Apiiro unveils open source software toolkit to combat dependency confusion attacks


TEL AVIV and NEW YORK, November 9, 2021 / PRNewswire / – Apiiro, the leader in application risk management, today announced the release of Dependency Combobulator, a modular and extensible open source toolkit for detecting and preventing dependency confusion attacks. Dependency Combobulator helps organizations guard against this recently identified class of risk, which has grown this year into a key driver of supply chain attacks that target the dependencies inside software packages. The new toolkit is part of Apiiro’s multidimensional approach to securing the software development lifecycle against both direct and supply chain attacks.

Dependency confusion compromises the open source software (OSS) ecosystem by tricking end users, developers and automation systems into installing a malicious dependency in place of the legitimate one they intended to install, thereby compromising their software. In the typical case, an attacker publishes a package to a public registry under the same name as an organization’s private, internal package, and the package manager resolves the public copy (often because it carries a higher version number) instead of the private one.

Apiiro’s Dependency Combobulator takes a flexible approach to analyzing and automating publishing workflows: packages can be evaluated against different sources, such as GitHub Packages, and the toolkit can be extended to take additional registries such as JFrog Artifactory into account. Unlike legacy solutions, the Dependency Combobulator, intended for use by AppSec practitioners, is a Python-based toolkit that supports the npm and Maven package management schemas out of the box, while allowing easy extension to other package management systems. It is designed to scale so that organizations can quickly adapt to new types of dependency attacks.

The toolkit’s heuristic engine operates on an abstract package model, which makes it easy to extend with additional information about individual packages. This depth and flexibility lead to better decision making by application security practitioners and penetration testers.
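As an illustration of what a heuristic engine over an abstract package model looks like, the following added example (written for this page, not Apiiro’s Dependency Combobulator code) normalizes npm and Maven dependencies into one record type, then applies a few dependency-confusion heuristics: does the private name also exist on a public registry under an untrusted publisher, would the public version outrank the private one during resolution, is the public copy newly published, and is the npm name unscoped. The package names, registry contents, publisher names and heuristic labels are all constructed for the example; a real implementation would query the registries instead of reading from an inline dictionary.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# --- Abstract package model shared by both ecosystems (constructed for this example) ---

@dataclass(frozen=True)
class Package:
    ecosystem: str  # "npm" or "maven"
    name: str       # npm: "acme-auth" / "@acme/ui"; maven: "groupId:artifactId"
    version: str    # version pinned in the private registry or lockfile

@dataclass
class Finding:
    package: Package
    heuristics: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        h = set(self.heuristics)
        if {"public-name-collision", "public-version-wins"} <= h:
            return "high"    # a naive resolver will pick the attacker's public package
        if h & {"public-name-collision", "unclaimed-public-name", "unscoped-npm-name"}:
            return "medium"  # confusable today or trivially claimable by an attacker
        return "low"

def parse_version(v: str) -> tuple:
    # Constructed: handles plain MAJOR.MINOR.PATCH (pre-release suffix dropped).
    # Real semver / Maven ordering is richer; use a proper library in production.
    return tuple(int(p) for p in v.split("-")[0].split("."))

# --- Constructed inputs standing in for a manifest and two registry lookups (no network) ---

MANIFEST = [
    Package("npm", "acme-auth", "1.4.2"),         # internal, unscoped
    Package("npm", "@acme/ui", "2.0.0"),          # internal, scoped, org owns the scope
    Package("maven", "com.acme:billing", "3.1.0"),# internal, not present publicly
    Package("npm", "lodash", "4.17.21"),          # genuinely public dependency
]
PRIVATE_NAMES = {("npm", "acme-auth"), ("npm", "@acme/ui"), ("maven", "com.acme:billing")}
PUBLIC_REGISTRY = {
    ("npm", "acme-auth"): {"latest": "99.0.0", "publisher": "unknown-user", "age_days": 3},
    ("npm", "@acme/ui"):  {"latest": "2.0.0",  "publisher": "acme-ci",      "age_days": 400},
    ("npm", "lodash"):    {"latest": "4.17.21", "publisher": "jdalton",     "age_days": 900},
}
TRUSTED_PUBLISHERS = {"acme-ci"}  # accounts allowed to publish the org's names publicly

# --- Heuristic engine ---

def check(pkg: Package, private_names: set, public_registry: dict,
          trusted_publishers: set) -> Finding | None:
    """Return a Finding for an internal package, or None for a public-only dependency."""
    if (pkg.ecosystem, pkg.name) not in private_names:
        return None  # not ours; dependency confusion concerns private names only
    finding = Finding(pkg)
    public = public_registry.get((pkg.ecosystem, pkg.name))
    if public is None:
        # Name is free on the public registry: an attacker can register it.
        finding.heuristics.append("unclaimed-public-name")
    elif public["publisher"] not in trusted_publishers:
        finding.heuristics.append("public-name-collision")
        if parse_version(public["latest"]) > parse_version(pkg.version):
            finding.heuristics.append("public-version-wins")
        if public["age_days"] < 30:
            finding.heuristics.append("recently-published")
    if pkg.ecosystem == "npm" and not pkg.name.startswith("@"):
        finding.heuristics.append("unscoped-npm-name")
    return finding

def run_checks(manifest: list, private_names: set, public_registry: dict,
               trusted_publishers: set = TRUSTED_PUBLISHERS) -> dict:
    """Map each internal package name to its Finding."""
    results = {}
    for pkg in manifest:
        finding = check(pkg, private_names, public_registry, trusted_publishers)
        if finding is not None:
            results[pkg.name] = finding
    return results

if __name__ == "__main__":
    for name, f in run_checks(MANIFEST, PRIVATE_NAMES, PUBLIC_REGISTRY).items():
        print(f"{f.risk:6} {name:20} {', '.join(f.heuristics) or '-'}")
```

On the constructed data, `acme-auth` is rated high because an untrusted account holds the public name with a version that outranks the private one, `com.acme:billing` is medium because nobody has claimed the public name, and `@acme/ui` stays low because the public copy was published by a trusted account. Scoping npm packages and pinning registries per scope or group removes the ambiguity the resolver would otherwise exploit.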

The Dependency Combobulator is pluggable and can be integrated into an enterprise’s application security program and release cycle in an automated fashion. It can be connected at multiple interaction points within an enterprise software development lifecycle, providing actionable insights for several use cases and scaling to support new ones as dependency attacks evolve.

“In the wake of security researcher Alex Birsan’s research compromising ecosystems maintained by Apple, Microsoft and PayPal earlier this year, the industry experienced an epidemic of similar supply chain attacks,” said Moshe Zioni, vice president of security research at Apiiro. “We were eager to respond by creating a toolkit that can mitigate similar threats and is flexible and scalable enough to combat future waves of dependency confusion attacks. Tackling this attack vector is essential for organizations to be successful in securing their software supply chains.”

To learn more, join Moshe Zioni, virtually or in person, at Black Hat Europe 2021, where he will discuss and demonstrate the Dependency Combobulator in several speaking sessions on November 10 and 11.

About Apiiro
Apiiro is the industry’s first Code Risk Platform™ to provide application risk management with every change, from design to code to cloud. Apiiro reinvents the secure development lifecycle for Agile and cloud-native development and gives organizations a 360° view of security and compliance risks across applications, infrastructure, developer insights and business impact. Apiiro is backed by Greylock and Kleiner Perkins. www.apiiro.com

Contact:
Kelly Room
Offleash PR for Apiiro
[email protected]

SOURCE Apiiro Ltd.
