That’s why we’re excited to announce a new version of Mend for Containers. This set of features allows you to scan container images and registries at scale, provides runtime vulnerability prioritization for Kubernetes clusters, and protects cloud-native applications from vulnerabilities and license risks throughout the SDLC – from code to cloud.

Mend for Containers is built to help your DevSecOps team:

Identify threats faster. There’s an old adage that goes something like: in cybersecurity, the early bird doesn’t get the worm. Identify threats before deployment, when security concerns are cheaper and easier to address. With Mend for Containers, your team can scan while images are still in production and trace vulnerabilities in security images back to their source repository to pinpoint their origin and accelerate the remediation loop.

Prioritize remediation. DevSecOps teams when they hear Jay-Z has 99 problems: must be nice. Get the biggest bang for your security buck by fixing what counts the most. Mend for Containers includes EPSS scores so you can understand your container risk at scale and  prioritize vulnerabilities.

Enforce your policies. Your house, your rules. Great security policies are key to keeping organizations safe but they don’t do any good if they’re not enforced. Mend for Containers gives you greater control over your policies and lets you automatically allow or reject container images based on their level of risk, preventing your team from deploying container images that don’t meet production standards for quality and security.

Discover license dependency issues. Oi, mate, you got a license for that software? Keeping track of open-source license compliance can be a headache even on smaller projects and, unsurprisingly, that headache scales. Mend for Containers includes license detection to help you discover dependency license issues introduced in operating system packages.

Keep your secrets safe. Secrets aren’t secrets if you tell everyone. Mend for Containers includes secret detection for container images so you can ensure secrets are appropriately stored before deployment and prevent supply chain attacks.

Stay secure across the entire SDLC. An ounce of prevention is worth 300 bitcoin of cure. It’s been proven time and time again that a holistic attitude is the most effective risk reduction approach for cloud-native applications. Mend for Containers helps you find and remediate risks as they are introduced, including protection from vulnerabilities introduced after pipeline AppSec scanning is complete and Kubernetes (k8s) cluster monitoring of images at runtime. This means visibility on what is actually running, allowing for better prioritization and the ability to maintain high security standards throughout the SDLC, even post-deployment.

Navigating application security for cloud-native software is complex business, and we’re here to help. Mend for Containers is a robust set of enhancements that brings our leading detection and prioritization capabilities to container images and registries, assisting you and your team in reducing risk across the SDLC.

To maintain robust application security, it’s critical for developers and security teams to keep pace with a rapidly changing code base full of open source components – but how can they be confident that they’re doing so? Now, Mend.io has the answer, with enhancements to Mend SCA that allow you to enjoy a completely automated process of updating open source packages along with the highest confidence that these updates will be successful.

Let’s take a look at the problems this enhancement addresses and how it helps you maximize your confidence in your open source security.

The challenge

Developers and security professionals all agree that applications are more secure when they are using up-to-date dependencies, but it is a task that is easier said than done. That’s partly because dependencies are becoming more numerous and updates have become more frequent, with no sign of the trend reversing. As the number of dependencies and potential updates soar, manual methods become increasingly unworkable, requiring “triage” that ignores many updates and begins to accumulate security debt in the form of out-of-date dependencies.

Automated testing and remediation go a long way toward alleviating this problem. Tools like the Mend Renovate bot ushered in an era of “dependency automation” and have been adopted by many high-performance development teams. However, even with project-level automation, staying up to date can still take significant developer time. Teams with projects lacking a strong test suite may feel uncertain about updating dependencies, therefore becoming increasingly out-of-date compared to others.

Furthermore, most applications don’t have a level of testing that is good enough to rely on automated testing and deployment. Even if they do, most companies don’t test the inner workings of external dependencies. As such, it can be hard to trust whether an update to an external dependency will break the application. This leads to manual testing, which adds developer overhead and slows down the process of updating dependencies.

With the large number of updates that can be generated by Renovate, it can be overwhelming trying to manually test and deploy all the updates. Existing grouping mechanisms can help, but don’t eliminate the problem of untrusted updates, which can cause an entire group of updates to be useless.

Consequently, projects tend to fall behind on dependency updates through a combination of a lack of confidence in project tests, and a lack of resources to review updates, and in doing so, the risk of future security problems increases.

The need

So, clearly what Mend.io customers need is something that simplifies and accelerates the process of updating dependencies. It has to be easy to use so that developers will be happy to adopt it, and it has to make life easier for them by facilitating their ability to accept updates and apply valuable fixes to security issues, as quickly and as easily as possible. Such a solution will result in a better application security posture because it will:

• Save significant time and resources for projects which have already embraced dependency automation
• Lower the barrier to entry for other projects to adopt dependency automation
• Bring you up-to-date with dependencies, which is the best way to be prepared to respond to open source security vulnerabilities

The solution: Mend SCA – Now with Smart Merge Control

Mend SCA now addresses these concerns by allowing developers to manage updates based on a “merge confidence” value, which expresses the confidence that Mend.io has that a given update will merge into an application without breaking a build.

