If your organization develops software and applications to deliver products and solutions, then more than likely you’re using third-party open source components to help create them. According to most estimates, open source components now make up over 80 percent of software products.

Mend Supply Chain Defender reported and blocked dozens of packages from the same author. These packages targeted developers of many companies and frameworks like slack, Cloudflare, Datadog, Metamask, react, Shopify, OpenSea, Angular and more. A dependency confusion attack takes advantage of a software developer’s tendency to pull malicious code from public repositories rather than internal ones.

Developers love GitHub. It’s the biggest and most powerful collaboration platform that programmers, developers, and companies use to develop and maintain their software. It’s the biggest source code host with more than 200 million repositories. And it keeps growing. In 2021, more than 73 million developers used GitHub. It gained over 16 million new users in 2021 alone, and GitHub estimates that user numbers will increase to 100 million developers in the next five years.

Two packages of well-known origin were found exfiltrating Windows SAM and SYSTEM files, apparently as part of internal security research rather than a targeted dependency confusion attack. On June 6th, 2022, the Mend research team used Supply Chain Defender to detect and flag two malicious packages from the same author that contained identical code. We alerted npm and the packages were removed within three hours of publication.

After two years of virtual events, the Mend team was beyond excited to gather in San Francisco’s Moscone Center and connect with the tech community face to face. This year’s theme was ‘transformation,’ which couldn’t be more appropriate for us as we unveiled our new company name and integrated application security platform with automated remediation for SCA and SAST.

Cloud computing security architecture describes how an organization secures data, applications, and workloads hosted across cloud environments. It specifies all technologies — both software and hardware — allocated for protecting cloud assets, and defines the security responsibilities shared between the cloud services provider and the organization. Cloud security architecture is a component of the organization’s overall security approach.

When it comes to understanding the difference between open source software vulnerabilities and malicious threats, it’s helpful to think in terms of passive vs. active threats. Vulnerabilities can be attacked and exploited, but in a vacuum don’t pose a threat. Malicious threats are different —– they involve a threat actor actively planning to attack you.

For consecutive years, applications have remained the top attack vector for black hats, with supply chain attacks not far behind. At the same time, market research indicates that enterprise security managers and software developers continue to complain that their application security tools are cumbersome. When asked, many developers admit that they don’t run security tests as often as they should, and they push code to production even when they know it has security flaws.

How important is a company name, really? Turns out that it is pretty important, especially if the name you currently have does not represent what the company has become, or where it is going. Our name is what defines the vision, spirit, and ethos of who we are and what we are trying to accomplish—the strategy, technology, and culture all rolled into one. It needs to be crisp, memorable, and legally acquirable. Guess what? It is harder than it looks…

In 2011, my co-founders Azi Cohen, Ron Rymon, and I founded WhiteSource with a mission to automate all tasks surrounding the use and security of open source software. We were pioneering the software composition analysis (SCA) market before it had a name. Over the years, we’ve evolved to offer more value to our customers beyond our founding purpose.