Welcome to MergeBase Blog

The Enterprise Guide to AppSec Tech Stack Consolidation

16, Nov 2023 0

You’re trying to make your AppSec environment less complex and more efficient. Should you move to a single vendor or use a few best-in-breed solutions?

Cyber Expert’s Opinion about President Biden’s Executive Order on AI Security

14, Nov 2023 0

Explore the implications of President Biden’s Executive Order on AI Security with our comprehensive analysis. Dive into expert insights and understand the steps towards a safer AI future.

SEC Sues SolarWinds: What Does This Mean for Cybersecurity Leaders?

10, Nov 2023 0

The U.S. Government has begun holding software vendors liable for cybersecurity negligence—here’s what that means for you.

The latest software security intel (October 2023)

07, Nov 2023 0

All in one place: hot tips, the latest vulnerabilities, AI safety, how to make security implementation a top priority, SEC charges solarwinds and more.

Navigating Cyber Threats: A Look at Recent Hacking Incidents

04, Nov 2023 0

Explore the Recent Hacking Incidents: Lazarus hackers, AWS cryptojacking, and Apache ActiveMQ flaws. Stay informed and protect against evolving cyber threats.

How to get your Software Composition Analysis (SCA) tool implemented

24, Oct 2023 0

In an insightful discussion led by Oscar, experts Farshad, Ingeborg, and Kelly delve into the complexities of integrating SCA (Software Composition Analysis) tools in businesses. The conversation underscores the importance of cultivating relationships, grasping technical challenges, and valuing the crucial role of human interaction.

Unpacking the Latest Secure by Design Guidance

17, Oct 2023 0

Dive into the recent updates of the Secure by Design guidance, showcasing a united front by global cybersecurity agencies for robust software security.

New Vulnerabilities and How to Remediate Them with MergeBase

12, Oct 2023 0

Explore new vulnerabilities, state-sponsored threats, and how MergeBase can help protect your software supply chain. Stay ahead of cyberattacks.

How to Find and Fix Known Vulnerabilities in Your Java Software Supply Chain

10, Oct 2023 0

Security is more important than ever when it comes to making, selling, and maintaining software. Here’s how MergeBase can help you keep your Java applications secure.

The latest software security intel (September 2023)

30, Sep 2023 0

Don’t get out of date, here’s all your security news in one place.

Navigating the Future of Cybersecurity: Government, AI, and Your Business

15, Sep 2023 0

In this enlightening conversation, Delan, Oscar and Kelly delves into the critical aspects of cybersecurity risk management, vulnerability exploitation, hackers, artificial intelligence (AI), and the essential processes required to ensure robust security in today’s digital landscape.

Supercharge Your Software Development: 5 Key Benefits of MergeBase for Java Engineers

12, Sep 2023 0

Dive into this blog post to explore the top 5 Software Composition Analysis (SCA) benefits that MergeBase offers to Java engineers.

The latest software security intel (August 2023)

30, Aug 2023 0

Don’t get out of date, here’s all your security news in one place.

The 10 Major Java Vulnerability Types that Threaten Your Software

29, Aug 2023 0

Understand the most common ways that hackers exploit Java applications, and see how MergeBase can protect you from them.

Is Software Supply Chain Security on Your Risk Register? It Should Be

15, Aug 2023 0

Navigate Changing Cybersecurity Landscape: U.S. National Cybersecurity Strategy & SEC Rules shift liability to software firms. Mitigate risk – software supply chain attacks surge. Update your risk register now.

Safeguarding the Java Ecosystem: How to Protect Against Software Supply Chain Attacks

14, Aug 2023 0

Explore the Java ecosystem’s intricacies and discover practical strategies to defend against software supply chain attacks.

4 Signs It’s Time to Upgrade from OWASP Dependency-Check (and How to Make a Strong Business Case)

10, Aug 2023 0

Dependency-Check is a free SCA tool—but it has its limitations. Here’s how to make the business case to upgrade to a premium SCA solution.

SEC Cybersecurity Rules - The Game-Changing 4-day rule for Reporting

01, Aug 2023 0

Discover SEC’s cybersecurity rules, requiring timely disclosure of material incidents. Stay compliant and safeguard your business w/ MergeBase’s solutions.

The latest software security intel | July 2023

30, Jul 2023 0

Get the latest intel you need to respond to cyberthreats with Gartner’s report.