This confidence value is crowd-sourced from the large number of developers who are using Mend Renovate, the world’s most popular automated dependency update bot, and is generated by monitoring the success of pull requests that contain each specific update. The idea is that a bad update will fail for a statistically significant number of projects, and Mend.io can mark the update with “Low” confidence. Updates that repeatedly merge successfully will generate a merge confidence of “High” or “Very High”. And those updates that are quite new, or for which we don’t have enough confidence data, are marked as “Neutral”. Over time, as more data is gathered, the confidence moves away from neutral and stabilizes on either low, high, or very high.

Mend.io is the first company to allow users to define Smart Merge Control based on crowd-sourced information to provide near real-time information about whether dependency updates are likely to break a build. This is the first time users will be able to manage updates based on their confidence level. Other vendors can provide information about the CVEs in an update, but none can advise whether the update will merge easily with a codebase.

This is yet another first for Mend.io. We were the first company to offer automated pull requests for open source vulnerabilities. We were the first to provide reachability path analysis. Now we are the first to completely automate the process of updating open source packages with confidence that the updates will be successful.

The benefits of Smart Merge Control

The MCW enhancement makes it easier to keep open source software packages up-to-date. It’s significant for developers because it allows them to leverage Mend.io’s Merge Confidence scoring to reduce the amount of effort it takes to stay up-to-date. Even a small application can easily utilize a large number of open source dependencies that require regular updating. Without information about whether an update can be trusted, each update must be tested. Using Smart Merge Control, a developer can filter for just the most trusted updates and have them automatically applied. This significantly reduces the burden for developers to maintain good dependency health for their applications.

From a security perspective, it’s another tool in the fight against hackers. By making it easier to accept updates to dependencies, MCW results in applications more frequently receiving security fixes, and as it increases the adoption of updates, applications will become more secure. It also means that updates will be applied sooner, so attackers have less time to exploit each discovered vulnerability. Plus, the resulting reduction of technical debt means security managers will feel more confident that developers can quickly react to any urgent vulnerability announcement that might happen in the future without breaking their applications (which is, of course, bad for business). 

At a glance, MCW’s key benefits for users are:

MCW takes Mend SCA automated dependency updates to the next level

For several years, Mend SCA has been the gold standard for open source security. Our main focus has been on detecting vulnerabilities and helping developers very efficiently remediate them. In recent years, we pioneered capabilities such as automated pull requests, scan on commit, reachability path analysis, and many more. Our ability to integrate with DevOps tool chains (also known as DevSecOps) has won us the business of many large customers. And recently we published research showing that customers who integrate Mend SCA with their code repositories reduce their mean time to remediation (MTTR) by 74% and fix three times as many vulnerabilities in any given time period.

Now, we are raising the bar for software composition analysis by adding automated dependency workflows to Mend SCA. We believe this provides significant security value, even though many dependency updates have nothing specifically to do with vulnerability management. 

The easier it is for developers to update the dependencies in their applications, the more updates an application will receive – and the less security debt will be accumulated due to out-of-date components. Automation overcomes the time-consuming and onerous process of manual dependency testing.

Mend SCA now offers a rich set of capabilities that allow developers to configure how updates are delivered, helping them to manage this otherwise daunting task of maintaining dependency health. 

The AppSec Risk Assessment Program pairs organizations with a Mend.io cybersecurity expert who will scan their applications, evaluate their risk, and provide prioritized remediation advice based on the most serious sources of risk present in their applications. 

Leveraging Mend.io’s SAST (static application security testing), SCA (software composition analysis), Supply Chain Defender, and Renovate technologies, the assessment has a holistic perspective that allows organizations to prioritize risks from multiple sources.

The Mend.io AppSec Risk Assessment Program can evaluate a range of risks, including:

• Open-source vulnerabilities (CVEs), including critical vulnerabilities
• Custom code weaknesses
• Out-of-date dependencies, including components that are more than three versions out of date
• Malicious packages—also known as open-source malware—an emerging area of risk with serious potential for exfiltration of confidential data
• Open-source licensing issues that could present costly legal risks

During the assessment process, the cybersecurity expert from Mend.io will offer suggestions for prioritized remediation to quickly reduce risks in the application being assessed. After the assessment period is complete, organizations will receive a comprehensive overview of the risk assessment results, including remediation advice. 

The Mend.io Application Risk Assessment Program is available with no cost or obligation to qualifying organizations. 

Shifting left

The traditional, sequential “waterfall” method of security scanning software is logical, but decreasingly efficient when used in rapid modern development pipelines. Scanning for security defects at the later stages of development, when the product is all but complete, is costly and time-consuming if flaws are found and need to be addressed. That’s because developers will then need to return to earlier stages of the development process, to find where the flaw is introduced, and fix it. It’s a cumbersome process that pits security requirements against developers’ priority to ship products fast.

