How to Boost Confidence in Your Open Source Security with Mend Smart Merge Control

Modern applications are hugely dependent on open-source software. 80 percent of most organizations’ apps and code base is now open source, in some cases more. While this is great for swift development and innovation, it increases the possibility of vulnerabilities arising that bad actors can exploit, and it expands the potential attack surface.

To maintain robust application security, it’s critical for developers and security teams to keep pace with a rapidly changing code base full of open source components. How can they be confident that they’re doing so? Mend.io has the answer with enhancements to Mend SCA that allow you to enjoy a completely automated process of updating open source packages with the highest confidence.

Let’s take a look at the problems this enhancement addresses and how it helps you maximize your confidence in your open source security.

The challenge

Developers and security professionals agree that applications are more secure when they are using up-to-date dependencies, but it is a task that is easier said than done. That’s partly because dependencies are increasing and updates have become more frequent, with no sign of the trend reversing. As the number of dependencies and potential updates soars, manual methods become increasingly unworkable, requiring “triage” that ignores many updates and begins to accumulate security debt in the form of out-of-date dependencies.

Automated testing and remediation go a long way toward alleviating this problem. Tools like Mend Renovate ushered in an era of “dependency automation” and have been adopted by many high-performance development teams. However, even with project-level automation, staying up to date can still take significant developer time. Teams whose projects lack a strong test suite may feel uncertain about updating dependencies and therefore fall increasingly out of date compared to others.

Furthermore, most applications don’t have a level of testing that is good enough to rely on automated testing and deployment. Even if they do, most companies don’t test the inner workings of external dependencies. As such, it can be hard to trust whether an update to an external dependency will break the application. This leads to manual testing, which adds developer overhead and slows down the process of updating dependencies.

With the large number of updates that Renovate can generate, manually testing and deploying all of them can be overwhelming. Existing grouping mechanisms help, but they don’t eliminate the problem of untrusted updates: a single untrusted update can render an entire group of updates useless.

Consequently, projects tend to fall behind on dependency updates through a combination of a lack of confidence in project tests and a lack of resources to review updates, and as they fall behind, the risk of future security problems increases.

The need

So, clearly what Mend.io customers need is something that simplifies and accelerates the process of updating dependencies. It has to be easy to use so that developers will be happy to adopt it, and it has to make life easier for them by facilitating their ability to accept updates and apply valuable fixes to security issues as quickly and as easily as possible. Such a solution will result in a better application security posture because it will:

  • Save significant time and resources for projects which have already embraced dependency automation
  • Lower the barrier to entry for other projects to adopt dependency automation
  • Bring you up-to-date with dependencies, which is the best way to be prepared to respond to open source security vulnerabilities

The solution: Mend SCA – Now with Smart Merge Control

Mend SCA now addresses these concerns by allowing developers to manage updates based on a “merge confidence” value which expresses the confidence that Mend.io has that a given update will merge into an application without breaking a build.

This confidence value is crowd-sourced from the large number of developers who are using Mend Renovate, the world’s most popular automated dependency update bot, and is generated by monitoring the success of pull requests that contain each specific update. The idea is that a bad update will fail for a statistically significant number of projects, and Mend.io can mark the update with “Low” confidence. Updates that repeatedly merge successfully will generate a merge confidence of “High” or “Very High”. And those updates that are quite new, or for which we don’t have enough confidence data, are marked as “Neutral”. Over time, as more data is gathered, the confidence moves away from neutral and stabilizes on either low, high, or very high.

Mend.io is the first company to allow users to define Smart Merge Control based on crowd-sourced information to provide near real-time information about whether dependency updates are likely to break a build. This is the first time users will be able to manage updates based on their confidence level. Other vendors can provide information about the CVEs in an update, but none can advise whether the update will merge easily with a codebase.
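As an added illustration (not configuration from the Mend post or from the Renovate project itself), this is how the confidence levels described above are typically acted on in a Renovate configuration: Renovate’s `packageRules` support a `matchConfidence` matcher, so high- and very-high-confidence patch and minor updates can be automerged while low-confidence updates are held for explicit approval on the dependency dashboard. It assumes a repository on which Renovate runs with access to Mend’s merge-confidence data.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Automerge patch/minor updates that crowd-sourced data marks as high or very high confidence",
      "matchUpdateTypes": ["patch", "minor"],
      "matchConfidence": ["high", "very high"],
      "automerge": true
    },
    {
      "description": "Neutral confidence (new or insufficient data): open the PR, but leave the merge to a human reviewer",
      "matchConfidence": ["neutral"],
      "automerge": false
    },
    {
      "description": "Low confidence: do not open a PR until someone approves it from the dependency dashboard",
      "matchConfidence": ["low"],
      "dependencyDashboardApproval": true
    }
  ]
}
```

Major updates are deliberately left out of the automerge rule, so they still go through the normal review path regardless of confidence.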

This is yet another first for Mend.io. We were the first company to offer automated pull requests for open source vulnerabilities. We were the first to provide reachability path analysis. Now we are the first to completely automate the process of updating open source packages with confidence that the updates will be successful.

Keep reading: https://go.mend.io/43NdgNd