Case Study: Full-spectrum DevSecOps for Software Supply Chain Security

29, Jul 2023 0

How we were able to satisfy the Dev and Ops requirements while integrating security into the whole process of our large financial institution client.

Mergebase Recognized Among Top 15 Cyber Security Startups by Canadian Venture

20, Jul 2023 0

MergeBase is proud to announce that it has been named a Top 15 Cyber Security Startups by Canadian Venture News, reputable platform known for its keen eye for identifying promising ventures in Canada.

MergeBase Welcomes Kelly West as New Chief Technology Officer

18, Jul 2023 0

Vancouver, Canada - July 18th - MergeBase, a leading provider of secure software solutions, is thrilled to announce the appointment of Kelly West as their new Chief Technology Officer (CTO). With over two decades of experience in digital and technology-driven products, Kelly brings a wealth of expertise to the company and will play a crucial role in driving its growth and innovation. As a seasoned product leader, Kelly has an impressive track record of developing successful strategies and achieving dominant market shares for SaaS products. His deep understanding of the challenges associated with providing highly available, robust, and secure SaaS offerings makes him an ideal fit for MergeBase’s vision.

Get full Java coverage with Ant, Gradle and Maven

16, Jul 2023 0

Java engineers, why only get Maven protection if you can get build tool protection for all three? Build with the tool you prefer.

The Top 10 High-Risk Java Security Vulnerabilities, and How to Fix Them

07, Jul 2023 0

Get to know the most commonly searched high-risk Java CVEs in our vulnerability database.

8 Practical Ways to Improve Your Software Supply Chain Maturity

06, Jul 2023 0

As the threat of third-party vulnerability exploitation increases, board members need to take measures to keep their applications safe.

Understanding the Different Standards of SBOM and VEX

04, Jul 2023 0

Gain insights into the standards of Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX). Discover how VEX helps vendors and buyers identify vulnerabilities.

The latest software security intel | June 2023

30, Jun 2023 0

Don’t get out of date, here’s all your app security news in one place

Not all SBOM Generation Tools are Created Equally

29, Jun 2023 0

There are significant differences in the features, capabilities, and quality of different SBOM generation tools. Here are some crucial factors to consider when selecting an SBOM generation tool

All About SBOMs

27, Jun 2023 0

Are you looking to better understand a Software Bill of Materials (SBOM) and why it’s essential for your organization? Then you’ve come to the right place!

Introducing Vulnerability Exploitability eXchange (VEX): A Solution for False Positives

22, Jun 2023 0

Robust software security is crucial for safeguarding data and protecting companies. However, false positives in vulnerability detection often lead to inquiries about non-threatening issues. To address this, the groundbreaking solution VEX integrates with SBOM for effective resolution.

How to Manage Your Vendors’ SBOMs with MergeBase

20, Jun 2023 0

Get a tour of the perks and benefits of managing your vendors’ software bill of materials documents through MergeBase SCA.

SBOM Management with MergeBase: The Software Vendor’s Guide

15, Jun 2023 0

Get a tour of the perks and benefits of managing your software bill of materials documents through MergeBase SCA.

Software Bill of Materials (SBOM) in a Nutshell

13, Jun 2023 0

Software security should be a top priority for companies in the face of rapidly evolving cybersecurity threats. Implementing an SBOM is a proactive step towards reducing vulnerabilities and enhancing transparency in software applications.

The latest software security intel | April 2023

30, Apr 2023 0

Don’t get out of date, here’s all your app security news in one place

The latest software security intel | March 2023

30, Mar 2023 0

Don’t get out of date, here’s all your app security news in one place

Vulnerability Remediation and Mitigation: Overviewing the Realities of Runtime Application Security

07, Mar 2023 0

Vulnerability remediation is the process of finding and fixing security vulnerabilities in your systems—and it’s an especially important discipline in the world of software supply chain security.

Snyk vs MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

02, Mar 2023 0

Snyk is the most well-known (and widely marketed) SCA tool in the cyber security industry today—but your application’s security shouldn’t be settled by a popularity contest. Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. This comparison evaluates Snyk and MergeBase on five capabilities that companies find most important when choosing an SCA tool. (If you’d like to see our analysis of all the major SCA solutions side by side, check out our SCA buyer’s guide.

