3 New GitHub Features to Reinforce Your Code, Repo, and Dependency Security
Discover three great new GitHub features to strengthen your security and learn why dependency security is vital to safeguarding your code and data.
Choose Your Type
Choose Your Topic
Our Latest Content
Cloud Security Architecture: A Practical Guide
Learn about the importance of a cloud security architecture, the main risks you should consider when building it, and key principles to guide your work.
The Era of Automated SAST has Begun
Introducing the Mend Application Security Platform, which offers automated remediation for both open source and custom code.
Mend Epitomizes RSA 2022 Theme, “Transform”
Learn how Mend is bringing RSA 2022’s “transform” theme to life with its own transformation, what that means for customers, and what we’re anticipating from the conference.
From WhiteSource to Mend—A Rebrand Journey
When it comes to rebranding, it’s not about the destination, it’s about the journey How important is a company name, really? Turns out that it is pretty important, especially if the name you currently have does not represent what the company has become, or where it is going. Our name is what defines the vision,...
WhiteSource is Now Mend: You Code, We Cure
Volunteer delegation and charitable donations made to assist and aid those fleeing the crisis in the Ukraine
Vulnerability Remediation: A Practical Guide
Understand the difference between vulnerability remediation and mitigation. Discover tools and an organizational process that can help you remediate vulnerabilities.
Impact Analysis: CVE-2022-29218, Allows Unauthorized Takeover of New Gem Versions via Cache Poisoning
Mend security analyzed the possible impact of a newly discovered RubyGems vulnerability that uses cache poisoning to implement an unauthorized takeover of new gem versions.
New Typosquating Attack on npm Package ’colors’ Using Cross language Technique Explained
Mend security team blocked a malicious npm package that uses a novel approach to disguise and execution.
What is the NIST Supply Chain Risk Management Program?
Learn about the NIST C-SCRM program, its approach to supply chain security, and 4 critical best practices NIST recommends to secure your digital supply chains.
Plan and Protect: A Modern Plan for Open-Source Security
In today’s digital world, open-source software is vital to modern application development. And as we know, what’s important to the business world is important to threat actors. But how can companies successfully combat the rising tide of vulnerabilities? Join experts from WhiteSource and Microsoft as they discuss the value of blending proactive practices to code...
AWS Targeted by a Package Backfill Attack
On April 28 and April 30, respectively, Supply Chain Defender identified, blocked, and reported two packages we deemed were malicious versions of original Amazon Web Services (AWS) packages. Mend security experts have reached out to contacts at Amazon to notify them of our findings. This discovery may point to a new takeover method that targets...
5 Vulnerability Assessment Scanning Tools: 5 Solutions Compared
Learn how vulnerability assessment tools work, key features and capabilities, and discover five great tools that can help you scan and remediate vulnerabilities.
Cybernews/ Mend: It’s No Longer a Matter of ‘If’, but ‘When’ an Organization Will Be Targeted by Threat Actors
Daniel Elkabes, lead security researcher at Mend sat down with CyberNews to discuss security best practices for addressing threats.
Software Supply Chain Security: The Basics and Four Critical Best Practices
Learn about supply chain security, supply chain attacks, and how to protect your organization against this severe threat.
Threat Actor Deploys Malicious Packages Using Hex Encoding and Delayed Execution
Mend security has uncovered malicious packages using hex encoding and delayed execution
How SAST and SCA together make your security stronger?
Risks from application vulnerabilities have multiplied as more applications get developed. To address this issue, Static Application Security Testing (SAST) identifies security vulnerabilities in the custom code written by application developers. Simultaneously, Software Composition Analysis (SCA) safeguards the open-source components that comprise between 60% and 80% of the codebase in modern applications. Join Susan St.Clair,...
Get the Response to Spring4Shell Right: Best Practices for Immediate Remediation
Learn 3 best practices for effective remediation of the Spring4Shell zero-day vulnerability.
Automated Software Supply Chain Attacks: Should You be Worried?
From the factory floor to online shopping, the benefits of automation are clear: Larger quantities of products and services can be produced much faster. But automation can also be used for malicious purposes, as illustrated by the ongoing software supply chain attack targeting the NPM package repository. By automating the process of creating and publishing...
