WhiteSource, now Mend, unveils automated remediation to improve security

Application security vendor, WhiteSource, today announced a new platform that offers remediation for both open-source software and custom code. In addition to this, the company announced a new brand identity and name — Mend. The company noted the rebranding represents its commitment to removing the silos that currently exist between security and development teams.

When WhiteSource purchased Xantizer and DefenseCode, VentureBeat previously covered the launch of this platform. Mend (formerly WhiteSource) debuted the WhiteSource static application security testing (SAST) solution earlier this year and expected to combine it with software composition analysis (SCA) in the second half of the year. This announcement now marks the launch of the platform and its SAST as well as SCA capabilities.

Devops adoption increasing attack surface

Cybercriminals realize that the application attack surface is growing as a result of devops adoption. Attackers have discovered that because networks are secure, the applications are often the weakest links, as most are not properly secured. Because of the growing number of vulnerabilities left by outdated application security solutions, applications are becoming more appealing targets. One report found that 99.7% of applications have at least one vulnerability.

Added to this is the growing pressure on organizations to deliver software at a faster pace. Organizations are under increasing pressure to safeguard applications while also delivering software more quickly. And according to another study, due to time constraints, over half of organizations routinely release risky code into production in their application security initiatives.

Mend, according to Rami Sass, the company’s cofounder and CEO, “breaks the tradeoff between security and development delivery schedules” by providing a solution that “automates the decrease of the software attack surface while reducing the majority of the burden of application security.” He noted that this enables development teams to produce high-quality, secure code more quickly.

Automated remediation for SAST

An efficient method to address software vulnerabilities must include the use of security testing tools to find both weaknesses in proprietary code using SAST and vulnerabilities in open-source code using SCA. Mend claims its platform is now the first to automatically find and fix application security holes involving both open-source and custom code. The company says it combines automated remediation for SAST with Mend’s existing ability to automatically remediate SCA.

SAST is a popular application security tool that searches an application’s source, binary, or byte code for vulnerabilities and fixes them. SCA, on the other hand, is an application security approach that allows development teams to track and analyze any open-source component that is introduced into a project quickly. 

While SAST solutions examine an application from the “inside out” and do not require a running system to scan, SCA acts like a gatekeeper, checking for unlocked gates and open windows that could allow an intruder access. SCA examines source code for package managers, container images and binary files and records them in a Bill of Materials (BOM), which is a catalog of known vulnerabilities.

SQL injections, server-side injections and command injections are just a few of the vulnerabilities that can be exploited. While it’s uncommon to find software that includes both SAST and SCA, a study found that software security programs that include both SAST and SCA are more thorough and organizations that use it achieve better results. 

Mend claims that its application security platform provides automatic remediation for both open-source and custom code, offering exact patches for each line of code, allowing any level of developer to effortlessly produce quality, secure code.

Until now, application security solutions could only offer training materials and examples to help developers find answers to each security issue they encountered. According to a Synopsys research, this inefficient procedure requires developers to choose between security and meeting deadlines. 

Mend, on the other hand, claims that its platform provides automated remediation for SCA and SAST, which is provided immediately in the developer’s repository for easy integration into the developer process. “Developers don’t have to forgo security for speed,” the company stated.

Supply chain defender integration 

As part of its announcement, Mend said its supply chain defender, formerly known as WhiteSource Diffend, will be integrated with its existing Jfrog Artifactory plugin. 

In cybersecurity, hardware and software, cloud or local storage and distribution mechanisms are all part of the supply chain. Supply chain attacks, also known as third-party attacks, have emerged as a new type of danger targeting developers and suppliers and these attacks are increasingly on the rise. 

Modern development pipelines are complicated automated environments with a wide range of continuous integration (CI) and continuous delivery (CD) tools. For devops teams, CI/CD is a best practice that allows software development teams to focus on satisfying business needs while also ensuring code quality and security. However, open-source code is frequently repurposed by developers and each software project may rely solely on hundreds of open-source projects. As a result, the software supply chain has become a popular target for hackers.

Supply chain attacks have been rising in volume and complexity since the SolarWinds breaches. A report reveals that supply chain attacks have increased by 430%. Given that not every attack is reported or detected, the true number is likely higher. Malicious attackers have switched to easy targets and discovered more innovative ways to make their efforts hardest to detect and most likely to reach desirable targets. 

Supply chain attacks leave companies particularly vulnerable because they can be used to carry out any type of cyberattack, such as a data breach, in which private, sensitive, or protected material is duplicated, accessed, acquired, or distributed for use by an unauthorized person. 

Mend says its supply chain defender is a solution that detects and blocks this malicious open-source software with the Mend platform plugin for the Artifactory registry.

The company says that by using JFrog Artifactory as a private repository manager, enterprise customers may be able to prevent harmful open-source software from entering their code base. According to Mend’s press release, companies may safeguard all projects involving JavaScript or Ruby with a centralized policy enforcement and auditing point by installing supply chain defender once. 

For a unified view inside the developers’ native environment, the company says all results for open-source and custom code are displayed in a custom or third-party code repository. 

According to Josh Johnson, manager of solutions architecture at Defy Security, the application security industry has mostly concentrated on vulnerability identification and management.

“As a Mend partner, we are thrilled for the company to continue its dedication to solving code-based security concerns with automated remediation under this new brand. Defy Security is excited to see Mend expand their automation capabilities for fixing security vulnerabilities,” Johnson said.