Should I Build It Should I Build It
17 Apr 2025
Open Source GitHub Developer Tools Security

A cybersecurity tool to scan your open source dependencies for malware

Confidence
Engagement
Net use signal
Net buy signal

Idea type: Swamp

The market has seen several mediocre solutions that nobody loves. Unless you can offer something fundamentally different, you’ll likely struggle to stand out or make money.

Should You Build It?

Don't build it.

Your are here

The idea of a cybersecurity tool to scan open-source dependencies for malware falls into a crowded space, categorized as a 'Swamp.' This means there are already numerous solutions available, but none have truly captured the market or garnered significant user love. With 10 similar products already identified, competition is high, increasing the challenge of standing out. Engagement in this category appears low, with an average of only 1 comment per product launch, meaning that it will be hard to capture user attention, especially at the early stage. Because of this, even though there is clearly demand for such product, it might be hard to create a profitable business.

Recommendations

  1. Given the 'Swamp' classification and existing competition, thoroughly investigate why current solutions haven't resonated with users. Analyze their shortcomings in terms of usability, features, and pricing. Understanding these failures is crucial before investing further effort.
  2. If you still want to pursue this idea, identify a specific niche or group of users with unique needs that are not being adequately addressed by existing tools. For example, target companies using a particular programming language or operating within a specific industry vertical with unique security requirements. This will help you differentiate your product and attract a focused user base.
  3. Instead of directly competing with established players, explore the possibility of building tools or plugins that enhance existing dependency scanning platforms. This could involve creating a specialized vulnerability database, developing advanced analysis algorithms, or offering improved integration with existing development workflows. This approach allows you to leverage existing infrastructure and user bases.
  4. Consider exploring adjacent problems in the cybersecurity space that might offer more promising opportunities. For instance, focus on securing the software supply chain, detecting vulnerabilities in container images, or providing real-time threat intelligence for open-source components. Expanding the scope might reveal unmet needs and less crowded markets.
  5. Based on the discussions around similar products, focus on stability and low resource usage, as users have reported issues with these aspects. Ensure thorough documentation and clear explanations of how your tool works, especially regarding anomaly detection.
  6. Given that mobile app developers are concerned about privacy policies, make sure yours is front and center and mobile-friendly. This seemingly small detail can have a big impact on your brand's image and trust.

Questions

  1. What specific, unmet needs do your target users have regarding open-source dependency scanning, and how will your solution address them in a fundamentally different way compared to existing tools?
  2. What unique data sources, analysis techniques, or integration methods will you employ to provide superior malware detection capabilities compared to your competitors?
  3. How will you ensure the stability and low resource footprint of your tool, especially when dealing with large codebases and complex dependency graphs, given the user concerns of similar products?

Your are here

The idea of a cybersecurity tool to scan open-source dependencies for malware falls into a crowded space, categorized as a 'Swamp.' This means there are already numerous solutions available, but none have truly captured the market or garnered significant user love. With 10 similar products already identified, competition is high, increasing the challenge of standing out. Engagement in this category appears low, with an average of only 1 comment per product launch, meaning that it will be hard to capture user attention, especially at the early stage. Because of this, even though there is clearly demand for such product, it might be hard to create a profitable business.

Recommendations

  1. Given the 'Swamp' classification and existing competition, thoroughly investigate why current solutions haven't resonated with users. Analyze their shortcomings in terms of usability, features, and pricing. Understanding these failures is crucial before investing further effort.
  2. If you still want to pursue this idea, identify a specific niche or group of users with unique needs that are not being adequately addressed by existing tools. For example, target companies using a particular programming language or operating within a specific industry vertical with unique security requirements. This will help you differentiate your product and attract a focused user base.
  3. Instead of directly competing with established players, explore the possibility of building tools or plugins that enhance existing dependency scanning platforms. This could involve creating a specialized vulnerability database, developing advanced analysis algorithms, or offering improved integration with existing development workflows. This approach allows you to leverage existing infrastructure and user bases.
  4. Consider exploring adjacent problems in the cybersecurity space that might offer more promising opportunities. For instance, focus on securing the software supply chain, detecting vulnerabilities in container images, or providing real-time threat intelligence for open-source components. Expanding the scope might reveal unmet needs and less crowded markets.
  5. Based on the discussions around similar products, focus on stability and low resource usage, as users have reported issues with these aspects. Ensure thorough documentation and clear explanations of how your tool works, especially regarding anomaly detection.
  6. Given that mobile app developers are concerned about privacy policies, make sure yours is front and center and mobile-friendly. This seemingly small detail can have a big impact on your brand's image and trust.

Questions

  1. What specific, unmet needs do your target users have regarding open-source dependency scanning, and how will your solution address them in a fundamentally different way compared to existing tools?
  2. What unique data sources, analysis techniques, or integration methods will you employ to provide superior malware detection capabilities compared to your competitors?
  3. How will you ensure the stability and low resource footprint of your tool, especially when dealing with large codebases and complex dependency graphs, given the user concerns of similar products?

  • Confidence: High
    • Number of similar products: 10
  • Engagement: Low
    • Average number of comments: 1
  • Net use signal: 9.0%
    • Positive use signal: 9.0%
    • Negative use signal: 0.0%
  • Net buy signal: 0.0%
    • Positive buy signal: 0.0%
    • Negative buy signal: 0.0%

This chart summarizes all the similar products we found for your idea in a single plot.

The x-axis represents the overall feedback each product received. This is calculated from the net use and buy signals that were expressed in the comments. The maximum is +1, which means all comments (across all similar products) were positive, expressed a willingness to use & buy said product. The minimum is -1 and it means the exact opposite.

