New York, NY, USA
2011
  |  By Tiffany Jennings
Dependency management tools are software solutions designed to automate and streamline the process of handling external libraries, modules, or packages that a project relies on. These tools help developers specify, install, update, and track dependencies, ensuring that all required components are present and compatible.
  |  By Tiffany Jennings
On July 7, 2026, the European Central Bank sent a letter to the CEO of every bank it directly supervises with an unambiguous instruction: build a formal action plan against AI-enabled cyberattacks, and submit it to your supervisory team by October 31.
  |  By Tiffany Jennings
AI governance platforms provide enterprises with centralized oversight to manage AI risks, ensure regulatory compliance, and automate policy enforcement across the AI lifecycle. Leading solutions include security-oriented tools like Mend.io, HiddenLayer, and Prompt Security, as well as end-to-end governance platforms like IBM watsonx.governance and Microsoft Purview.
  |  By Tiffany Jennings
TL;DR: AI governance solutions help organizations inventory, secure, and monitor AI systems. Best for AI security and shadow AI: Mend AI; enterprise risk and compliance: Credo AI and IBM watsonx.governance; model monitoring: Fiddler AI. Effective AI governance implementation involves establishing a cross-functional committee, compiling an AI bill of materials (AI-BOM) to identify risks, and implementing policies based on frameworks like NIST AI RMF.
  |  By Maciej Mensfeld
Package registries have a well-known abuse pattern: attackers upload malicious packages, and unsuspecting developers install them. Our researchers just found the pattern working in reverse, in a RubyGems supply chain attack that turns the registry into a place to stash stolen data rather than deliver it.
  |  By Tiffany Jennings
Evaluating AI Security Posture Management (AI-SPM) tools is a critical process for organizations integrating AI, specifically Generative AI (GenAI) and Large Language Models (LLMs), into their workflows. Unlike traditional security tools, AI-SPM focuses on the unique risks of AI, including Shadow AI, prompt injection, data poisoning, model theft, and improper model configuration. When assessing AI-SPM tools, security leaders should prioritize the following capabilities.
  |  By Asaf Saar
A real intrusion, captured in full, shows why trust cannot live inside the model that does the work.
  |  By Tiffany Jennings
Attestation is a security process that enables one system or entity to prove its state or characteristics to another. This typically involves generating verifiable evidence about the software, hardware, or configuration of a device or environment. The primary goal is to ensure that systems are operating as expected and have not been tampered with. Attestation is important for building trust in distributed environments, where direct oversight and control are not always possible.
  |  By Asaf Saar
Two years ago, your teams shipped software. Today they ship two different things. They ship software that AI mostly wrote. And they ship AI systems they built themselves: models, agents, features that reason and act. Most security programs are still scoped for the first and blind to the second. That gap is not a tooling problem. It is a category problem. And the way the industry is drawing the categories is making it worse.
  |  By Asaf Saar
The economics of continuous security at frontier-model prices, and why the math points back to independence. The frontier models are astonishing at finding vulnerabilities. That is not in dispute, and it is not what this piece is about. The question is not whether a frontier model can find a flaw in your code. It is whether you can afford to run one as your scanner, continuously, across your entire estate, the way real security actually works.
  |  By Mend
The old application security playbook is broken. With Anthropic’s Claude Mythos and the release of Project Glasswing, AI agents can now autonomously chain low-severity bugs into working zero-day exploits, collapsing the time between vulnerability discovery and active exploitation. In this video, Mend.io's Saoirse Hinksmon (Head of Product Marketing) and Daniel Wyrzykowski (Product Manager) break down the structural shifts in the threat landscape and what security teams must do to keep pace.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
  |  By Mend
Behind every developer is a beloved programming language. In heated debates over which language is the best, the security card will come into play in support of one language or discredit another. We decided to address this debate and put it to the test by researching WhiteSource's comprehensive database. We focused on open source security vulnerabilities in C, Java, JavaScript, Python, Ruby, PHP, and C++, to find out which programming languages are most secure, which vulnerability types (CWEs) are most common in each language, and why.
  |  By Mend
We surveyed over 650 developers, and collected data from the NVD, security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather the latest industry insights in open source vulnerability management.
  |  By Mend
Developers across the industry are stepping up to take more responsibility for their code's vulnerability management. In this report we discuss trends in how security is shifting left to the earliest stages of development, putting the power developers in the front seat. We explore the growth of automated tools aimed at helping developers do more with fewer resources and look for answers on what is needed to help close the gap from detection to remediation.
  |  By Mend
Software development teams are constantly bombarded with an increasingly high number of security alerts. Unfortunately, there is currently no agreed-upon strategy or a straightforward process for vulnerabilities' prioritization. This results in a lot of valuable development time wated on assessing vulnerabilities, while the critical security issues remain unattended.

No component overlooked. Mend identifies every open source component in your software, including dependencies. It then secures you from vulnerabilities and enforces license policies throughout the software development lifecycle. The result? Faster, smoother development without compromising on security.

Not all vulnerabilities are created equal. Mend prioritizes vulnerabilities based on whether your code utilizes them or not, so you know exactly what needs your attention the most. This reduces security alerts by up to 85%, allowing you to remediate more critical issues faster.

Complete Platform:

  • Mend Core: We help you keep things in order. Mend is built to streamline your open source governance. With a full layer of alerting, reporting and policy management, you are effortlessly secure and always in control.
  • Mend for Developers: Mend for Developers is uniquely designed to simplify developers’ work, while keeping the code secure. Its suite of tools helps speed up integration, find problematic components, and remediate them quickly and easily.
  • Mend for Containers: Mend integrates into all stages of the container development lifecycle, including container registries and Kubernetes with automated policy enforcement for maximum visibility and control.

The simplest way to secure and manage open source components in your software.