Black Duck vs MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

01, Mar 2023 0

Ten years ago, Black Duck was the go-to SCA solution—but in today’s rapidly-changing cybersecurity environment, older doesn’t mean better, and it’s important to understand how industry leaders stack up against

Mend (formerly WhiteSource) vs. MergeBase: A Side-by-side Software Composition Analysis Tool Comparison

28, Feb 2023 0

In May of 2022, longstanding SCA solution and leader in application security WhiteSource rebranded as Mend. Mend is still one of the most widely used SCA tools in the cybersecurity world and a common candidate when companies consider a new SCA solution—but is it right for you? Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. This comparison evaluates Mend and MergeBase on five capabilities that companies find most important when choosing an SCA tool.

Patching takes time, sometimes forever.
What can you do now?

20, Feb 2023 0

The majority of software supply chain attacks involve Java-based systems. However, the complexity of third-party libraries, which often make up 80-90% of applications, makes them hard to scan, review and analyze. This is where MergeBase’s Dynamic Application Surveillance and Hardening (DASH) comes in as a unique capability in the industry.

WAF + Java Runtime Protection = Massive Attack Surface Reduction

20, Feb 2023 0

For twenty years now, the web application firewall (WAF) has been our first line of layer 7 defense against cyberattacks on our Internet-facing applications. While far from perfect, the WAF has undoubtedly protected many insecure and legacy applications from getting owned despite their loose security postures and deprecated third-party components. But in today’s fast-changing world with never-ending software supply chain security vulnerabilities, solely relying on your WAF and its team of support engineers to properly catch every CVE relevant to your application is a strategy for failure. Tactically speaking, it is simply not realistic. Supply chain attacks on open source software grew 650% in 2021.

Black Duck vs. WhiteSource (now Mend) vs. MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

18, Feb 2023 0

When it comes to choosing an SCA solution, any responsible decision maker should consider Black Duck and Mend (formerly WhiteSource). Black Duck has been around longer than any other player

Snyk vs. WhiteSource (now Mend) vs.  MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

16, Feb 2023 0

No other major player has been in the SCA game longer than Mend (formerly WhiteSource), and Snyk is the most widely known SCA solution in the cybersecurity world. If you’re considering SCA options, you need to be familiar with both of these tools—but are either of them right for you? A purpose-built solution may be a better fit than an older or more popular tool. Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart.

Reduce 3rd-party Risk Proactively with Dynamic Application Surveillance and Hardening

15, Feb 2023 0

MergeBase’s Java Runtime Protection provides visibility into the libraries and methods an application uses, giving a proactive way to monitor, analyze and block potential vulnerabilities. Find more here.

Snyk vs. Black Duck vs. MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

14, Feb 2023 0

Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. This comparison evaluates Snyk, Black Duck, and MergeBase on five capabilities that companies find most important when choosing an SCA tool. (If you’d like to see our analysis of all the major SCA solutions side by side, check out our SCA buyer’s guide.) Snyk vs. Black Duck vs. MergeBase: a side-by-side comparison We measured these tools’ competencies in the five most critical areas where a quality SCA tool needs to perform.

You got yourself a free trial! Now what?

31, Jan 2023 0

You got yourself a free trial from MergeBase here; you’ve validated your existence and are now in your dashboard. Now what? Well, that’s a good question. There are 2 aspects to wrap your head around regarding the Mergebase system. Understanding the dashboard Understanding how to scan your applications to the dashboard This blog post will concentrate on getting that first scan successfully completed; then, we’ll look at the dashboard in detail in the next post. Free Trial: First steps The first thing to conquer is seeing if you have java installed and, if not, installing it. Baeldung has a great page about checking to see if you have it installed here: Baeldung, and a good page on how to install java lives here: How to Install.

MergeBase, CI/CD Pipelines & You

27, Dec 2022 0

CI/CD Pipelines are the way of the present. They allow for repeatable, predictable actions & results, which, while boring for real life, is great for your

Suppression Management: How to Balance Software Supply Chain Security with Practical Business Goals

19, Dec 2022 0

In an ideal world, you would only ever ship immaculately secure versions of your software—free from all known vulnerabilities. However, you’re not building software in an ideal world: the security of your product is just one of many factors that affect what you ship and when you ship it. Budget constraints, talent gaps, operational schedules, and good old-fashioned customer deadlines also come into play—which means software companies often need to sacrifice short-term cybersecurity perfection for the sake of long-term product (and business) viability. This happens in every area of life, not just software. We prop the front door ajar while moving heavy boxes in or out of the home.

What is the best Java Scanning tool?

