Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Mend

Breaking: What is Going on with the NVD? Does it Affect Me?

Headed by NIST, an American government institution, the National Vulnerability Database (NVD) contains vulnerability data that’s been key to protecting organizations both within and without the US borders for more than 20 years. Many security policies from both commercial and government organizations require that vendors take care of vulnerabilities of a particular severity as given by the NVD within a certain number of days.

Mend.io Launches Mend AI

Securing AI is a top cybersecurity priority and concern for governments and businesses alike. Developers have easy access to pre-trained AI models through platforms like Hugging Face and to AI-generated functions and programs through large language models (LLMs) like GitHub Co-Pilot. This access has spurred developers to create innovative software at an enormously fast pace.

What is the difference between an SCA scan and a container scan?

Are Software composition analysis (SCA) scans and container scans the same thing? The short answer is yes… and no. A comprehensive container image scan applies SCA specifically to containers in combination with other analyses particular to containers, such as how they’re configured to deploy and the presence of secrets. Read on to learn the key differences.

How is a Container Scan Done?

Containers offer many benefits, including lightweight portability from one environment to another, but they add a layer of complexity to application security that can introduce additional risks. There are many ways a container can become vulnerable to attack: through its source code, how the container is built, how the container is configured, how it secures secrets, and how it interacts with the host and other containers. Each of these avenues has its own security solutions and best practices.

Secrets Management vs Secrets Detection: Here's What You Need to Know

As the name might imply, it’s important to keep secrets secret. Access to even the smallest of secrets can open a window for attackers who can then escalate their access to other parts of the system, allowing them to find more important secrets along the way. Poor practices can leave many secrets lying around unprotected and just one seemingly unimportant secret can lead to a broad security breach.

CVSS 4.0 is Here: How to Make the Most of It

The CVSS (Common Vulnerability Scoring System) is a widely used standard that produces a score between 0 and 10 to indicate the level of severity of a vulnerability. The most popular spot to find CVSS scores is on the National Vulnerability Database (NVD) website, where you’ll see CVSS scores for all CVE (Common Vulnerabilities and Exposures) IDs.

Quality > Quantity: How to Get the Most Out of SAST

Static Application Security Testing (SAST) has a bit of a bad reputation. SAST tools can produce an overwhelming number of alerts and security teams, having often come from networking backgrounds, don’t always fully understand the alerts that they are passing on to developers for fixes. This can cause the relationships between the teams to sour, as developers often perceive this work as pointless and holding them back from working on their primary responsibilities like new features.

What Existing Security Threats Do AI and LLMs Amplify? What Can We Do About Them?

In my previous blog post, we saw how the growth of generative AI and Large Language Models has created a new set of challenges and threats to cybersecurity. However, it’s not just new issues that we need to be concerned about. The scope and capabilities of this technology and the volume of the components that it handles can exacerbate existing cybersecurity challenges. That’s because LLMs are deployed globally, and their impact is widespread.