Welcome to MergeBase Blog

Supercharge Your Software Development: 5 Key Benefits of MergeBase for Java Engineers

12, Sep 2023 0

Dive into this blog post to explore the top 5 Software Composition Analysis (SCA) benefits that MergeBase offers to Java engineers....

The 10 Major Java Vulnerability Types that Threaten Your Software

29, Aug 2023 0

Understand the most common ways that hackers exploit Java applications, and see how MergeBase can protect you from them....

Is Software Supply Chain Security on Your Risk Register? It Should Be.

15, Aug 2023 0

Navigate Changing Cybersecurity Landscape: U.S. National Cybersecurity Strategy & SEC Rules shift liability to software firms. Mitigate risk – software supply chain attacks surge. Update your risk register now....

Safeguarding the Java Ecosystem: How to Protect Against Software Supply Chain Attacks

14, Aug 2023 0

Explore the Java ecosystem’s intricacies and discover practical strategies to defend against software supply chain attacks....

4 Signs It’s Time to Upgrade from OWASP Dependency-Check (and How to Make a Strong Business Case)

10, Aug 2023 0

Dependency-Check is a free SCA tool—but it has its limitations. Here’s how to make the business case to upgrade to a premium SCA solution....

SEC Cybersecurity Rules - The Game-Changing 4-day rule for Reporting

01, Aug 2023 0

Discover SEC’s cybersecurity rules, requiring timely disclosure of material incidents. Stay compliant and safeguard your business w/ MergeBase’s solutions....

Case Study: Full-spectrum DevSecOps for Software Supply Chain Security

29, Jul 2023 0

How we were able to satisfy the Dev and Ops requirements while integrating security into the whole process of our large financial institution client....

Mergebase Recognized Among Top 15 Cyber Security Startups by Canadian Venture

20, Jul 2023 0

MergeBase is proud to announce that it has been named a Top 15 Cyber Security Startups by Canadian Venture News, reputable platform known for its keen eye for identifying promising ventures in Canada....

MergeBase Welcomes Kelly West as New Chief Technology Officer

18, Jul 2023 0

Vancouver, Canada - July 18th - MergeBase, a leading provider of secure software solutions, is thrilled to announce the appointment of Kelly West as their new Chief Technology Officer (CTO). With over two decades of experience in digital and technology-driven products, Kelly brings a wealth of expertise to the company and will play a crucial role in driving its growth and innovation. As a seasoned product leader, Kelly has an impressive track record of developing successful strategies and achieving dominant market shares for SaaS products. His deep understanding of the challenges associated with providing highly available, robust, and secure SaaS offerings makes him an ideal fit for MergeBase’s vision.

Get full Java coverage with Ant, Gradle and Maven

16, Jul 2023 0

Java engineers, why only get Maven protection if you can get build tool protection for all three? Build with the tool you prefer....

The Top 10 High-Risk Java Security Vulnerabilities, and How to Fix Them

07, Jul 2023 0

Get to know the most commonly searched high-risk Java CVEs in our vulnerability database....

8 Practical Ways to Improve Your Software Supply Chain Maturity

06, Jul 2023 0

As the threat of third-party vulnerability exploitation increases, board members need to take measures to keep their applications safe....

Understanding the Different Standards of SBOM and VEX

04, Jul 2023 0

Gain insights into the standards of Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX). Discover how VEX helps vendors and buyers identify vulnerabilities....

Not all SBOM Generation Tools are Created Equally

29, Jun 2023 0

There are significant differences in the features, capabilities, and quality of different SBOM generation tools. Here are some crucial factors to consider when selecting an SBOM generation tool...

All About SBOMs

27, Jun 2023 0

Are you looking to better understand a Software Bill of Materials (SBOM) and why it’s essential for your organization? Then you’ve come to the right place!...

Introducing Vulnerability Exploitability eXchange (VEX): A Solution for False Positives

22, Jun 2023 0

Robust software security is crucial for safeguarding data and protecting companies. However, false positives in vulnerability detection often lead to inquiries about non-threatening issues. To address this, the groundbreaking solution VEX integrates with SBOM for effective resolution....

How to Manage Your Vendors’ SBOMs with MergeBase

20, Jun 2023 0

Get a tour of the perks and benefits of managing your vendors’ software bill of materials documents through MergeBase SCA....

