As the software bill of materials (SBOM) becomes ubiquitous for compliance and security purposes, what has previously been a nice-to-have option is fast becoming indispensable. If you want to do business with significant partners, such as public and federal organizations, and if you want to grow your business by floating your company or engaging in M&A activity, then you’re going to need SBOMs. This demand is driven by two key trends, one technical and the other legislative.

One often-overlooked risk in the bustling ecosystem of open-source software are vulnerabilities introduced through software dependencies. We mention this because today, a malicious actor took over a RubyGems package name with more than two million downloads. Mend.io technology detected the package before it could be used for an attack, but the case of ‘gemnasium-gitlab-service‘ serves as an important reminder of the risk of neglecting dependency management.

We hear a lot about the urgency of transition from DevOps to DevSecOps, and with good reason. The ongoing rise in cyberattacks across the software supply chain, coupled with a shifting regulatory landscape, highlights the growing urgency of improving application security. But it’s one thing to recognize the importance of integrating security into the software development process, and another thing to actually succeed at doing so.

We’re proud to announce that Mend.io has been recognized as a Visionary in the 2023 Gartner Magic Quadrant for Application Security Testing (authors Mark Horvath, Dale Gardner, Manjunath Bhat, Angela Zhao, Ravisha Chugh); (May 17, 2023).

Companies are increasingly concerned about the security of applications built on open source components, especially when they’re involved in mergers and acquisitions. Just like copyright for works of art, each piece of open source software has a license that states legally binding conditions for its use.

Managing dependencies is not for the faint of heart. For a single project, you may be able to keep up with dependencies on your own. For software codebases with hundreds of modules, however, even the most seasoned developer will quickly descend into dependency hell. Don’t worry: dependency hell has happened to the best of us! There are some things you can do to keep yourself sane and improve application security.

Open source code is everywhere, and it needs to be managed to mitigate security risks. Developers are tasked with creating engaging and reliable applications faster than ever. To achieve this, they rely heavily on open source code to quickly add functionality to their proprietary software. With open source code making up an estimated 60-80% of proprietary applications’ code bases, managing it has become critical to reducing an organization’s security risk.

Software developers build approximately 80% of software applications using open-source code, which opens up a world of opportunity for today’s threat actors. Code package repositories such as npm and RubyGems allow anyone to store or publish packages, and unfortunately that can include packages containing malware. These are known as malicious packages — the malware of the software supply chain. As the name implies, a malicious package is software that is created with malicious intent.