As we kick off the new year, we wanted to share a recap of what we've achieved so far at listen.dev, how we're thinking about our future roadmap, and what's next:
Merging upstream intelligence with downstream context
Our focus so far has been on building the upstream view. This involved developing in-house machinery to collect a range of granular signals from upstream open source. This upstream context is powered by comprehensive collection (including static heuristics, metadata, and dynamic signals) along with analysis infra that indexes, monitors and sandboxes package installations for every new module published on the public npm and PyPI registries today. Over the past year, we've battle-tested and optimized it for performance and cost.
The next phase of our roadmap involves building the downstream view. This will focus on agents that collect context from your downstream environments, like CI pipelines, where builds and QA take place. Currently, we capture dependency lists from lockfiles through GitHub, and will be extending this coverage through a CI-based sensor in the coming months.
Downstream Focus as a Key Differentiator
Traditional SCA tools primarily concentrate on upstream package analysis covering open source risk. However, this static, top-level view isn't sufficient to guard against modern attacks.
Our approach aims to provide a comprehensive AppSec solution for Dev/Sec/Ops offering:
  • Holistic Visibility: real-time coverage of your entire application environment and threat surface, including its complete software supply chain, during install and build time.
  • Actionable Alerts: intelligent insights like drift detection and anomalies from behavioural baselines help you focus remediation efforts.
  • Reduced False Positives: by correlating upstream and downstream context and tailoring policy definitions to your risk profile, we ensure alerts are relevant and critical to your teams.
This not only provides the first line of defense for supply chain attacks—preventing them before impact—but also helps teams understand how they happen through detailed forensics to develop a proactive security posture.
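To make the drift-detection and upstream/downstream correlation idea concrete, here is an added example (not listen.dev's code; the signal label format, the severity table and the sample data are all constructed for illustration). It builds a behavioural baseline from earlier sandboxed installs of a package, flags the signals a new version introduces, and keeps only alerts for versions that a downstream lockfile actually pins.

```python
from dataclasses import dataclass

# Constructed sample records (not listen.dev's schema): the dynamic signals seen
# while one package version was installed in a sandbox, labelled "<kind>:<value>".
@dataclass(frozen=True)
class InstallBehaviour:
    package: str
    version: str
    signals: frozenset

# Assumed severity per signal kind: network traffic and process spawns during
# install are the strongest markers of a hijacked package.
SEVERITY = {"net": "high", "exec": "high", "fs_write": "medium", "env_read": "low"}

def build_baseline(history):
    """Behavioural baseline: union of signals over previously observed versions."""
    baseline = set()
    for rec in history:
        baseline |= rec.signals
    return frozenset(baseline)

def detect_drift(baseline, candidate):
    """Alert on every signal the new version emits that the baseline never did."""
    alerts = []
    for sig in sorted(candidate.signals - baseline):
        kind, _, value = sig.partition(":")
        alerts.append({"package": candidate.package, "version": candidate.version,
                       "kind": kind, "value": value,
                       "severity": SEVERITY.get(kind, "low")})
    return alerts

def correlate_with_lockfile(alerts, lockfile_deps):
    """Downstream context: keep alerts only for versions a lockfile actually pins."""
    return [a for a in alerts if lockfile_deps.get(a["package"]) == a["version"]]

def run_demo():
    benign = frozenset({"fs_write:node_modules/left-widget", "env_read:HOME"})
    history = [InstallBehaviour("left-widget", "1.0.0", benign),
               InstallBehaviour("left-widget", "1.0.1", benign)]
    # 1.0.2 suddenly phones home (TEST-NET address) and spawns a shell at install.
    candidate = InstallBehaviour("left-widget", "1.0.2",
                                 benign | {"net:203.0.113.7:443", "exec:/bin/sh"})
    alerts = detect_drift(build_baseline(history), candidate)
    # Constructed lockfile pins: this project has already pulled in 1.0.2.
    return correlate_with_lockfile(alerts, {"left-widget": "1.0.2", "lodash": "4.17.21"})

if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['severity']}] {a['package']}@{a['version']} {a['kind']} {a['value']}")
```

A real deployment would feed the baseline from many historical versions and many packages, but the filtering step is what keeps an upstream-only anomaly from paging a team whose lockfile never pulled the affected version.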
Case study: Uncovering the Ledger Attack through Dynamic Behavioural Analysis
Our research team was down in the trenches with the recent Ledger attack. We published a post on the topic detailing our investigation and how we were able to detect the attack using listen.dev.