SBOM Management with MergeBase: The Software Vendor’s Guide

15, Jun 2023 0

Get a tour of the perks and benefits of managing your software bill of materials documents through MergeBase SCA....

Software Bill of Materials (SBOM) in a Nutshell

13, Jun 2023 0

Software security should be a top priority for companies in the face of rapidly evolving cybersecurity threats. Implementing an SBOM is a proactive step towards reducing vulnerabilities and enhancing transparency in software applications....

Vulnerability Remediation and Mitigation: Overviewing the Realities of Runtime Application Security

07, Mar 2023 0

Vulnerability remediation is the process of finding and fixing security vulnerabilities in your systems—and it’s an especially important discipline in the world of software supply chain security....

Snyk vs MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

02, Mar 2023 0

Snyk is the most well-known (and widely marketed) SCA tool in the cyber security industry today—but your application’s security shouldn’t be settled by a popularity contest. Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. This comparison evaluates Snyk and MergeBase on five capabilities that companies find most important when choosing an SCA tool. (If you’d like to see our analysis of all the major SCA solutions side by side, check out our SCA buyer’s guide.

Black Duck vs MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

01, Mar 2023 0

Ten years ago, Black Duck was the go-to SCA solution—but in today’s rapidly-changing cybersecurity environment, older doesn’t mean better, and it’s important to understand how industry leaders stack up against...

Mend (formerly WhiteSource) vs. MergeBase: A Side-by-side Software Composition Analysis Tool Comparison

28, Feb 2023 0

In May of 2022, longstanding SCA solution and leader in application security WhiteSource rebranded as Mend. Mend is still one of the most widely used SCA tools in the cybersecurity world and a common candidate when companies consider a new SCA solution—but is it right for you? Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. This comparison evaluates Mend and MergeBase on five capabilities that companies find most important when choosing an SCA tool.

Patching takes time, sometimes forever.
What can you do now?

20, Feb 2023 0

The majority of software supply chain attacks involve Java-based systems. However, the complexity of third-party libraries, which often make up 80-90% of applications, makes them hard to scan, review and analyze. This is where MergeBase’s Java Runtime Protection comes in as a unique capability in the industry. MergeBase’s SCA Runtime Protection provides visibility into the"...

WAF + Java Runtime Protection = Massive Attack Surface Reduction

20, Feb 2023 0

For twenty years now, the web application firewall (WAF) has been our first line of layer 7 defense against cyberattacks on our Internet-facing applications. While far from perfect, the WAF has undoubtedly protected many insecure and legacy applications from getting owned despite their loose security postures and deprecated third-party components. But in today’s fast-changing world with never-ending software supply chain security vulnerabilities, solely relying on your WAF and its team of support engineers to properly catch every CVE relevant to your application is a strategy for failure. Tactically speaking, it is simply not realistic. Supply chain attacks on open source software grew 650% in 2021.

Black Duck vs. WhiteSource (now Mend) vs. MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

18, Feb 2023 0

When it comes to choosing an SCA solution, any responsible decision maker should consider Black Duck and Mend (formerly WhiteSource). Black Duck has been around longer than any other player...

Snyk vs. WhiteSource (now Mend) vs.  MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

16, Feb 2023 0

No other major player has been in the SCA game longer than Mend (formerly WhiteSource), and Snyk is the most widely known SCA solution in the cybersecurity world. If you’re considering SCA options, you need to be familiar with both of these tools—but are either of them right for you? A purpose-built solution may be a better fit than an older or more popular tool. Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart.

Reduce 3rd-party Risk Proactively

15, Feb 2023 0

The majority of software supply chain attacks involve Java-based systems. However, the complexity of third-party libraries, which often make up 80-90% of applications, makes them hard to scan, review and analyze. This is where MergeBase’s Java Runtime Protection comes in as a unique capability in the industry. MergeBase’s SCA Runtime Protection provides visibility into the Java libraries and methods an application uses, giving a proactive way to monitor, analyze and block potential vulnerabilities. This is especially crucial since the majority of the software supply chain industry only informs users about the existence of a vulnerability at a library level without noting the actual vulnerable function.

Snyk vs. Black Duck vs. MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

14, Feb 2023 0

Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. This comparison evaluates Snyk, Black Duck, and MergeBase on five capabilities that companies find most important when choosing an SCA tool. (If you’d like to see our analysis of all the major SCA solutions side by side, check out our SCA buyer’s guide.) Snyk vs. Black Duck vs. MergeBase: a side-by-side comparison We measured these tools’ competencies in the five most critical areas where a quality SCA tool needs to perform.

