Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

September 2023

Vulnerability Assessment: A Guide

The complexity of technology is ever-increasing and the number of breaches (and the cost of dealing with them) is growing right along with it. Governments are cracking down and turning cybersecurity from nice to have to absolutely mandatory. In response, organizations across industries are taking a more serious look at their security posture and, with that, the need to perform thorough vulnerability assessments.

Mend Renovate Enterprise Edition Demo

Reduce Technical Debt with Scalable Automated Dependency Management Regularly maintaining and updating dependencies is crucial to ensuring application security, but in today’s high-volume development world, companies often struggle to balance security risk with development deadlines. Renovate Enterprise Edition helps teams cut technical debt while still meeting deadlines using a solution built for the needs of enterprise development teams. Now, companies can provision as many resources as they like to cover the size and scale of their entire organization without suffering performance problems due to resource limitations.

Mend.io's Rhys Arkins, VP Product Discussing Mend Renovate Enterprise Edition

Reduce Technical Debt with Scalable Automated Dependency Management Regularly maintaining and updating dependencies is crucial to ensuring application security, but in today’s high-volume development world, companies often struggle to balance security risk with development deadlines. Renovate Enterprise Edition helps teams cut technical debt while still meeting deadlines using a solution built for the needs of enterprise development teams. Now, companies can provision as many resources as they like to cover the size and scale of their entire organization without suffering performance problems due to resource limitations.

Mend Renovate Product Family Demo

Mend Renovate scans your software, discovers dependencies, automatically checks to see if an updated version exists, and submits automated pull requests. Mend.io provides Renovate as an open source solution as part of our support for the developer community. For those customers that need a fully scalable, fully supported, fully automated solution, we offer Renovate Enterprise Edition.

Holistic AppSec and Software Supply Chain Security

AppSec and software supply chain security require more than a loose collection of tools and a vulnerability remediation process. A holistic approach covers risk assessment, a secure software development life cycle, software composition analysis (SCA), SBOMs, static and dynamic application security testing (SAST/DAST), workflow automation, automated remediation, runtime protections, compliance reporting and more. Successful implementation of this holistic approach enables companies to shrink their overall attack surface and reduce technical and security debt.

What Role Should Dependency Management Play as the Regulation of the Software Supply Chain Escalates?

Two big trends are now converging that will change the way we view and implement software supply chain security and make dependency management a vital part of assuring security. Let’s look at why and how this is happening, and what it means for dependency management.

Container Images - Code Source

Mend for GitHub.com Code Source provides a streamlined and highly effective approach to tracing vulnerabilities back to their source code in repositories. Mend’s proprietary labeling achieves this by adding the source repository URL and the Dockerfile path to your Dockerfile using OCI annotations, saving you time in researching risks detected on your built container images.

Adversaries Are Using Automation. Software Vendors Must Catch Up

We won’t start yet another blog yammering about how bad the consequences of an attack are. There’s a lot on the line, including both financial and reputational losses. You get it. We get it. Cybercriminals definitely get it. Another thing cybercriminals get is automation. Attacks are up and their rise is expected to continue, in no small part due to the fact that attackers are using automation to scale their criminal enterprises.

How Supply Chain Attacks Work - And What You Can Do to Stop Them

Supply chain attacks made headlines in 2022, sending shockwaves through the industry as security and business leaders scrambled to reexamine the security of their own supply chains. In this webinar, experts talk through the stages of a supply chain attack and the different types of attacks to look for. You will also learn what tools and strategies you can start using immediately to assess your own supply chain security and put defenses in place to keep your supply chain protected.

The CISO's Guide to AppSec Innovation

Threat actors operate by an ironclad rule: If it’s important to businesses, it’s important to them. And they certainly understand the crucial business role of applications. Applications are now the number one attack vector, while software supply chain attacks increased 650 percent in a year. Clearly, if you don’t already have a modern application security program that can support today’s digital world, you need to build one.

Securing the Software Supply Chain: Key Findings From the Mend Open Source Risk Report

Open source vulnerabilities are in permanent growth mode. A significant quarterly increase in the number of malicious packages published in registries such as npm and rubygems have shown the increasing need to protect against this trending attack. At the same time, companies struggle to close the remediation gap on known vulnerable open source code. It’s all in The Mend Open Source Risk Report, which details these and other significant risks posed by the ongoing rise in open source vulnerabilities and software supply chain attacks.

Operationalizing DevSecOps Roundtable

DevSecOps best practices are increasingly being adopted to better secure software supply chains. The challenge, though, is finding ways to operationalize these processes so they’re seamless and development and deployment don’t slow down. Join Shiri Arad Ivtsan, Senior Director of Product Management – Mend.io, in this editorial roundtable as these experts explore the challenges DevOps teams and developers face in operationalizing security into their workflows and processes, what’s taking so long to do so and how AI and automation can help.

Malicious Packages Special Report - Attacks Move Beyond Vulnerabilities

Threat actors are after our sensitive data. In 2023, the number of malicious packages published to Node Package Manager (npm) and RubyGems ballooned 315% compared to 2021, and 85% of malicious packages discovered in existing applications were capable of exfiltration – meaning they could cause an unauthorized transmission of information. Software packages containing malicious code are a growing threat, and they may have unknowingly infiltrated your applications.

AWS and Mend.io Webinar: Five Principles of Modern Application Security Programs

Organizations of all kinds are experiencing increasing volumes, frequency, and severity of cyberattacks. 71% of IT and security leaders say that their portfolio of applications has become more vulnerable in the last year alone, and cybercrime is expected to cost companies worldwide around $10.5 trillion annually by 2025. To fight this trend, organizations need a resilient AppSec strategy that can reinforce trust, reliability, and security when faced with adverse conditions.

Communicating the Value of Your Company With SBOMs

A Software Bill of Materials (SBOM) is a detailed, machine-readable, nested list of all of the third-party components and their dependencies that compose a modern software product. SBOMs have particular importance in the health, finance, critical infrastructure, and military sectors, and in mergers and acquisitions, but all industries and applications can benefit from them. SBOMs have been around for over a decade but they’ve gained serious traction in the wake of the SolarWinds breach.

Software Supply Chain Security: The Basics and Four Critical Best Practices

Modern enterprise software is typically composed of some custom code and an increasing amount of third-party components, both closed and open source. These third-party components themselves very often get some of their functionality from other third-party components. The totality of all of the vendors and repositories from which these components (and their dependencies) come make up a large part of the software supply chain.

How Software Supply Chain Security Regulation Will Develop, and What Will It Look Like?

The escalation of international legislative interest in regulating the software supply chain has led to an increasing likelihood that tools such as software bills of materials (SBOMs) and AppSec solutions will become essential for companies doing business in the public sector or in highly regulated industries. However, the process of building and enforcing effective regulations presents challenges as well.

Why Legal Regulation Shifts Responsibility for Software Supply Chain Security to Vendors

In the face of increasingly impactful malicious attacks, governments of leading economies have turned their attention to the software supply chain security. Regulations like the EU’s Digital Operational Resilience Act (DORA) for financial institutions and the Cyber Resilience Act (CRA) for software and hardware providers Australia’s 2023-2030 cybersecurity strategy, and the U.S.

Are You Protected from the 12 Most Exploited Vulnerabilities?

One of the most vital things to get right in application security is dependency management, and to achieve this, your suite of AppSec tools must be up to date. This means that your vulnerability scanning, detection, and remediation capabilities must be able to identify and address the newest and most exploited vulnerabilities. Do you know what these vulnerabilities are? Have you got them covered? With the help of some of the world’s leading cybersecurity authorities, you can be.