|
By Tom Abai
Polyfill.js is a popular open-source project that provides modern functionality on older browsers that do not support it natively; users embed it using the cdn.polyfill.io domain. On February 24, 2024, a Chinese company named Funnull acquired both the domain and the Github account. Following that acquisition, the developer, Andrew Betts, tweeted on his X account a warning for all of his service’s users urging them to remove any reference to polyfill from their code.
|
By AJ Starita
It’s not uncommon to hear people refer to updating dependencies as “dependency management”. They’re not wrong; keeping dependencies up to date is a big part of dependency management, but it’s not everything. Read on to learn more about the differences between the two.
|
By AJ Starita
AI promises many advantages when it comes to application development. But it’s also giving threat actors plenty of advantages, too. It’s always important to remember that AI models can produce a lot of garbage that is really convincing—and so can attackers. “Dark” AI models can be used to purposely write malicious code, but in this blog, we’ll discuss three other distinct ways using AI models can lead to attacks.
|
By AJ Starita
Only about 35 percent of the models on Hugging Face bear any license at all. Of those that do, roughly 60 percent fall under traditional open source licenses. But while the majority of licensed AI models may be open source, some very large projects–including Midjourney, BLOOM, and LLaMa—fall under that remaining 40 percent category. So let’s take a look at some of the top AI model licenses on Hugging Face, including the most popular open source and not-so-open source licenses.
|
By Jeff Martin
NIST has announced that it has filled the funding gap for the National Vulnerability Database (NVD) and hired a contractor to return it to its previous underwhelming state. What does that mean for us? Basically, The NVD is off life support, but we wouldn’t say it’s healthy. It’s more like “undead”.
|
By AJ Starita
The software supply chain is increasingly complex, giving threat actors more opportunities to find ways into your system, either via custom code or third-party code. In this blog we’ll briefly go over five supply chain threats and where to find them. For a deeper look to finding these threats, with more specifics and tool suggestions, check out our threat hunting guide.
|
By AJ Starita
Responsible AI Licenses (RAIL) are a class of licenses created with the intention of preventing harmful or unethical uses of artificial intelligence while also allowing for the free and open sharing of models between those who intend to use and improve them for authorized purposes. Anyone can make their own version of RAIL for their model, and in doing so can create more or less restrictions than those detailed in the template licenses.
|
By AJ Starita
The past week has been a wild ride for those following all the hot goss’ on the National Vulnerability Database. Previously on The Code and the Vulnerable, we reported on the NVD slowdown that began in mid February. Since then, the NVD has been adding new CVEs, but has only enriched (with important information like CVSS and CPE) a very small fraction of them. If you need a breakdown of all these acronyms, definitely check out that first blog on this topic.
|
By Rhys Arkins
Dependency management is a broad topic encompassing, among other things, keeping an inventory of dependencies, removing unused dependencies, and fixing conflicts between dependencies. In this article, we will focus on one large part of software dependency management that devs can do easily and with great results: updating dependencies.
Today at the RSA Conference 2024, Mend.io and Sysdig unveiled a joint solution to helping developers, DevOps, and security teams accelerate secure software delivery from development to deployment. The new integration incorporates runtime context from Sysdig with Mend Container to provide users with superior, end-to-end, and risk-based vulnerability prioritization and remediation across development and production environments.
|
By Mend
Single sign-on and role-based access doesn't need to be difficult. Find out in this sub 9-minute video how to integrate the Mend Platform into any Identity Provider supporting SAML.
|
By Mend
In this short demonstration, find out how Mend Renovate can discover deprecated dependencies in your applications running NPM directly in the repository. In addition, we will show alternative packages where available to keep your applications secure.
|
By Mend
Maximize your Bitbucket Cloud security with a one powerful integration. Get automated dependency updates with Mend Renovate, open-source security with Mend SCA, and code flaw detection with Mend SAST to streamline your workflow and code protection. Mend.io.
|
By Mend
This video describes open source license notices, why they are required and how to set the notice within the Mend SCA user interface.
|
By Mend
How do you build a successful AppSec program? Today, we’re focusing on an area where we have great evidence for a specific best practice – Repository Integration. Choosing where to deploy SCA scans can have a major impact on the success of your AppSec program. You can boost the value of Mend SCA by scanning in your repositories, and we want to show you how!