You got yourself a free trial! Now what?

31, Jan 2023 0

You got yourself a free trial from MergeBase here; you’ve validated your existence and are now in your dashboard. Now what? Well, that’s a good question. There are 2 aspects to wrap your head around regarding the Mergebase system. Understanding the dashboard Understanding how to scan your applications to the dashboard This blog post will concentrate on getting that first scan successfully completed; then, we’ll look at the dashboard in detail in the next post. Free Trial: First steps The first thing to conquer is seeing if you have java installed and, if not, installing it. Baeldung has a great page about checking to see if you have it installed here: Baeldung, and a good page on how to install java lives here: How to Install.

MergeBase, CI/CD Pipelines & You

27, Dec 2022 0

CI/CD Pipelines are the way of the present. They allow for repeatable, predictable actions & results, which, while boring for real life, is great for your...

Suppression Management: How to Balance Software Supply Chain Security with Practical Business Goals

19, Dec 2022 0

In an ideal world, you would only ever ship immaculately secure versions of your software—free from all known vulnerabilities. However, you’re not building software in an ideal world: the security of your product is just one of many factors that affect what you ship and when you ship it. Budget constraints, talent gaps, operational schedules, and good old-fashioned customer deadlines also come into play—which means software companies often need to sacrifice short-term cybersecurity perfection for the sake of long-term product (and business) viability. This happens in every area of life, not just software. We prop the front door ajar while moving heavy boxes in or out of the home.

What is the best Java Scanning tool?

16, Dec 2022 0

Java is one of the most popular languages in software development—which means hackers are always trying to exploit what vulnerabilities they can in Java libraries. That’s why it’s important to find tools that allow you to scan your code for known vulnerabilities....

Software Supply Chain Implications for Zero Trust

30, Nov 2022 0

Zero Trust (ZT) has been the source of hope and confusion for many organizations looking to improve and modernize their security program. It is not a new concept, but President Biden’s 2021 Executive Order has recently highlighted it. The order cites Zero Trust, Software Supply Chains, and SBOM as critical pieces toward better securing American institutions and people against cyber attacks. There is wide agreement that ZT concepts lead in a positive direction toward better security. Implementing it requires fundamental changes and raises questions: How does it really work? How do I apply it? What are its implications? In this webinar, Jerry Hoff and Julius Musseau break down Zero Trust’s fundamental concepts and resources.

6 Predictions for the Future of SBOM and Software Supply Chain Security

04, Nov 2022 0

In the past few years, software supply chain security has become a topic of interest for governments and regulators thanks to enormous breaches (like log4j and SolarWinds). For example: In...

When Container Scanning Falls Short

02, Nov 2022 0

Are you relying on your container scanning to secure your applications? You might be exposed! Containers have taken IT by storm. They increase delivery speed and stability. To secure them, you just run a scanner, right? Perhaps… Metal detectors cannot detect plastic explosives. Similarly, many container scanners (e.g., Quay, Docker Hub, and even Snyk) are unable to detect the most vulnerable libraries inside Docker containers or Kubernetes clusters. Do you want to know what your container scanner might be missing? Watch this live streaming event with the heavyweight security expert Julius Musseau, where he highlights the issues and presents solutions. Learn about the typical container scanning short falls.

OpenSSL Will Issue a Patch for a Critical Vulnerability on Nov 1st.

31, Oct 2022 0

OpenSSL has classified an upcoming issue as critical severity as it affects common configurations and can be exploited. So far (it’s October 31st right now as I type this blog post), they are not saying anything else. It is mostly a Linux package, so here is what you should do tomorrow: Ubuntu/Debian users should run “apt update” and “apt upgrade,” Redhat/Amazon/Fedora/Suse users should run “yum update,” Alpine users should run “apk update” and “apk upgrade.” Any Docker containers running on base images based on any of the above obviously need to be re-imaged! Typically updates do not require machine restarts, but personally, I would still reboot.

Mitigating Supply-chain and Third-party Risks: What You Need to Know about Bill C-26 and the CCSPA

12, Oct 2022 0

The proposed Critical Cyber Systems Protection Act (bill c-26) could raise security standards for certain organizations in Canada. Here’s how to prepare!...