16, Dec 2022 0

Java is one of the most popular languages in software development—which means hackers are always trying to exploit what vulnerabilities they can in Java libraries. That’s why it’s important to find tools that allow you to scan your code for known vulnerabilities.

Software Supply Chain Implications for Zero Trust

30, Nov 2022 0

Discover fundamental concepts, definitions and implications of Zero Trust. And FINd out how Zero Trust intersects with application security, SBOM, and software supply chains.

6 Predictions for the Future of SBOM and Software Supply Chain Security

04, Nov 2022 0

In the past few years, software supply chain security has become a topic of interest for governments and regulators thanks to enormous breaches (like log4j and SolarWinds).

When Container Scanning Falls Short

02, Nov 2022 0

Are you relying on your container scanning to secure your applications? You might be exposed! Containers have taken IT by storm. They increase delivery speed and stability. To secure them, you just run a scanner, right? Perhaps… Metal detectors cannot detect plastic explosives. Similarly, many container scanners (e.g., Quay, Docker Hub, and even Snyk) are unable to detect the most vulnerable libraries inside Docker containers or Kubernetes clusters. Do you want to know what your container scanner might be missing? Watch this live streaming event with the heavyweight security expert Julius Musseau where he highlights the issues and presents solutions. Learn about the typical container scanning short falls.

OpenSSL Will Issue a Patch for a Critical Vulnerability on Nov 1st.

31, Oct 2022 0

OpenSSL has classified an upcoming issue as critical severity as it affects common configurations and can be exploited (CVE-2022-3602). So far (it’s October 31st right now as I type this blog post), they are not saying anything else. It is mostly a Linux package, so here is what you should do tomorrow: Ubuntu/Debian users should run “apt update” and “apt upgrade,” Redhat/Amazon/Fedora/Suse users should run “yum update,” Alpine users should run “apk update” and “apk upgrade.” Any Docker containers running on base images based on any of the above obviously need to be re-imaged! Typically updates do not require machine restarts, but personally, I would still reboot.

Mitigating Supply-chain and Third-party Risks: What You Need to Know about Bill C-26 and the CCSPA

12, Oct 2022 0

The proposed Critical Cyber Systems Protection Act (bill c-26) could raise security standards for certain organizations in Canada. Here’s how to prepare!

Shift Left Security: Protect Your Dev Life Cycle with Software Composition Analysis

04, Oct 2022 0

A secure software product comes from a secure development process—here’s how to shift left with an SCA like MergeBase

Industry Report: The True Costs of False Positives in Software Security

29, Sep 2022 0

False positives occurs when a scan detects a vulnerability that isn’t really present. These might seem harmless, but they waste time and erode team morale.

Peaks vs. Valleys – Perspectives on Software Supply Chains

22, Sep 2022 0

Real-world supply chains can involve planes, ocean freighters, trains, trucks, and even bike couriers. So it’s no surprise that software supply chains also involve a wide variety of complementary production, distribution, and deployment channels.

Software Bill of Materials (SBOM): The Accurate A Guide to Software Supply Chain Security

20, Sep 2022 0

The SBOM is a relatively new concept, and SBOM practices haven’t normalized yet. This guide helps you understand what it is, what it’s for, and how to use it.

Scanning Ant-Based Java Projects For Know Vulnerabilities with MergeBase

08, Sep 2022 0

Introduction Ant was Java’s original build system. Ant was developed internally at Sun Microsystems around 2000 to help build the original Tomcat JSP server. I vaguely recall learning many years ago that James Duncan Davidson and Jason Hunter (now of JDOM fame) were the main culprits behind Ant. Of course, we’re now in 2022, and Ant has long since been replaced with Maven. But from 2000 to 2010, Ant was very popular. Even today, many projects, especially internal corporate Java projects, still use Ant. Why fix something when it’s not broken, right? Unfortunately, important application security tools for SBOM generation and known-vulnerability scanning currently don’t work with Ant.

The Executive’s Guide to Third-party Liability in Cyber Security Law

06, Sep 2022 0

As cybercrime becomes more sophisticated, governments have begun introducing initiatives to hold regulated industries accountable for their data security. This includes initiatives involving third-party liability, where software companies are held responsible for vulnerabilities that come from external sources. This is an important issue for both software providers and regulated companies using third-party software. Here, you’ll get an overview of what third-party liability is, why it matters, and what you can do to prepare for third-party liability laws. In this article: 1. What is third-party liability in software? 2. The regulatory gap: how third-party liability became so important 3. Third-party liability in cyber security law

Log4J Reunion Tour 2022 !!!

