To identify malicious packages and protect yourself against them, you need to know what to look for. Here’s a simple guide. In January 2022, users of the popular open-source libraries “faker” and “colors” suddenly found their applications started to malfunction and display nonsensical data because they had been infected by a malicious package.

The GNU General Public License (GPL) is one of the most widely used open source software licenses. It was created by the Free Software Foundation (FSF) to protect the GNU’s software from being made proprietary. The GPL emphasizes the principles of software freedom and promotes the sharing of knowledge and collaboration. It is a copyleft license that requires any modified versions or derivative works to be licensed under the GPL.

Security is an increasingly critical aspect of application development. As the volume of applications rapidly expands, so does the volume of source code, components, and dependencies used to create them. With them comes a growth in the potential attack surface and an escalation in the variety of threats to your application security.

As the software bill of materials (SBOM) becomes ubiquitous for compliance and security purposes, what has previously been a nice-to-have option is fast becoming indispensable. If you want to do business with significant partners, such as public and federal organizations, and if you want to grow your business by floating your company or engaging in M&A activity, then you’re going to need SBOMs. This demand is driven by two key trends, one technical and the other legislative.

One often-overlooked risk in the bustling ecosystem of open-source software are vulnerabilities introduced through software dependencies. We mention this because today, a malicious actor took over a RubyGems package name with more than two million downloads. Mend.io technology detected the package before it could be used for an attack, but the case of ‘gemnasium-gitlab-service‘ serves as an important reminder of the risk of neglecting dependency management.

We hear a lot about the urgency of transition from DevOps to DevSecOps, and with good reason. The ongoing rise in cyberattacks across the software supply chain, coupled with a shifting regulatory landscape, highlights the growing urgency of improving application security. But it’s one thing to recognize the importance of integrating security into the software development process, and another thing to actually succeed at doing so.

We’re proud to announce that Mend.io has been recognized as a Visionary in the 2023 Gartner Magic Quadrant for Application Security Testing (authors Mark Horvath, Dale Gardner, Manjunath Bhat, Angela Zhao, Ravisha Chugh); (May 17, 2023).

Companies are increasingly concerned about the security of applications built on open source components, especially when they’re involved in mergers and acquisitions. Just like copyright for works of art, each piece of open source software has a license that states legally binding conditions for its use.

Managing dependencies is not for the faint of heart. For a single project, you may be able to keep up with dependencies on your own. For software codebases with hundreds of modules, however, even the most seasoned developer will quickly descend into dependency hell. Don’t worry: dependency hell has happened to the best of us! There are some things you can do to keep yourself sane and improve application security.