• Home
  • Newsroom
  • WhiteSource Acquires Diffend to Provide Software Supply Chain Security

WhiteSource Acquires Diffend to Provide Software Supply Chain Security

TEL AVIV AND BOSTON – April 20, 2021 WhiteSource, the leader in open source security and management, today announced it has acquired Diffend, an open source malware security and threat detection solution. All of Diffend’s current commercial offerings will now be available for free under its new name WhiteSource Diffend. Through the acquisition, WhiteSource is now able to offer an advanced platform for mitigating software supply chain risk.

Recent software supply chain attacks demonstrate that application security needs have gone beyond detection to include continuous prevention. “Scanning for malicious packages after they are installed is too late,” says Maciej Mensfeld, founder of Diffend. “Organizations must start blocking malicious packages before they are downloaded or installed. WhiteSource Diffend is designed for near-invisible, exception-based alerting on software supply chain security threats that doesn’t interfere with developers’ work.” Mensfeld added, “in the past week alone, the Diffend platform has been responsible for detecting and reporting 60 suspicious packages to Rubygems, all of which have now been removed, benefiting all open source users.” Maciej Mensfeld joins WhiteSource as Senior Product Manager for Software Supply Chain Security. 

Software supply chain attacks breach users’ inherent trust in modern application architectures. They occur when malicious code is added to commercial or open source software that is directly or indirectly deployed by the client or used as part of the build and publish process. The potential damage of a software supply chain attack can be severe. It ranges from impacting application traffic to exposing sensitive systems and data as a result of abusing access permissions. While some malicious attacks attempt to remain undetected until production, others are like a virus and attack immediately.

WhiteSource Diffend requires a single install for the entire organization and blocks any malicious package install or update to protect not only the production app but also the entire CI system. Thanks to innovative classification rules for suspicious components, this ultimate shift-left tool provides maximum protection by blocking a package before it even reaches a developer’s machine – without taking up valuable developer time. 

WhiteSource Diffend compounds Diffend.io capabilities into an advanced platform for mitigating software supply chain risk, providing a threefold protection layer. First, the solution offers governance and vulnerability management for open source security throughout the development lifecycle, including analysis of open source licensing and other metadata. Second, WhiteSource Diffend provides malware protection against critical malware attacks, such as malicious takeovers, ATO attacks, and package tampering. Finally, threat detection capabilities include assessment of open source component permissions as well as detection, reporting, and alerting of suspicious component permissions. Overall, WhiteSource Diffend manages the greatest risks associated with open source third-party dependencies.   

Diffend’s existing capabilities will remain free while also integrated into WhiteSource’s enterprise products, for the added benefit of unified policy controls and management capabilities. 

“Malicious package exploits are black swan events: rare, but very high risk,” said Rami Sass, Co-Founder and CEO of WhiteSource. “Warning developers to be on the lookout for software supply chain security threats doesn’t improve security.” Sass added, “WhiteSource Diffend helps our customers stay a step ahead of any security risk and enables developers to work uninterrupted with code they can trust.”

Meet The Author

WhiteSource.io Communications

WhiteSource.io offers an enterprise suite of application security tools designed to help leading organizations build and manage mature AppSec programs, enabling them to stop chasing vulnerabilities and start proactively managing application risk.

Subscribe to Our Blog