26, Aug 2022 0

Explore the Apache Log4j vulnerability’s impact and lessons in cybersecurity, with expert insights, tools, and advice for software stakeholders.

What are the Best Tools for Generating SBOM (Software Bill Of Materials)?

15, Aug 2022 0

What are the Best Tools for Generating Software Bill Of Materials? We choose 5 tools for generating SBOM, more or less randomly, and tried them out. Here’s what we found!

API Security – Preventing an API Breach

21, Jul 2022 0

ISt goes without saying that APIs are deployed everywhere. For instance a website click quickly initiates a dozen REST calls directly from your browser and another dozen behind the scenes

OWASP Top Ten #1 Worst Problem: Poor Access Control

04, Jul 2022 0

Access control is the biggest problem in Application Security. Find out what industry experts have to say about it and how you can protect your applications from it.

How To Avoid Catastrophic Cryptographic Failures In Your Apps

08, Jun 2022 0

Danger, Cryptography Ahead! The latest OWASP Top 10 ranks “Cryptographic Failures” as the 2nd worst security problem currently facing software engineers today. As the very recent (and very serious) CVE-2022-21449 shows – this problem never goes away! It’s hard for software practitioners to stay up-to-date because new critical cryptographic weaknesses and configuration disasters are discovered and disseminated every year, and seemingly tiny benign mistakes can be game over. In this webinar AppSec experts Jim Manico (OWASP Top Ten contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will discuss why this is the case and offer the best practices and resources for developers trying to avoid such failures in their own systems:

OWASP ASVS: your balanced appsec diet

12, May 2022 0

Build strength, fitness and peace of mind! In this webinar, application security heavyweights Jim Manico (OWASP Top Ten contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will talk about the best thing that can happen to you if your application security team is overwhelmed, overworked and over-worried. What you will learn in this section: Are you thinking of establishing a balanced appsec process, or are you looking at fine-tuning your existing process? The first application security standard by developers for developers! That defines three risk levels with 200+ controls. And gives you a similar value to ISO 27034 for a fraction of the hassle.

I was asked: Are your application secure?

04, May 2022 0

Five hours of googling later I realized that the concept of an application secure was in fact ephemeral. Is anything, anywhere safe?

How to Deploy an Effective Application Security Testing Toolset?

15, Apr 2022 0

In this webinar, application security experts will go over best practices for rolling out an effective Application Security Toolset to your software development and security teams.

MergeBase Successful Seed Raise

22, Mar 2022 0

Will cybercrime cause $1 trillion in damage to an already-vulnerable economy by 2022? Not if MergeBase Software Inc. has anything to do with it. The company has just announced a successful seed raise of $500,000 in funding for its best-in-class cybersecurity product — helping it ramp up sales and distribution. The funding round officially closed on March 19, 2022. “I’m impressed that during this unprecedented crisis, business leaders and investors are able to ‘keep calm and carry on, continuing to invest in leading-edge technology to solve critical problems like cybercrime,” says MergeBase CEO Oscar van der Meer. The current COVID-19 crisis and social distancing measures will only accelerate the move to a fully digital economy.

When Dependabot Is Worse Than Nothing: Log4J As A Sub-Dependency

16, Mar 2022 0

Learn how to use dependabot GitHub’s built-in security and avoid the pitfalls. Such as not being able to find transitive dependencies like log4j.

OWASP Top 10 2021 Explained

10, Mar 2022 0

The alarming escalation to 40% of data breaches originating from application layer vulnerabilities represents not just a statistic, but a clarion call to the industry. This figure marks a significant increase from the 24% reported merely two years prior, underscoring an urgent need for a strategic focus on application security. Obviously, it is time to pay attention to application security. The Open Web Application Security Project (OWASP) will give you a running start with their OWASP Top 10. What is the OWASP Top 10 list? The OWASP Top 10 is a pivotal awareness document for web developers and professionals engaged in web application security.

How to Instantly Secure Log4j

28, Dec 2021 0

The log4j vulnerability was announced on December 10, 2021, and ranks as one of the worst in history. How to secure log4j? The best resolution is to upgrade to a secure version. However, sometimes that is not possible, or at least it takes time. In these scenarios, runtime protection for log4j or other vulnerabilities can be a lifesaver. In organizations that have hundreds or thousands of applications, it can take days or even weeks of an all-out effort to upgrade these applications. Or it could be that the vulnerable applications are supplied by a vendor, and the vendor does not have a fix immediately available.

