Our research team here at Mend has identified a new kind of malicious code that attackers can use to exploit genuine concerns about security and licenses. The code in the case below is used to prevent people from using unlicensed software, specifically by removing the code if it detects that the software is not licensed during the deployment stage. The code is tricky to understand and uses a web request to check if the software is being used legally.

At this point, it’s not too much to say that open source software runs the world. The GitHub Octoverse 2022 report shows that 90 percent of companies use open source, which appears in the vast majority of applications today.

The ongoing rise in open source vulnerabilities and software supply chain attacks poses a growing threat to businesses, which heavily rely on applications for success. Between 70 and 90 percent of organizations’ code base is open source, while vulnerabilities such as Log4j have significantly exposed organizations to cyberattacks.

The ongoing rise in open source vulnerabilities and software supply chain attacks poses a significant risk, and it will only increase. According to the Mend Open Source Risk Report, modern security best practices such as software composition analysis (SCA) are vital for stemming the rising tide of open source vulnerabilities in applications and software.

Attacks targeting the software supply chain are on the rise. Indeed, data from the Mend Open Source Risk Report shows a steady quarterly increase in the number of malicious packages published in 2022, with a significant jump in Q3, which jumped 79 percent from Q2. The European Cybersecurity Agency (ENISA) predicts that supply chain attacks will increase fourfold by 2022.

Application security is an essential part of the software development lifecycle, and getting it right should be a top priority in today’s ever-evolving and expanding digital ecosystem. Application security is the practice of protecting your applications from malicious attacks by detecting and fixing security weaknesses in your applications’ code.

Although it’s the holiday season, the festive spirit doesn’t extend to cyber attackers, who consider this a great opportunity to cause havoc. But the Mend research team doesn’t rest, and remains alert for threats and vulnerabilities. Our vigilant team has detected an attack on npm packages that utilized typosquatting to compromise nearly 300 NPM packages. Let’s take a look at the nature of the attack and what we did to protect our systems and our users.

Software applications are the weakest link when it comes to the security of the enterprise stack. In The State of Application Security, 2022, Forrester reports that the majority of external attacks occur either by exploiting a software vulnerability (35 percent) or through a web application (32 percent). Source: Forrester: The State of Application Security 2022

When it comes to open source vulnerabilities, we seem to be in permanent growth mode. Indeed, data from Mend’s Open Source Risk Report showed 33 percent growth in the number of open source software vulnerabilities that Mend added to its vulnerability database in the first nine months of 2022 compared with the same time period in 2021. However, while some vulnerabilities pose a severe business risk — hello, log4j — others can be safely ignored.

It stands to reason that if you’ve implemented a Static Application Security Testing (SAST) tool, you’ll want to reap the full value of the investment. But to accurately assess ROI, you need metrics that can evaluate factors such as overall results, KPI compliance, and timeframe. Only then can you estimate whether you’re making a real improvement to the security of your code base, and from that, assess the monetary value of these results.