With the current pace of software development, development teams are committing new code to their repositories at astonishing rates. Maintaining a secure SDLC (Software Development Life Cycle) while keeping up with this heightened pace of development has become extremely challenging.
Imagine the following scenario: You run a security scan before deploying to production to ensure that your code is vulnerability-free. To your surprise, a critical vulnerability was detected in your code and it must be fixed before deployment! Now you begin the frustrating and time-consuming process of going through all the commits between now and your previous security scan, locating the problematic commit, and remediating the vulnerability.
In order to avoid a situation like this, it’s crucial to shift security testing left and ensure your code is secure as early in the software development lifecycle as possible. One of the implications of the shift-left philosophy is that security and DevOps teams are relying more and more on development teams to help address security issues. To make their part easier and less cumbersome, developers need tools that integrate into their day-to-day working environments. This is where Mend for Developers comes in.
As part of Mend Developers offering, our product suite tailored especially for developers, enabling organizations to shift left with solutions integrated into developers’ familiar working environments, we’re excited to announce two new integrations for GitLab core and Eclipse IDE.
With the addition of Mend’s integration with GitLab, Mend now offers native integrations for each of the top three players in the repository space: GitHub, BitBucket, and GitLab, giving Mend customers full coverage of the most popular repositories (more than 60% of the total market).
Mend for GitLab enables developers to easily manage their repository’s open source security vulnerabilities without the need to deviate from GitLab’s native flow. On every push to the repository, Mend will scan your code and alert you on any vulnerable open source components. When the scan concludes, Mend will indicate whether or not your commit introduced any new security vulnerabilities using GitLab’s “commit status” feature, and display a security report indicating exactly which vulnerabilities were introduced, and where. Each vulnerability detected by Mend is automatically mapped to a GitLab Issue containing details regarding the library, the vulnerability, and possible fixes. After an issue is opened (you can also set up an automated workflow to open tickets for each issue), it is evaluated by one of Mend for GitLab's most advanced features – Mend Remediate. Mend Remediate will automatically open fix Merge Requests, enabling developers to remediate vulnerabilities in a single click.
Mend's solution is not limited to new vulnerabilities introduced into your repository. A daily scan will also run, automatically detecting newly published open source vulnerabilities affecting any of your existing dependencies and ensuring full coverage for all of your dependencies, both new and existing. The entire process takes place within GitLab's native workflow and fundamental features, removing the need for developers to deviate from their familiar workflow and constantly switch between applications.
Adding to existing support for IntelliJ IDEA, we’re also excited to offer a new integration for Eclipse IDE as part of the Mend for Developers product suite. These two IDE integrations allow Mend to support two of the top development environments in the market today, allowing even more developers to code more securely and productively.
This new developer-focused integration allows developers to gain early visibility and shows developers critical information about the open source vulnerabilities and suggested fixes within their IDE UI. Developers no longer need to switch between applications or wait until they’ve committed the code to detect vulnerable components.
Once a vulnerable open source component is detected in a dependency file, a vulnerability icon appears, color-coded by severity level. Once you click on a specific icon, detailed security information is presented on the selected vulnerability. If you apply the suggested fix presented by Mend, the vulnerability will be verified and removed from your IDE.
As security ownership in organization shifts left towards developers, it’s important to make sure they have all the tools they need to make their lives easier when working with open source. We’re confident these new integrations will empower even more developers to leverage open source components to create products faster and more securely.