Critical Java Log4j Vulnerability

10, Dec 2021 0

What can go wrong with a tool that just logs messages to a text-based file? Nothing right? Suddenly on December 11, 2021, we were all exposed to the log4j vulnerability,

Don’t Let Third-Party Vulnerabilities Run Wild

04, Oct 2021 0

You’re leaving up to 90% of what you run exposed to threats. Today’s software and applications are predominantly built with third-party components. Don’t let third-party vulnerabilities run wild! It isn’t enough to analyze your own code–your Software Composition Analysis (SCA) tools need to also consider any third-party components used by your offering and services. Learn what you can do to not let third-party vulnerabilities happen How to ensure your DevOps and DevSecOps teams are equipped with the tools they need to identify new threats How to integrate remediation tools and processes that consider your entire CI/CD pipeline and code in production How to develop and implement a complete and accurate software bill of materials (SBOM) process for your code and third-party software How to apply a mechanism for obtaining detailed reports on risk and suppression The Growing Influence of Open Source Components: Over the past 15 years, the development of software has seen a significant shift towards utilizing open source components and libraries.

Scanning a firecracker microVM with MergeBase

14, Sep 2021 0

Firecracker microVM is a virtual machine monitor that allows you to create and manage microVMs. It leverages the Linux Kernel-based Virtual Machine (KVM) and utilizes a minimalist design for increased security. As firecracker microVMs do not include unnecessary devices and guest functionality, they provide a reduced memory footprint and attack surface area. The firecracker architecture is used by and integrated with several infrastructure solutions such as appfleet, containerd, fly.io, and OpenNebula. In this article, we will be building a firecracker containerd microVM and scan it for any known vulnerabilities with MergeBase. In this article:

1. Building a firecracker microVM

• Install the latest version of Go

Ubuntu Docker Container Scanning – Is it enough to protect your app?

28, Jun 2021 0

In this post, we are going to look at Docker container scanning: First, we will build an Ubuntu Docker container, add some software to it, run a Docker scan, and record the vulnerabilities. Then, we will try to resolve some of those vulnerabilities, run another scan, and examine the results. Finally, we will determine whether container scanning is enough to protect your applications and data from compromise. Building the Docker Container We will build our Ubuntu Docker container using the Ubuntu Xenial image. Since it is a few versions behind, it will hopefully contain a few vulnerabilities. We are also going to install Python, PIP3, and a vulnerable version of urllib3.

Container Security Tools Comparison for Vulnerability Scans

17, Jun 2021 0

Recently, we took on a new challenge: compare 5 popular container security tools, including our solution. We wanted to see how the products stack up against each other. How did

“Enhance software supply chain security,” says White House

13, May 2021 0

Software supply chain security is a common theme in recent attacks such as on the Colonial Pipeline and SolarWinds. In response, President Biden released an executive order to improve the nation’s cyber security. The order is a testimony to the importance of the digital ecosystem today to our society, economy and way of life. Cyber security is critical in protecting it, and the President’s clear message is that we need to do more. The government wants to improve its own cyber security practices and related agencies. It also proposes to remove barriers to information sharing and enhance software supply chain security.

What is a Supply Chain Attack?

06, May 2021 0

A supply chain attack leverages the access of an external partner or provider to gain unauthorized entry to a system or network. It takes advantage of the inherent trust a target has in its suppliers, using it to infiltrate and launch the cyber-attack. Its use of stealth and its indirect ‘trusted’ approach make a supply chain attack an effective weapon in any threat actor’s arsenal. Every organization and individual relies on third-party software in some way or another. When we install software, hardware, or use code from a trusted source, it is natural to assume that it hides no malicious intent.

Open Source Risk: Plugging the Hole

15, Apr 2021 0

Open source refers to a type of software whose source code is made available to the public for use, modification, and distribution, introducing certain open source risks. This source code is typically developed and maintained collaboratively by a community of contributors. However, it comes with risks, particularly around security vulnerabilities and licensing issues, which are inherent aspects of open source risk. This guide delves into the intricate world of open source software, tracing its origins from a niche concept to a cornerstone of modern digital infrastructure. We’ll explore the transformative journey of open source, its widespread adoption by industry giants, and the unexpected challenges it presents to today’s business leaders.

