Apiiro Unveils Open Source Software Toolkit to Combat Dependency Confusion Attacks


TEL AVIV and NEW YORK, November 9, 2021 /PRNewswire/ — Apiiro, the leader in application risk management, today announced the release of the Dependency Combobulator, a modular and extensible open-source toolkit for detecting and preventing dependency confusion attacks. The Dependency Combobulator enables organizations to guard against this newly discovered type of risk, which has grown this year into a key vector for supply chain attacks targeting the dependencies within software packages. This new solution is an essential part of Apiiro’s multi-faceted approach to securing the software development lifecycle against direct and supply chain attacks.

Dependency confusion undermines the open source software (OSS) ecosystem by tricking end users, developers, and automation systems into installing a malicious dependency instead of the correct one they intended to install, which compromises their software.

Apiiro’s Dependency Combobulator enables a flexible approach to analyzing and automating release workflows that can be evaluated against different sources, such as GitHub Packages, and can be extended to take additional registries such as JFrog Artifactory into account. Unlike existing solutions, Apiiro’s Dependency Combobulator, intended for use by AppSec practitioners, is a Python-based toolkit that supports both the npm and Maven package management schemes out of the box, while allowing easy extension to other package management systems. Its extensibility allows organizations to adapt quickly to new types of dependency attacks.

The toolkit uses a heuristic engine that works on an abstract package model, providing easy extensibility so that additional information about individual packages can be incorporated into its decisions. This depth and flexibility improves decision making by application security practitioners and penetration testers.
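To make the idea of a heuristic engine over an abstract package model concrete, here is an added illustration in Python. It is not the Dependency Combobulator's own code: the "acme" internal naming convention, the registry contents and the package.json are constructed for the example, and registry lookups are simulated in memory so it runs offline. Each rule is an independent branch, which is what makes this style of checker easy to extend with new heuristics.

```python
"""Heuristic dependency-confusion checker for an npm manifest.

Illustrative code added to this page; it is not the Dependency Combobulator's
own implementation. The manifest is parsed once, each dependency is resolved
against a private and a public registry, and a set of independent rules emit
findings. Registry lookups are simulated with constructed in-memory data.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical internal naming conventions for an organization called "acme".
INTERNAL_SCOPE = "@acme/"
INTERNAL_PREFIX = "acme-"

# Constructed stand-ins for registry metadata: package name -> published versions.
PRIVATE_REGISTRY: Dict[str, List[str]] = {
    "@acme/auth-core": ["1.2.0", "1.3.1"],
    "acme-logging": ["0.9.0"],
}
PUBLIC_REGISTRY: Dict[str, List[str]] = {
    "lodash": ["4.17.20", "4.17.21"],
    "acme-logging": ["99.0.0"],   # constructed: same name, far higher version publicly
    "acme-metrics": ["0.0.1"],    # constructed: internal-looking name, public only
}

# Constructed package.json for the checks to run over.
SAMPLE_PACKAGE_JSON = """{
  "name": "acme-web",
  "dependencies": {
    "lodash": "^4.17.21",
    "@acme/auth-core": "^1.3.0",
    "acme-logging": "*",
    "acme-metrics": "^0.0.1"
  },
  "devDependencies": {
    "@acme/test-utils": "^2.0.0"
  }
}"""


@dataclass
class Finding:
    package: str
    heuristic: str
    severity: str
    detail: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Order versions by their leading dotted-numeric part ("1.10.0" > "1.9.3")."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(part) for part in match.group(0).split(".")) if match else (0,)


def looks_internal(name: str) -> bool:
    """Does the name follow the organization's internal naming convention?"""
    return name.startswith(INTERNAL_SCOPE) or name.startswith(INTERNAL_PREFIX)


def check_package(name: str, spec: str) -> List[Finding]:
    """Apply each heuristic to one dependency; adding a rule means adding a branch."""
    findings: List[Finding] = []
    private_versions = PRIVATE_REGISTRY.get(name)
    public_versions = PUBLIC_REGISTRY.get(name)

    if looks_internal(name):
        if private_versions and public_versions:
            newest_private = max(private_versions, key=parse_version)
            newest_public = max(public_versions, key=parse_version)
            # A resolver that takes the highest version across registries would pick the public copy.
            if parse_version(newest_public) > parse_version(newest_private):
                findings.append(Finding(name, "public-version-shadows-private", "high",
                                        f"public {newest_public} outranks private {newest_private}"))
            else:
                findings.append(Finding(name, "name-collision", "medium",
                                        f"public copy exists ({newest_public}); pin the registry for this name"))
        elif public_versions:
            findings.append(Finding(name, "internal-name-resolves-public-only", "high",
                                    "internal-looking name is absent from the private registry but present publicly"))
        elif private_versions:
            findings.append(Finding(name, "public-name-unclaimed", "low",
                                    "private-only name; reserve it publicly so nobody else can register it"))
        else:
            findings.append(Finding(name, "unresolvable", "info", "name found in neither registry"))

    # Unpinned specs widen the set of versions a newly published release could satisfy.
    if spec.strip() in ("", "*", "latest") or spec.startswith(">="):
        findings.append(Finding(name, "unpinned-spec", "medium",
                                f"version spec {spec!r} accepts any newer release"))
    return findings


def check_manifest(manifest_text: str) -> List[Finding]:
    """Parse a package.json string and run every heuristic over its dependency sections."""
    manifest = json.loads(manifest_text)
    findings: List[Finding] = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            findings.extend(check_package(name, spec))
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_PACKAGE_JSON):
        print(f"[{finding.severity:6}] {finding.package}: {finding.heuristic} - {finding.detail}")
```

In a real pipeline the two dictionaries would be replaced by lookups against the organization's private registry and the public npm registry, and the "highest version wins" assumption should be replaced by whatever the resolver in use actually does. The standard mitigation the low-severity finding points at is to publish internal packages under a scope that `.npmrc` maps to the private registry, so a public package of the same name is never consulted.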

The Dependency Combobulator is pluggable and can be integrated into an organization’s application security program and release cycle in an automated way. It can be connected at multiple points within an enterprise software development lifecycle, providing actionable insights that fit multiple use cases, and can be expanded to support others as dependency attacks evolve.

“In the wake of security researcher Alex Birsan’s move to compromise the ecosystems maintained by Apple, Microsoft and PayPal earlier this year, the industry saw an outbreak of similar supply chain attacks,” said Moshe Zioni, vice president of security research at Apiiro. “We were eager to respond by creating a toolkit that can mitigate similar threats and be flexible and extensible enough to combat future waves of dependency confusion attacks. Addressing this attack vector is critical for organizations to successfully secure their software supply chains.”

For more, join Moshe Zioni, virtually or in person, at Black Hat Europe 2021, where he will discuss and demonstrate the Dependency Combobulator in several speaking sessions on November 10 and 11.

About Apiiro
Apiiro is the industry’s first Code Risk Platform™ to provide application risk management at every change, from design to code to cloud. Apiiro reinvents the secure development lifecycle for Agile and cloud-native development and gives organizations a 360° view of security and compliance risks across applications, infrastructure, developer insights and business impact. Apiiro is backed by Greylock and Kleiner Perkins. www.apiiro.com

Kelly room
Offleash PR for Apiiro
[email protected]

SOURCE Apiiro Ltd.