Shift Left Security: Protect Your Dev Life Cycle with Software Composition Analysis

04, Oct 2022 0

If you’re a developer (or work closely with developers), you’re likely already familiar with the concept of Shift Left Testing. This is the practice of testing your code earlier in the dev cycle rather than later. Traditionally, software goes through the plan, code, and build phases before being tested. However, more and more organizations have recognized that holding quality assurance until the end of the process often leads to a lot of recoding and rebuilding—which takes up time and energy that could be put to more valuable use. (The concepts of “left” and “right” in this discussion refer to a timeline: the earlier something takes place, the further “left” it shifts on that timeline.

Industry Report: The True Costs of False Positives in Software Security

29, Sep 2022 0

False positives occurs when a scan detects a vulnerability that isn’t really present. These might seem harmless, but they waste time and erode team morale....

Peaks vs. Valleys – Perspectives on Software Supply Chains

22, Sep 2022 0

Real-world supply chains can involve planes, ocean freighters, trains, trucks, and even bike couriers. So it’s no surprise that software supply chains also involve a wide variety of complementary production, distribution, and deployment channels. One of the challenges with securing software supply chains is that solutions must be combined to address each conduit supporting the entire chain. Patching the libraries your software engineers copied into your final build is insufficient—you must also consider your base images, the packages and platforms brought in via provisioning scripts, and even possibly plugins deployed by admins post-deployment! Unfortunately, these disparate channels often have different weaknesses and vulnerabilities and require different security approaches.

Software Bill of Materials (SBOM): The Accurate A Guide to Software Supply Chain Security

20, Sep 2022 0

The software bill of materials (SBOM) is a document that lists all the components and subcomponents of your software code. Some regulated industries require these documents as part of their software supply chain security efforts, and as third-party liability policies emerge, SBOMs are becoming a popular defense in the fight against cyber threats. Cyber crime is currently one of the largest causes of criminal money damages in the world, costing individuals, companies, and governments more than $6 trillion USD in reported damages in 2021. This trend is on the rise, with large companies reporting cybercrime as the largest threat in terms of fraud in PwC’s 2022 Global Economic Crime and Fraud Survey.

Scanning Ant-Based Java Projects For Know Vulnerabilities

08, Sep 2022 0

Introduction Ant was Java’s original build system. Ant was developed internally at Sun Microsystems around 2000 to help build the original Tomcat JSP server. I vaguely recall learning many years ago that James Duncan Davidson and Jason Hunter (now of JDOM fame) were the main culprits behind Ant. Of course, we’re now in 2022, and Ant has long since been replaced with Maven. But from 2000 to 2010, Ant was very popular. Even today, many projects, especially internal corporate Java projects, still use Ant. Why fix something when it’s not broken, right? Unfortunately, important application security tools for SBOM generation and known-vulnerability scanning currently don’t work with Ant.

The Executive’s Guide to Third-party Liability in Cyber Security Law

06, Sep 2022 0

As cybercrime becomes more sophisticated, governments have begun introducing initiatives to hold regulated industries accountable for their data security. This includes initiatives involving third-party liability, where software companies are held responsible for vulnerabilities that come from external sources. This is an important issue for both software providers and regulated companies using third-party software. Here, you’ll get an overview of what third-party liability is, why it matters, and what you can do to prepare for third-party liability laws. In this article: 1. What is third-party liability in software? 2. The regulatory gap: how third-party liability became so important 3. Third-party liability in cyber security law

Log4J Reunion Tour 2022 !!!

26, Aug 2022 0

The unofficial, unauthorized retrospective, 9 months later. If it was not clear before, after Log4j, it certainly is now! Everybody uses open-source software in their applications. There are no exceptions, and as a result, we are all at risk of being breached by vulnerabilities in open-source software. The Log4J bug was a wake-up call. The Apache Log4j vulnerability was one of the most significant breaches in recent history. Its impact was felt worldwide, and the repercussions are still being felt today. In this live event, Lunasec founder and CEO Free Wortley, AppSec Expert Jim Manico, and vulnerability scanning implementor (and Apache committer) Julius Musseau come together to discuss the 2021 Log4J debacle.

What are the Best Tools for Generating SBOM (Software Bill Of Materials)?

15, Aug 2022 0

What are the Best Tools for Generating Software Bill Of Materials? We choose 5 tools for generating SBOM, more or less randomly, and tried them out. Here’s what we found!...

