New Mend service auto-detects and fixes code, app security issues

Mend, formerly WhiteSource, announces new service designed to detect and fix code security issues, reduce the software attack surface and application security burden.

Open-source application security company Mend, formerly WhiteSource, has announced the launch of an automated remediation service for addressing code security issues. According to the firm, the new service is designed to reduce the software attack surface and application security burden, enabling developers to write secure code more easily.

Mend has also integrated Mend Supply Chain Defender, a solution that detects and blocks malicious open-source software, into its JFrog Artifactory plugin within the Mend Application Security Platform. The news comes amid increasing market investment into securing key aspects of code and app production to address related risks and challenges.

New service adds automated remediation for static application security testing

Mend’s security platform combines automated remediation for static application security testing (SAST) with existing capabilities for software composition analysis (SCA) to automatically find and fix application security holes involving both open source and custom code, the firm stated in a press release. “Attackers are increasingly targeting applications as the weakest link to go after organizations, and at the same time, pressure to deliver software faster has never been higher,” commented Mend co-founder and CEO Rami Sass. “Mend breaks the trade-off between security and development delivery timelines by providing a solution that automates the reduction of the software attack surface while removing most of the burden of application security, allowing development teams to deliver quality, secure code, faster.”

Through automated remediation, Mend can provide fixes for individual lines of code, presented in a developer’s repository for easy integration into the workflow, the firm added. Prior to this advancement, leading application security products could typically only provide training materials and examples to support developers with researching fixes for each security issue they encountered, an inefficient process which often forced developers to choose between security and meeting deadlines, Mend stated.

Code security issues pose significant risk, fast detection and remediation vital

Omdia Senior Principal Analyst Rik Turner tells CSO that both open-source and custom code can pose significant security risks to organizations, and so having the ability to quickly detect and fix code vulnerabilities is vital. “If your developers are incorporating open-source components such as libraries into the code they are writing, they could be building in vulnerabilities without knowing it, not to mention the risk that, even if the open-source code they’re using is good, your organization may be violating certain licensing terms. So, there is a security and a compliance dimension to the problem.”

As for custom code that contains vulnerabilities, this is like making automobiles with a built-in weakness that you then must issue a recall on after accidents occur and you are taken to court, Turner says. “Exploitable vulnerabilities in your code must be weeded out before they go into production, and one of the problems now is that agile and DevOps practices have essentially accelerated the rate at which code is being pushed into production by the average e-commerce company, which increases the potential for vulnerabilities to be released into the wild.” This requirement is being reflected in the security market, with increasing investment being made into companies that specialize in securing key aspects of code and app production, he adds.

Copyright © 2022 IDG Communications, Inc.