Developers don’t want security to impede development. That’s where shifting left comes in. It involves scanning code earlier in the development process and throughout this process, rather than just at the end, thereby enabling developers to detect, identify, and fix vulnerabilities as they proceed. The fixes are incremental, and therefore smaller and quicker to implement, which makes for a more agile security process that works seamlessly within the software development life cycle (SDLC). And the best place for this to happen is in the repository.

Why scan in the repository?

It stands to reason that a great place to scan software, its components, and their dependencies, is where code sources and software packages are stored — the repository. By doing so, developers can check and fix code earlier and quicker. They can get instant feedback and make changes to their code before any issues get merged. And if this process is fully integrated into their workflow, they can achieve this more easily because there’s no need to switch between user interfaces to conduct security scanning and take remedial action. The traditional barriers of time, effort, and resources that accompany the waterfall methodology are removed, especially when the process can be automated. Prioritizing and fixing problems earlier in development can dramatically reduce the security burden for developers.

Benefits

Scanning in the repository yields the following benefits:

• Ease. The earlier you scan by shifting left, the more incremental and the smaller the changes.
• Speed. When developers get instant feedback, they can act upon it faster and remediate vulnerabilities more quickly.
• Agility. Security processes are integrated into the way developers work. There’s no need for them to switch to different tools and learn a new user interface, so they can scan and take action more decisively and with less friction.
• Automation. When the process is automated, ease, speed, and agility are optimized. Vulnerabilities can be most efficiently prioritized and remediated, without interrupting developers’ workflow or slowing their productivity.
• Overcomes weaknesses of other SDLC integrations. Scanning and testing can be done with browser integration, integrated development environment (IDE) integration, and continuous integration/continuous delivery (CI/CD) integration but there are drawbacks to each.  Usage or policies cannot be enforced in browser and IDE integrations, while scanning at the CI/CD phase is later in the process, making it harder and more expensive to fix vulnerabilities.
• Increases adoption by putting developers first. For developers to embrace security scanning and remediation, it must be as simple and seamless as possible. Scanning at the repository enables them to easily perform these processes within their native environments. They’re less likely to neglect security in the interest of productivity, and they’re more likely to adopt security best practices when it’s made easy for them to do so.

Mend’s native integrations for developers

Mend helps organizations increase developers’ productivity while improving the security of their software and applications. By enabling them to scan applications in the repository as part of their regular workflow, they can keep code and components secure within their environments throughout the SDLC. We offer native integrations for developers that empower them to secure products, faster, and these include integrations with the leading repositories, such GitHub, GitLab, BitBucket Cloud, and Azure DevOps.

With the release of our new Bitbucket Cloud integration in the Atlassian Marketplace, Mend now makes it possible for developers to find and eliminate vulnerabilities, all while staying in their Bitbucket Cloud repositories.

Designed from the start to keep overall burden on developers low, Mend’s integration also scales and deploys rapidly while giving compliance and security leaders highly configurable control over their open source risk.

Instead of requiring a separate security tool, developers now can work entirely within Bitbucket Cloud, keeping their code secure with minimal impact on their workflow.

For organizations using Bitbucket Cloud, repository scanning with Mend’s new integration represents a significant improvement over scanning at a later point in the software development life cycle (SDLC).

“When open source code began to be recognized as a source of risk, organizations started looking to identify that risk in their CI/CD pipelines,” says Jeffrey Martin, vice president of product at Mend. “That still represented a substantial ‘shift left’ from patching code after release. Now, by shifting left even further, into the repository, risks can be detected and remediated earlier and faster.”

When developers commit code to their Bitbucket Cloud repository, Mend SCA scans their changes to identify any newly introduced risks. Martin says those risks can take several forms: “Mend can detect CVEs in direct and transitive dependencies, and it will make sure you know how severe those issues are,” he says. “We can also identify when developers are bringing in code that uses open source licenses their organization doesn’t want to use -– and we can block that code from becoming part of the application before it’s ever committed.”

Using Mend’s rapid rollout capabilities, organizations using Bitbucket Cloud can deploy and start seeing benefits from Mend SCA within hours. Security and compliance teams can reduce risk fast with 100 percent developer adoption, requiring Mend SCA scans on commit and enforcing policies centrally.

Mend SCA also makes it possible to create software bills of material (SBOMs) directly from the repository, ensuring that compliance and security teams have full visibility into all open source components from an early stage of the SDLC. With full visibility into the entire code base and its components, organizations can rapidly discover whether newly discovered zero-day vulnerabilities impact the applications they sell.

According to Martin, the integration was a natural fit. “Bitbucket Cloud’s customers choose Bitbucket because they want to be able to stay in one set of tools consistently,” he says. “We’ve developed this integration to add security and real risk reduction without compromising Bitbucket Cloud’s main value to the developer -– being able to do more without having to constantly switch back and forth between tools.”

In order to use the new Mend SCA integration for Bitbucket Cloud, organizations will need to already have a Bitbucket license, as well as a license for Mend SCA Enterprise (the Bitbucket Cloud integration is not offered with Mend SCA Teams). Contact your Mend representative for more information on making security fast and easy within Bitbucket Cloud.

For more information, contact your Mend representative.