API Security – Preventing an API Breach

21, Jul 2022 0

ISt goes without saying that APIs are deployed everywhere. For instance a website click quickly initiates a dozen REST calls directly from your browser and another dozen behind the scenes...

OWASP Top Ten #1 Worst Problem: Poor Access Control

04, Jul 2022 0

Access control is the biggest problem in Application Security. Find out what industry experts have to say about it and how you can protect your applications from it....

How To Avoid Catastrophic Cryptographic Failures In Your Apps

08, Jun 2022 0

Danger, Cryptography Ahead! The latest OWASP Top 10 ranks “Cryptographic Failures” as the 2nd worst security problem currently facing software engineers today. In this webinar AppSec experts Jim Manico (OWASP Top Ten contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will discuss why this is the case and offer the best practices and resources for developers trying to avoid such failures in their own systems. As the very recent (and very serious) CVE-2022-21449 shows – this problem never goes away! It’s hard for software practitioners to stay up-to-date because new critical cryptographic weaknesses and configuration disasters are discovered and disseminated every year, and seemingly tiny benign mistakes can be game over.

OWASP ASVS: your balanced appsec diet

12, May 2022 0

Build strength, fitness and peace of mind! In this webinar, application security heavyweights Jim Manico (OWASP Top Ten contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will talk about the best thing that can happen to you if your application security team is overwhelmed, overworked and over-worried. What you will learn in this section: Are you thinking of establishing a balanced appsec process, or are you looking at fine-tuning your existing process? The first application security standard by developers for developers! That defines three risk levels with 200+ controls. And gives you a similar value to ISO 27034 for a fraction of the hassle.

I was asked: Are your application secure?

04, May 2022 0

Five hours of googling later I realized that the concept of an application secure was in fact ephemeral. Is anything, anywhere safe?...

How to Deploy an Effective Application Security Toolset?

15, Apr 2022 0

In this webinar, application security experts will go over best practices for rolling out an effective Application Security Toolset to your software development and security teams....

When Dependabot Is Worse Than Nothing: Log4J As A Sub-Dependency

16, Mar 2022 0

Dependency management is a critical aspect of software development that ensures applications have access to up-to-date and secure libraries and frameworks. One popular tool in the industry for managing dependencies is Dependabot. However, despite its promising features and integrations, Dependabot has a significant implementation flaw that limits its effectiveness Watch this webinar about how Dependabot applies to you and find out how to fix this :). Why should you care about using Dependabot? Because if you’re using industry-standard software leader Dependabot, then your devs didn’t fix the recent Log4J problem properly. If you’re using it, then the tools you’re using now aren’t getting the job done.

OWASP Top 10 2021 Explained

10, Mar 2022 0

Compromises in the application layer are now responsible for 40% of breaches. Two years ago that was 24%. Obviously, time to pay attention to application security. OWASP will give you a running start with their Top 10. Why use OWASP top 10 vulnerabilities? Imagine if a dozen of the top cybersecurity experts in the world reviewed your software for security problems. Since application security is generally not well covered in university, college, and bootcamp software courses, it’s likely they would probably find a lot of problems! Of course, hiring even 1 security expert to review your work is out of reach for a lot of software teams – let alone 12 experts.

How to Instantly Secure Log4j

28, Dec 2021 0

The log4j vulnerability was announced on December 10, 2021, and ranks as one of the worst in history. How to secure log4j? The best resolution is to upgrade to a secure version. However, sometimes that is not possible, or at least it takes time. In these scenarios, runtime protection for log4j or other vulnerabilities can be a lifesaver. In organizations that have hundreds or thousands of applications, it can take days or even weeks of an all-out effort to upgrade these applications. Or it could be that the vulnerable applications are supplied by a vendor, and the vendor does not have a fix immediately available.

Critical Java Log4j Vulnerability

10, Dec 2021 0

What can go wrong with a tool that just logs messages to a text-based file? Nothing right? Suddenly on December 11, 2021, we were all exposed to the log4j vulnerability,...

Don’t Let Third-Party Vulnerabilities Run Wild

04, Oct 2021 0

You’re leaving up to 90% of what you run exposed to threats. Today’s software and applications are predominantly built with third-party components. Don’t let third-party vulnerabilities run wild! It isn’t enough to analyze your own code–your Software Composition Analysis (SCA) tools need to also consider any third-party components used by your offering and services. Learn what you can do to not let third-party vulnerabilities happen How to ensure your DevOps and DevSecOps teams are equipped with the tools they need to identify new threats How to integrate remediation tools and processes that consider your entire CI/CD pipeline and code in production How to develop and implement a complete and accurate software bill of materials (SBOM) process for your code and third-party software How to apply a mechanism for obtaining detailed reports on risk and suppression The Growing Influence of Open Source Components: Over the past 15 years, the development of software has seen a significant shift towards utilizing open source components and libraries.

