How to Boost Confidence in Your Open Source Security with Mend Smart Merge Control
Modern applications are hugely dependent on open-source software. 80 percent of most organizations’ apps and code base is now open source, in some cases more. While this is great for swift development and innovation, it increases the possibility of vulnerabilities arising that bad actors can exploit, and it expands the potential attack surface.
To maintain robust application security, it’s critical for developers and security teams to keep pace with a rapidly changing code base full of open source components – but how can they be confident that they’re doing so? Now, Mend.io has the answer, with enhancements to Mend SCA that allow you to enjoy a completely automated process of updating open source packages along with the highest confidence that these updates will be successful.
Let’s take a look at the problems this enhancement addresses and how it helps you maximize your confidence in your open source security.
The challenge
Developers and security professionals all agree that applications are more secure when they are using up-to-date dependencies, but it is a task that is easier said than done. That’s partly because dependencies are becoming more numerous and updates have become more frequent, with no sign of the trend reversing. As the number of dependencies and potential updates soar, manual methods become increasingly unworkable, requiring “triage” that ignores many updates and begins to accumulate security debt in the form of out-of-date dependencies.
Automated testing and remediation go a long way toward alleviating this problem. Tools like the Mend Renovate bot ushered in an era of “dependency automation” and have been adopted by many high-performance development teams. However, even with project-level automation, staying up to date can still take significant developer time. Teams with projects lacking a strong test suite may feel uncertain about updating dependencies, therefore becoming increasingly out-of-date compared to others.
Furthermore, most applications don’t have a level of testing that is good enough to rely on automated testing and deployment. Even if they do, most companies don’t test the inner workings of external dependencies. As such, it can be hard to trust whether an update to an external dependency will break the application. This leads to manual testing, which adds developer overhead and slows down the process of updating dependencies.
With the large number of updates that can be generated by Renovate, it can be overwhelming trying to manually test and deploy all the updates. Existing grouping mechanisms can help, but don’t eliminate the problem of untrusted updates, which can cause an entire group of updates to be useless.
Consequently, projects tend to fall behind on dependency updates through a combination of a lack of confidence in project tests, and a lack of resources to review updates, and in doing so, the risk of future security problems increases.
The need
So, clearly what Mend.io customers need is something that simplifies and accelerates the process of updating dependencies. It has to be easy to use so that developers will be happy to adopt it, and it has to make life easier for them by facilitating their ability to accept updates and apply valuable fixes to security issues, as quickly and as easily as possible. Such a solution will result in a better application security posture because it will:
- Save significant time and resources for projects which have already embraced dependency automation
- Lower the barrier to entry for other projects to adopt dependency automation
- Bring you up-to-date with dependencies, which is the best way to be prepared to respond to open source security vulnerabilities
The solution: Mend SCA – Now with Smart Merge Control
Mend SCA now addresses these concerns by allowing developers to manage updates based on a “merge confidence” value, which expresses the confidence that Mend.io has that a given update will merge into an application without breaking a build.
This confidence value is crowd-sourced from the large number of developers who are using Mend Renovate, the world’s most popular automated dependency update bot, and is generated by monitoring the success of pull requests that contain each specific update. The idea is that a bad update will fail for a statistically significant number of projects, and Mend.io can mark the update with “Low” confidence. Updates that repeatedly merge successfully will generate a merge confidence of “High” or “Very High”. And those updates that are quite new, or for which we don’t have enough confidence data, are marked as “Neutral”. Over time, as more data is gathered, the confidence moves away from neutral and stabilizes on either low, high, or very high.
Mend.io is the first company to allow users to define Smart Merge Control based on crowd-sourced information to provide near real-time information about whether dependency updates are likely to break a build. This is the first time users will be able to manage updates based on their confidence level. Other vendors can provide information about the CVEs in an update, but none can advise whether the update will merge easily with a codebase.
This is yet another first for Mend.io. We were the first company to offer automated pull requests for open source vulnerabilities. We were the first to provide reachability path analysis. Now we are the first to completely automate the process of updating open source packages with confidence that the updates will be successful.
The benefits of Smart Merge Control
The MCW enhancement makes it easier to keep open source software packages up-to-date. It’s significant for developers because it allows them to leverage Mend.io’s Merge Confidence scoring to reduce the amount of effort it takes to stay up-to-date. Even a small application can easily utilize a large number of open source dependencies that require regular updating. Without information about whether an update can be trusted, each update must be tested. Using Smart Merge Control, a developer can filter for just the most trusted updates and have them automatically applied. This significantly reduces the burden for developers to maintain good dependency health for their applications.
From a security perspective, it’s another tool in the fight against hackers. By making it easier to accept updates to dependencies, MCW results in applications more frequently receiving security fixes, and as it increases the adoption of updates, applications will become more secure. It also means that updates will be applied sooner, so attackers have less time to exploit each discovered vulnerability. Plus, the resulting reduction of technical debt means security managers will feel more confident that developers can quickly react to any urgent vulnerability announcement that might happen in the future without breaking their applications (which is, of course, bad for business).
At a glance, MCW’s key benefits for users are:
| Benefit | Context |
|---|---|
| No need for testing / Helps when there aren’t enough tests, as updates can be accepted without any need for testing. | If an application has low test coverage. Most applications don’t test external dependencies, so errors can slip through more easily. Merge confidence can report on the overall quality of the update, outside of application-specific tests. |
| Ignore untrusted updates. Automatically merge trusted updates. | Only Mend.io knows which updates can be trusted. |
| Drastically reduces the time taken to process updates. | Easier to determine which updates to accept. Easier to test and deploy updates. |
MCW takes Mend SCA automated dependency updates to the next level
For several years, Mend SCA has been the gold standard for open source security. Our main focus has been on detecting vulnerabilities and helping developers very efficiently remediate them. In recent years, we pioneered capabilities such as automated pull requests, scan on commit, reachability path analysis, and many more. Our ability to integrate with DevOps tool chains (also known as DevSecOps) has won us the business of many large customers. And recently we published research showing that customers who integrate Mend SCA with their code repositories reduce their mean time to remediation (MTTR) by 74% and fix three times as many vulnerabilities in any given time period.
Now, we are raising the bar for software composition analysis by adding automated dependency workflows to Mend SCA. We believe this provides significant security value, even though many dependency updates have nothing specifically to do with vulnerability management.
The easier it is for developers to update the dependencies in their applications, the more updates an application will receive – and the less security debt will be accumulated due to out-of-date components. Automation overcomes the time-consuming and onerous process of manual dependency testing.
Mend SCA now offers a rich set of capabilities that allow developers to configure how updates are delivered, helping them to manage this otherwise daunting task of maintaining dependency health.