Attacks that leverage vulnerabilities in open source software are on the rise. How security teams respond to these incidents is key to what impact they will ultimately have. Oftentimes the attacks stemming from open source vulnerabilities are unpredictable, making them a big challenge for teams.

One of the biggest threats to software supply chain security is open source software applications and components. Many enterprises and small businesses have come to rely on open source solutions, and they are an important part of IT strategies today. But vulnerabilities in open source software present a risk because they can provide cyber criminals with a way to carry out attacks.

We are excited to announce the inaugural edition of the Mend.io Open-Source Reliability Leaderboard! Powered by data from Renovate, the wildly popular open-source dependency management tool, the Leaderboard presents the top packages in terms of reliability across three of the most widely used languages.

Malicious npm packages and their dangers have been a frequent topic of discussion — whether it’s hundreds of command-and-control Cobalt Strike malware packages, typosquatting, or general malware published to the npm registry (including PyPI and others). To help developers and maintainers defend against these security risks, Snyk published a guide to npm security best practices.

According to Mend.io research, the Apache 2.0 license is the most popular license of its kind, as 30% of open source licenses currently in use is Apache. Owing to its frequent use, it’s important to understand how the license works, its benefits, limitations, implications, and requirements. To help you, here are ten frequently asked questions about it.

The 2023 OSSRA report indicates that organizations are failing to patch high-risk vulnerabilities; our vulnerability deep-dive shows how to evaluate your own risk. According to the 2023 “Open Source Security and Risk Analysis” (OSSRA) report, 96% of commercial code contains open source material. In fact, 76% of the code that Black Duck® Audit Services scanned in 2022 was open source.

Open source code is a vital aspect of modern development. It allows developers to increase their application’s functionality, while reducing overall development time. However, the system isn’t perfect. The nature of third party software and it’s dependencies often creates opportunity for security vulnerabilities to lurk in libraries and downloads.

Modern applications are hugely dependent on open-source software. 80 percent of most organizations’ apps and code base is now open source, in some cases more. While this is great for swift development and innovation, it increases the possibility of vulnerabilities arising that bad actors can exploit, and it expands the potential attack surface.

GitHub's Push Protection is now free for all public repositories, a significant milestone for open-source security! Find out the key points you need to keep in mind before using it to safeguard your code repositories.