NIST to maintain the National Vulnerability Database (NVD) underscores the unsustainability of our current approach to managing these risks.
The Reality of Malicious Actors in Open Source
The recent XZ Utils incident proved that the threat of malicious actors infiltrating open source projects is no longer theoretical. It is a fact. The event, a sophisticated and likely state-sponsored attack, demonstrates how vulnerabilities can be introduced into critical infrastructure through obscure yet pivotal projects. It also highlights the need for better tools and processes to identify and mitigate such threats.
Why Hunted Labs?
In my various roles as a consultant, account manager, and sales engineer, I’ve had countless conversations with developers and security professionals about their challenges and pain points. While many security vendors promise comprehensive solutions, most of them are just reheated versions of yesterday’s tools.
Hunted Labs isn’t building a panacea – nor does it make that promise – but what I’ve seen (and what ultimately led me to choose Hunted Labs) is the opportunity it presents to make a meaningful difference in protecting the software supply chain. By leveraging new data sources and building new tools that provide deeper insights into our customers’ projects, we can better understand the open source ecosystem and the risks it presents.
I’m thrilled to be part of the Hunted Labs team, and I look forward to the impact we’ll make throughout the world of software security and development.