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project.
|
By Mend
Reduce Technical Debt with Scalable Automated Dependency Management Regularly maintaining and updating dependencies is crucial to ensuring application security, but in today’s high-volume development world, companies often struggle to balance security risk with development deadlines. Renovate Enterprise Edition helps teams cut technical debt while still meeting deadlines using a solution built for the needs of enterprise development teams. Now, companies can provision as many resources as they like to cover the size and scale of their entire organization without suffering performance problems due to resource limitations.
|
By Mend
Reduce Technical Debt with Scalable Automated Dependency Management Regularly maintaining and updating dependencies is crucial to ensuring application security, but in today’s high-volume development world, companies often struggle to balance security risk with development deadlines. Renovate Enterprise Edition helps teams cut technical debt while still meeting deadlines using a solution built for the needs of enterprise development teams. Now, companies can provision as many resources as they like to cover the size and scale of their entire organization without suffering performance problems due to resource limitations.
|
By Mend
Behind every developer is a beloved programming language. In heated debates over which language is the best, the security card will come into play in support of one language or discredit another. We decided to address this debate and put it to the test by researching WhiteSource's comprehensive database. We focused on open source security vulnerabilities in C, Java, JavaScript, Python, Ruby, PHP, and C++, to find out which programming languages are most secure, which vulnerability types (CWEs) are most common in each language, and why.
|
By Mend
We surveyed over 650 developers, and collected data from the NVD, security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather the latest industry insights in open source vulnerability management.
|
By Mend
Developers across the industry are stepping up to take more responsibility for their code's vulnerability management. In this report we discuss trends in how security is shifting left to the earliest stages of development, putting the power developers in the front seat. We explore the growth of automated tools aimed at helping developers do more with fewer resources and look for answers on what is needed to help close the gap from detection to remediation.
|
By Mend
Software development teams are constantly bombarded with an increasingly high number of security alerts. Unfortunately, there is currently no agreed-upon strategy or a straightforward process for vulnerabilities' prioritization. This results in a lot of valuable development time wated on assessing vulnerabilities, while the critical security issues remain unattended.
- July 2024 (2)
- June 2024 (5)
- May 2024 (6)
- April 2024 (5)
- March 2024 (7)
- February 2024 (6)
- January 2024 (4)
- December 2023 (5)
- November 2023 (7)
- October 2023 (9)
- September 2023 (19)
- August 2023 (14)
- July 2023 (13)
- June 2023 (15)
- May 2023 (11)
- April 2023 (10)
- March 2023 (12)
- February 2023 (10)
- January 2023 (14)
- December 2022 (14)
- November 2022 (11)
- October 2022 (16)
- September 2022 (7)
- August 2022 (4)
- July 2022 (4)
- June 2022 (11)
- May 2022 (13)
- April 2022 (9)
- March 2022 (7)
- February 2022 (6)
- January 2022 (9)
- December 2021 (15)
- November 2021 (5)
- October 2021 (5)
- September 2021 (5)
- August 2021 (4)
- July 2021 (4)
- June 2021 (4)
- May 2021 (4)
- April 2021 (7)
- March 2021 (4)
- February 2021 (4)
- January 2021 (3)
- December 2020 (2)
- November 2020 (3)
- October 2020 (5)
- September 2020 (5)
- August 2020 (4)
- July 2020 (7)
- June 2020 (7)
- May 2020 (6)
- April 2020 (16)
- March 2020 (1)
- October 2018 (1)
No component overlooked. Mend identifies every open source component in your software, including dependencies. It then secures you from vulnerabilities and enforces license policies throughout the software development lifecycle. The result? Faster, smoother development without compromising on security.
Not all vulnerabilities are created equal. Mend prioritizes vulnerabilities based on whether your code utilizes them or not, so you know exactly what needs your attention the most. This reduces security alerts by up to 85%, allowing you to remediate more critical issues faster.
Complete Platform:
- Mend Core: We help you keep things in order. Mend is built to streamline your open source governance. With a full layer of alerting, reporting and policy management, you are effortlessly secure and always in control.
- Mend for Developers: Mend for Developers is uniquely designed to simplify developers’ work, while keeping the code secure. Its suite of tools helps speed up integration, find problematic components, and remediate them quickly and easily.
- Mend for Containers: Mend integrates into all stages of the container development lifecycle, including container registries and Kubernetes with automated policy enforcement for maximum visibility and control.
The simplest way to secure and manage open source components in your software.