Scanning a firecracker microVM with MergeBase

14, Sep 2021 0

Firecracker microVM is a virtual machine monitor that allows you to create and manage microVMs. It leverages the Linux Kernel-based Virtual Machine (KVM) and utilizes a minimalist design for increased security. As firecracker microVMs do not include unnecessary devices and guest functionality, they provide a reduced memory footprint and attack surface area. The firecracker architecture is used by and integrated with several infrastructure solutions such as appfleet, containerd, fly.io, and OpenNebula. In this article, we will be building a firecracker containerd microVM and scan it for any known vulnerabilities with MergeBase. In this article: 1. Building a firecracker microVM 1.1. Install the latest version of Go

Ubuntu Docker Container Scanning – Is it enough to protect your app?

28, Jun 2021 0

In this post, we are going to look at Docker container scanning: First, we will build an Ubuntu Docker container, add some software to it, run a Docker scan, and record the vulnerabilities. Then, we will try to resolve some of those vulnerabilities, run another scan, and examine the results. Finally, we will determine whether container scanning is enough to protect your applications and data from compromise. Building the Docker Container We will build our Ubuntu Docker container using the Ubuntu Xenial image. Since it is a few versions behind, it will hopefully contain a few vulnerabilities. We are also going to install Python, PIP3, and a vulnerable version of urllib3.

Container Security Tools Comparison for Vulnerability Scans

17, Jun 2021 0

Recently, we took on a new challenge: compare 5 popular container security tools, including our solution. We wanted to see how the products stack up against each other. How did...

“Enhance software supply chain security,” says White House

13, May 2021 0

Summary Software supply chain security is a common theme in recent attacks such as on the Colonial Pipeline and SolarWinds. In response, President Biden released an executive order to improve the nation’s cyber security. The order is a testimony to the importance of the digital ecosystem today to our society, economy and way of life. Cyber security is critical in protecting it, and the President’s clear message is that we need to do more. The government wants to improve its own cyber security practices and related agencies. It also proposes to remove barriers to information sharing and enhance software supply chain security.

What is a Supply Chain Attack?

06, May 2021 0

Summary A supply chain attack leverages the access of an external partner or provider to gain unauthorized entry to a system or network. It takes advantage of the inherent trust a target has in its suppliers, using it to infiltrate and launch the cyber-attack. Its use of stealth and its indirect ‘trusted’ approach make a supply chain attack an effective weapon in any threat actor’s arsenal. Every organization and individual relies on third-party software in some way or another. When we install software, hardware, or use code from a trusted source, it is natural to assume that it hides no malicious intent.

Open Source Risk: Plugging the Hole

15, Apr 2021 0

Table of Contents 1. The Origin 2. The Growth 3. Open Source Risks: Is it really free? 4. The Best Defence: SCA / OSS The Origin Software development based on the sharing and collaborative improvement of software source code goes back to its origins. In the late 1990s, the term “open-source” was coined and received mainstream recognition in publications such as Forbes. The Netscape browser’s source code was made open source, which got a lot of attention. The original open source projects were “revolutions” against the “unfair” profits that closed-source software companies were reaping. It was argued that Microsoft, Oracle, SAP and others were extracting monopoly-like “rents” for software, which the top developers of the time did not believe was world-class.

A Critical Look at Cyber Security Investment

31, Mar 2021 0

Cyber defense is a global whack-a-mole game with hundreds of billions of dollars being invested in offensive and defensive capabilities. After you invest in one area another area of risk...

Software Composition Analysis (SCA) vs. Java Über Jars

05, Feb 2021 0

Introduction Über jars are a type of reuseable Java library that applications sometimes (knowingly or not) incorporate into their systems. Über jars are particularly challenging for software composition analysis (SCA) tools to understand because their structure and organization are complex. In this blog post, I explain what über jars are and why they exist, and I provide a mini-benchmark to see how current SCA tools deal with this type of Java library. In this article:

1. Introduction
2. TLDR
3. Background
4. Why would anyone create an über jar in the first place?
5. Über jars are a challenge for SCA

Scanning .NET and NuGet projects for known vulnerabilities

03, Sep 2020 0

Are you scanning .NET and Nuget software for security vulnerabilities accurately? We have tested 7 tools! Find out more with this comprehensive comparison....