A Critical Look at Cyber Security Investment

31, Mar 2021 0

Cyber defense is a global whack-a-mole game with hundreds of billions of dollars being invested in offensive and defensive capabilities. After you invest in one area another area of risk

Software Composition Analysis (SCA) vs. Java Über Jars

05, Feb 2021 0

Introduction Über jars are a type of reuseable Java library that applications sometimes (knowingly or not) incorporate into their systems. Über jars are particularly challenging for software composition analysis (SCA) tools to understand because their structure and organization are complex. In this blog post, I explain what über jars are and why they exist, and I provide a mini-benchmark to see how current SCA tools deal with this type of Java library.

1. TLDR 2. Background
2. Why would anyone create an über jar in the first place?
3. Über jars are a challenge for SCA
4. Quick Competitive Check

Scanning .NET and NuGet projects for known vulnerabilities

03, Sep 2020 0

Are you scanning .NET and Nuget software for security vulnerabilities accurately? We have tested 7 tools! Find out more with this comprehensive comparison.

Introducing CodeGreen for Bitbucket

06, Jul 2020 0

In this post, you will learn how to improve your application security within hours after you install CodeGreen at your local Bitbucket administrator. _Recommended pre-reading: _Intro to SCA – Software Composition Analysis (mergebase.com) Atlassian Marketplace Link: MergeBase CodeGreen (marketplace.atlassian.com) Introduction One of the main challenges with known vulnerabilities is how they mess with standard software lifecycles. A lot of traditional quality engineering relies on the old saying, “if it’s not broken, don’t touch it.” Known vulnerability announcements for popular open source libraries completely go against that since they are discovered and announced more or less at random. A good known-vulnerability SCA solution needs to deal with three very different cadences through which known vulnerabilities will manifest themselves in your software:

The “Upgrade Problem” with Open Source Software Vulnerabilities

04, Jan 2020 0

Why do we need a Software Composition Analysis tool against open source software vulnerabilities? Well, that is a long story: Commercial and industrial software is now primarily constructed from components. Open source components, to be exact. Open source software licenses dramatically decrease business frictions that arise from incorporating and integrating software developed by external entities. No more contract negotiation or in-house legal review! Add to this the fact that many software use cases are more or less identical across systems: HTTP connectivity, encryption, spell checking, transaction management, database object mapping, unit testing, etc. The end result is predictable: in less time than it takes to read the 2-clause BSD open source software license, your developers are copying externally developed software libraries into your proprietary systems.

Preventing Git Rebase Fights

04, Jun 2018 0

In this article: 1. What’s a Git Rebase Fight? 2. Solution: Optimistic Build Status Propagation 3. What Causes Git Rebase Fights? 4. Triple-Dot-Diff and “git patch-id” What’s a Git Rebase Fight? Have you ever experienced this situation?

1. You go to merge your PR (pull-request), but the PR says it must be rebased before you can merge.
2. You rebase it, which kicks off a new build. But the build must complete before you’re allowed to merge.
3. The build completes! Yay! But while you were waiting, someone else managed to merge their PR, updating origin/master with their work. Uh oh!

Git V: An Optimal Git Branching Model

04, Jun 2018 0

In this blog post: Primary Mechanics of Git V Off Stage Mechanics How To Implement Git V How To Implement Git V with Bitbucket Server Git V – FAQ Comparison: Git V vs. Git Flow Comparison: Git V vs. Release Flow (Microsoft) Comparison: Git V vs. Linux Branching Model Introduction Git V is a branching model. In other words, it’s a way for teams of humans working in parallel on software to serialize their work into useful and organized streams of commits. At a high level, Git V divides work into two primary streams: destabilizing work (master) and stabilizing work (release branches).

DOING GIT PULL WRONG

07, Mar 2018 0

Too much fun with “git pull –rebase” Note: this article refers to “git pull -r” and “git pull –rebase” interchangeably. They are the same command, except the merge-preserving variation can only be specified via the long form: git pull –rebase=preserve In this article: 1. Investigating ‘git pull –rebase’ 2. The Experiment 3. Preconditions 4. Conclusion: Time To Revise The Golden Rule Introduction I’ve long known that “git pull –rebase” reconciles the local branch correctly against upstream amends, rebases, and reorderings. The official “git rebase” documentation attests to this: ‘Note that any commits in HEAD which introduce the same textual changes as a commit in HEAD.

Load More