The White House and the Executive Office of the President have just issued a memorandum for the heads of U.S. government and federal executive departments and agencies for enhancing the security of the software supply chain through secure software development practices.
As cyberattacks become more sophisticated and frequent, developers and security teams often become overextended in their efforts to protect their software and applications. In an article for Security, Daniel Elkabes, Mend’s vulnerability research team leader, highlights what cybersecurity leaders should invest in now to help set up their teams for the future.
#policies
This video in the series describeshow the Mend Unified agent can be used to check and fail CI/CD pipelines when open source vulnerabilities and licensing risks are detected.
Jeff Martin, vice president of product for Mend, was recently interviewed by Michael Vizard from the Techstrong Group. In a fascinating conversation on application security debt, the two shed a spotlight on the insufficiencies of the current security stance of many companies and the budgetary pressures that might be influencing them.
It’s no secret that most application security teams are overextended and short-staffed. In fact, a recent ESG study showed that many cybersecurity professionals experience increased stress and job burnout.
Malware has come a long way since it first made the scene in the late 1990s, with news of viruses infecting random personal computers worldwide. These days, of course, attackers have moved beyond these humble roots. Now they deploy a variety of innovative techniques to extract large amounts of money from businesses around the world. A similar development is taking place with malware’s upstart cousin – the emergence of malicious packages being uploaded to package registries.
The proliferation of third-party software components such as open source software(OSS) has triggered a growing need to keep track of it all. Why? Because when security vulnerabilities inevitably crop up in open source components, it’s pretty important to know whether your company uses that piece of code – or whether it appears in the myriad software dependencies inherent in open source.
As security researchers, we see new malicious methods being introduced on a daily basis from the ever-industrious global cadre of malicious actors. But not all of the things we find constitute breaking news. Sometimes, we run across something that doesn’t necessarily pose a threat, but still piques our interest. Instead of being the security equivalent of a four-course meal, it’s more of an amuse bouche.
A possible method of attacking your code base is a bit of social engineering that involves using open source to report potential bugs in software that provides reproduction applications. These applications can include malicious code that can compromise your software and applications. In the blog post, we’ll briefly look at why and how they operate, and how to mitigate this practice.
