Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

July 2023

SBOMs: A Roadmap for a Secure Software Journey

Software supply chain threats and increasing regulatory pressures make supply chain security a top priority for software organizations. While building secure applications is a must for any organization, the path to creating secure software is anything but clear. Software bills of materials (SBOMs) have emerged as an essential tool and a roadmap for organizations on their secure software journey.

The New Era of AI-Powered Application Security. Part Three: How Can Application Security Cope With The Challenges Posed by AI?

This is the third part of a blog series on AI-powered application security. Following the first two parts that presented concerns associated with AI technology, this part covers suggested approaches to cope with AI concerns and challenges. In my previous blog posts, I presented major implications of AI use on application security, and examined why a new approach to application security may be required to cope with these challenges.

Mend.io Product Overview Demo

Mend.io solves the toughest problems in application security for the largest and most demanding organizations in the world, and we do it with automation. Mend.io was the first application security vendor to provide automated remediation workflows for both open source and custom code. We have centered our product strategy on providing industry-leading prioritization of application security threats for both OSS and custom code, integrating automated dependency health to reduce the attack surface and ensuring fast and limitless scale to onboard developers and applications.

Strange Bedfellows: Software, Security and the Law

The ongoing rise in cyberattacks across the software supply chain and a shifting regulatory landscape are forging an unlikely alliance between CISOs, software leaders and legal experts. Privacy, the shifting and diverse regulatory landscape, liability and new AI/ML use cases all present unique challenges and opportunities for risk management, but to best navigate these challenges, legal teams must be involved, too. Why? Because today, software vulnerabilities can represent not just a business risk but a legal risk.

Two Birds, One Stone: Shrinking Security Debt and Attack Surfaces

Cybersecurity teams and developers continually struggle to reconcile what can seem like two competing priorities. Delivering new capabilities and addressing existing security technical debt. But what if they can do both at the same time? Forward-leaning AppSec programs are finding smart ways to reduce security debt by instituting a strategic approach to managing security vulnerabilities. This approach starts by reducing the attack surface early on and throughout development.

Malicious Package Trend Analysis

It might seem obvious that regularly upgrading software and dependencies means your software is inherently more secure, but in practice, this is hard to achieve. Choice Hotels struggled to manually maintain their codebase and remediate all the transitive vulnerabilities lurking in the code. Today’s compositional applications created a complex archeological exploration challenge for developers trying to resolve security issues across a codebase. It was time-consuming, tedious, and imperfect.

Why is Software Vulnerability Patching Crucial for Your Software and Application Security?

Software vulnerability patching plays a critical role in safeguarding your code base, software, applications, computer systems, and networks against potential threats, and ensuring they’re compliant, and optimized for efficiency. Organizations’ codebases have become increasingly complex, involving sophisticated relationships between components and their dependencies.

The New Era of AI-Powered Application Security. Part Two: AI Security Vulnerability and Risk

AI-related security risk manifests itself in more than one way. It can, for example, result from the usage of an AI-powered security solution that is based on an AI model that is either lacking in some way, or was deliberately compromised by a malicious actor. It can also result from usage of AI technology by a malicious actor to facilitate creation and exploitation of vulnerabilities.

Software Supply Chain Compliance: Ensuring Security and Trust in Your Software and Applications

Software and applications make the world go round. This naturally makes them a top attack target for threat actors, and highlights the importance of robust software supply chain compliance. But how do companies build and implement a compliance strategy that solves the challenges of modern application security? Let’s take a look.

The New Era of AI-Powered Application Security. Part One: AI-Powered Application Security: Evolution or Revolution?

Imagine the following scenario. A developer is alerted by an AI-powered application security testing solution about a severe security vulnerability in the most recent code version. Without concern, the developer opens a special application view that highlights the vulnerable code section alongside a display of an AI-based code fix recommendation, with a clear explanation of the corresponding code changes.

How Does SLSA Help Strengthen Software Supply Chain Security?

A relatively new way of strengthening your software supply chain security is to apply Supply Chain Levels for Software Artifacts (SLSA) in tandem with other tools such as software bills of materials (SBOMs), software composition analysis (SCA) for open source, and static application security testing (SAST) for proprietary code. Let’s take a look at what SLSA is and how its different levels work.

Why You Should Avoid Copy and Paste Code

So many things seem like a good idea at the time. The Red Sox selling Babe Ruth to the Yankees. Decca Records rejecting The Beatles. “New” Coca-Cola. Blockbuster passing on buying Netflix. The formation of Nickelback. Just popping into Ikea for a “quick” look around. Of course, we know differently. And the same can be said about copying and pasting code.