The y-axis captures the strength of the signal, i.e. how many people commented and how does this rank against other products in this category. The maximum is +1, which means these products were the most liked, upvoted and talked about launches recently. The minimum is 0, meaning zero engagement or feedback was received.

The sizes of the product dots are determined by the relevance to your idea, where 10 is the maximum.

Your idea is the big blueish dot, which should lie somewhere in the polygon defined by these products. It can be off-center because we use custom weighting to summarize these metrics.

Similar products

Relevance

Vet now supports detecting malicious packages

31 Dec 2023 GitHub

If you are worried about the recent Lazarus group software supply chain attack, you should consider having guard rails that is more than conventional SCA. `vet` detects the package (version) published in the report as malware.Try out vet, its free and open source: https://github.com/safedep/vetMore details on the attack: https://www.nodejs-security.com/blog/north-korea-malware-on-...

Avatar
6
6
Relevance

I built a tool for policy driven vetting of open source packages

12 Nov 2023 Open Source GitHub Developer Tools Security

Linux Foundation survey says 70-90% of modern software constitute OSS code. Yet we are stuck with tools that scan only for vulnerabilities in 3rd party libraries and that too with high degree of false positives. I built `vet` for policy and data driven analysis of 3rd party packages that goes beyond only vulnerability and allows codifying organisational policies related to OSS consumption.https://github.com/safedep/vetLooking forward to feedback and suggestions from HN :)

Avatar
7
7
Relevance

Trusty – Dependency Software Supply Chain Security

07 Nov 2023 Developer Tools

Trusty - Search for an open source package to understand its trustworthiness based on activity, provenance, and more. Brought to you by the founders of projects such as Kubernetes and Sigstore.Hey, Luke here the CTO of stacklok. This is an early experimental preview of Trusty. We use statistical analysis to observe millions of packages and found that Malware typically follows certain patterns. We found this tool really useful to help understand the packages we our pulling into our software and wanted to share it with others.It's still early in and we have a lot more features that will be landing weekly.

Avatar
14
14
Relevance

Proactive Security Monitoring for GitHub Actions Workflows

26 Jun 2024 GitHub Developer Tools Tech Security

Hey HN, it's Farrukh and Umar. We're building listen.dev–a tool for proactive security monitoring in GitHub Actions to secure software releases from supply chain threats.Why we built this:As friends and collaborators for over a decade, we've been working on various startup ideas in dev tools and infrastructure. In 2017, while building an ML ops toolkit on Kubernetes, we got hacked. During a pilot with a fintech customer, our cluster became victim to a crypto-jacking attack.As it turned out, a dependency in our container base image contained malware (a Monero miner) which triggered inside the customer's environment. Needless to say, we lost the customer and racked up a massive cloud bill as a tiny startup. This first-hand experience introduced us to one of the biggest challenges in software security today.The Problem:Modern engineering teams rely heavily on 3rd parties—from open source packages, base images and 3rd-party tooling to build & deploy software quickly. But this creates security blind spots exploited in modern supply chain attacks. Some high-profile cases targeting developer environments include:(1) event-stream: a malicious transitive dependency injected a wallet-drainer payload into the build process for CoPay’s bitcoin wallet (2) SolarWinds: a compromised build tool injected malicious code into downstream releases (3) Codecov: a bash uploader script inside the testing tool stole secrets when run in CIWhile most teams today incorporate some form of security scanning, it typically focuses on known vulnerabilities. In contrast, we detect zero-day threats and harden your build & release processes against malicious activity. With a focus on developer experience.Enter listen.dev: a tool to analyze the behavior of your GitHub Actions workflows. How it works:- Native integration via a simple workflow step. You can instrument your build, test, and release processes in any language or stack. - Observes low-level behaviors using eBPF (network, file, process signals) over each run - Detects anomalies and malicious activity using threat intelligence and out-of-the-box detections for known bads (e.g., info stealers making unknown network connections, reverse shells, tampering of builds etc.) - Offers in-line PR feedback with context, plugging into existing toolchains via webhooksBehind listen.dev is a team of builders and OSS maintainers with years of experience in security observability and developer tools—having previously worked on eBPF runtime security projects like Falco and Tracee. We're seeking feedback from DevOps and security folks to help us improve.You can sign up for free at https://lstn.dev/hn, install our GitHub action in under a minute, and start monitoring your repos.We'd love to hear from you–any feedback and questions are welcome. To learn more see https://docs.listen.dev and a video of how it works: https://lstn.dev/demo-video

Users show interest in the product's capabilities for hardening build clusters with k8s and Falco, and its low resource usage. There's curiosity about performance and stability, especially compared to Argus, and how it monitors GitHub Actions. The product supports short-lived steps and task duration is not an issue, with more documentation promised. A user reported successful test runs with semantic versioning but faced issues with the latest hash. There's also a request for clarification on a pinning issue via email.

Users have reported stability issues and high resource consumption with the Falco sidecar architecture. There are also concerns that it's too early for benchmarks and that anomaly detection is unclear without prior data. Additionally, the documentation is considered lacking in detail, and there are problems with the latest release hash not working by default.

Avatar
32
7
14.3%
7
32
14.3%
Relevance

Vet – Open-Source Software Supply Chain Security Tool

30 Oct 2024 Open Source

vet is a tool for identifying risks in open source software supply chain. It goes beyond just vulnerabilities and provides visibility on OSS package risks due to it's license, popularity, security hygiene, and more. vet is designed with the goal of helping software development teams consume safe and trusted OSS components through automated vetting in CI/CD.

Avatar
3
3
Top