Introducing CodeGreen for Bitbucket

06, Jul 2020 0

In this post, you will learn how to improve your application security within hours after you install CodeGreen at your local Bitbucket administrator. _Recommended pre-reading: _Intro to SCA – Software Composition Analysis (mergebase.com) Atlassian Marketplace Link: MergeBase CodeGreen (marketplace.atlassian.com) Introduction One of the main challenges with known vulnerabilities is how they mess with standard software lifecycles. A lot of traditional quality engineering relies on the old saying, “if it’s not broken, don’t touch it.” Known vulnerability announcements for popular open source libraries completely go against that since they are discovered and announced more or less at random. A good known-vulnerability SCA solution needs to deal with three very different cadences through which known vulnerabilities will manifest themselves in your software:

MergeBase Successful Seed Raise

22, Mar 2020 0

Successful Seed Raise Will cybercrime cause $1 trillion in damage to an already-vulnerable economy by 2022? Not if MergeBase Software Inc. has anything to do with it. The company has just announced a successful seed raise of $500,000 in funding for its best-in-class cybersecurity product — helping it ramp up sales and distribution. The funding round officially closed on March 19, 2022. “I’m impressed that during this unprecedented crisis, business leaders and investors are able to ‘keep calm and carry on, continuing to invest in leading-edge technology to solve critical problems like cybercrime,” says MergeBase CEO Oscar van der Meer. The current COVID-19 crisis and social distancing measures will only accelerate the move to a fully digital economy.

The “Upgrade Problem” with Open Source Software Vulnerabilities

04, Jan 2020 0

In this article: 1. Background 2. The Upgrade Problem 3. How to manage open source software vulnerabilities and license risk? 4. Risk management for your open source software Background Why do we need a Software Composition Analysis tool against open source software vulnerabilities? Well, that is a long story: Commercial and industrial software is now primarily constructed from components. Open source components, to be exact. Open source software licenses dramatically decrease business frictions that arise from incorporating and integrating software developed by external entities. No more contract negotiation or in-house legal review! Add to this the fact that many software use cases are more or less identical across systems: HTTP connectivity, encryption, spell checking, transaction management, database object mapping, unit testing, etc.

Preventing Git Rebase Fights

04, Jun 2018 0

In this article: 1. What’s a Git Rebase Fight? 2. Solution: Optimistic Build Status Propagation 3. What Causes Git Rebase Fights? 4. Triple-Dot-Diff and “git patch-id” What’s a Git Rebase Fight? Have you ever experienced this situation?

1. You go to merge your PR (pull-request), but the PR says it must be rebased before you can merge.
2. You rebase it, which kicks off a new build. But the build must complete before you’re allowed to merge.
3. The build completes! Yay! But while you were waiting, someone else managed to merge their PR, updating origin/master with their work. Uh oh!

Git V: An Optimal Git Branching Model

04, Jun 2018 0

In this blog post: Primary Mechanics of Git V Off Stage Mechanics How To Implement Git V How To Implement Git V with Bitbucket Server Git V – FAQ Comparison: Git V vs. Git Flow Comparison: Git V vs. Release Flow (Microsoft) Comparison: Git V vs. Linux Branching Model Introduction Git V is a branching model. In other words, it’s a way for teams of humans working in parallel on software to serialize their work into useful and organized streams of commits. At a high level, Git V divides work into two primary streams: destabilizing work (master) and stabilizing work (release branches).

DOING GIT PULL WRONG

07, Mar 2018 0

Too much fun with “git pull –rebase” Note: this article refers to “git pull -r” and “git pull –rebase” interchangeably. They are the same command, except the merge-preserving variation can only be specified via the long form: git pull –rebase=preserve In this article: 1. Investigating ‘git pull –rebase’ 2. The Experiment 3. Preconditions 4. Conclusion: Time To Revise The Golden Rule Introduction I’ve long known that “git pull –rebase” reconciles the local branch correctly against upstream amends, rebases, and reorderings. The official “git rebase” documentation attests to this: ‘Note that any commits in HEAD which introduce the same textual changes as a commit in HEAD.

Load More