Spring4Shell Zero-Day Vulnerability: Information and Remediation for CVE-2022-22965
CVE-2022-22965, a zero-day RCE vulnerability known as Spring4Shell, has been found in the popular Spring framework for Java apps.
How To Set A Benchmark Of False Positives With SAST Tools
Learn how to set a benchmark of false positives with SAST tools. Know how to measure the success of SAST tools. Understand how Mend SAST Helps.
Best SAST Tools: Top 7 Solutions Compared
Discover the top Static Application Security Testing (SAST) solutions, their key features, and what makes a great SAST tool.
How to Leverage Defense-in-Depth to Prepare For the Next Log4j
How prepared was your firm to handle the Log4j vulnerability that was announced in December 2021? The best firms were prepared and loaded for bear, and they completely mitigated and remediated their risk within hours of the announcement. What can you learn from their approach and how can you prepare for the next inevitable widespread...
How To Address SAST False Positives In Application Security Testing
Learn the effects of SAST false positives. Know their common causes. Understand how to address them without sacrificing software quality and security.
Best Practices For Managing Ruby Supply Chain Security Risks
Understand the types of Ruby supply chain attacks. Learn the best practices for preventing supply chain security risks in your Ruby projects.
Application Security Scanning in the Repository: Best Practices
Historically, if organizations wanted to automate and enforce application security testing, the best place to do that was within CI/CD pipelines. As time went on, we realized that while pipeline scanning has its place in securing applications, it doesn’t scale as more and more plugins are needed and with that, the task of managing them...
A Guide To Implementing Software Supply Chain Risk Management
Learn how to implement a software supply chain risk management strategy in your enterprise. Discover risk management best practices, benefits, and more.
SAST vs. SCA: 7 Key Differences
Both SAST and SCA tools address software vulnerabilities, while SCA covers open source code and SAST covers proprietary. Here are 7 main differences between these two.
Mend SAST: The Next Generation of Application Security
Mend Static Application Security Testing (SAST) technology is the first to automatically remediate security vulnerabilities as well as identify them. CEO Rami Sass explains why and how Mend launched this SAST solution, and the value it brings.
npm Threat Report
What’s in the report? Learn how the most popular JavaScript package manager – npm – is being used by malicious actors to launch attacks, run botnets, and steal credentials and crypto. Why should you care about malicious npm activity? JavaScript is the most commonly used programming language globally, and 68% of developers depend upon it...
A Malicious Package Found Stealing AWS AIM data on npm has Similarities To Capital One Hack
Mend Supply Chain Defender detects the new release of a package called @maui-mf/app-auth that used a vector of attack similar to the server side request forgery (SSRF) attack against Capital One in 2019
CVE-2021-44142: Vulnerability in Samba Enables Bad Actors to Execute Arbitrary Code as Root
Key information about a severe flaw (CVE-2021-44142) in the popular freeware, Samba, which enables remote attackers the ability to execute arbitrary code with the highest privileges on affected installations. Discover how it works and how Mend thwarts it.
How to Fix NPM Vulnerabilities Quickly and Painlessly
Join us to learn about typical time frames for NPM vulnerability detection and how to find the quickest and least painful path to remediation.
CVE-2021-4034: A Walkthrough of Pwnkit — the Latest Linux Privileges Escalation Vulnerability
What you should know about an improper implementation of the pkexec tool in polkit, an out-of-bounds memory access that can be leveraged by a local attacker to escalate their privileges to the system root. Discover how the exploit works and how Mend thwarts it.
DevSecOps in an Agile Environment
There is a misconception that DevSecOps slows things down and that Agile results in bad software. Here is how they can co-exist with one another.
Log4J: Tales from The Trenches: The State of Log4J Remediation
The announcement of Log4j vulnerability sent security and development teams into a tailspin — not once, but multiple times. Throughout it all, WhiteSource has been providing tools for discovery and automated remediation, and working closely with our customers. Join our experts to learn what has been going on, such as: What percentage of organizations were...