Learning From History: AI Gender Bias
https://www.mend.io/blog/learning-from-history-ai-gender-bias/ (Wed, 27 Mar 2024 13:04:47 +0000)

March 8th was International Women’s Day; here in the U.S., the entire month of March is Women’s History Month. It’s a good time to talk about AI gender bias, specifically in large language models (LLMs). Why? Because one of the biggest hurdles to achieving unbiased artificial intelligence (AI) is, well, history; specifically, historical data about the world and how women have been featured in it.

From data to discrimination

When we train AI models to answer questions like “who would be a good candidate for this job?”, we have to feed them some existing data to learn from, such as the resumes of people who were good hires in the past and how long they stayed with the company. Sounds straightforward, right? If you want to filter thousands of resumes to get the most likely great candidates, you should look for the qualities present in the resumes of great employees of the past. But if the job happens to be in a historically male-dominated field (hello, tech sector!), the data may teach the AI model that being male is a positive indicator for a good candidate, and being female is a negative one. That’s exactly what happened at Amazon before they scrapped their project.

Resumes for people in technical roles aren’t the only data set that’s lacking in female representation. Much of the data we have about health, including medicine interactions and symptom expression, comes from studies and records that often exclude women. In 1993, the United States Congress mandated women and minority participation in National Institutes of Health studies, and the U.S. Food and Drug Administration reversed guidelines that excluded women from the early stages of drug trials. Prior to that, almost all health data gathered in America came from men. But even since then, health data parity has not been—and will likely never be—reached. One large source of medical data in the U.S. comes from the U.S. military, and only 17% of members of the armed forces are female.

Not getting a job due to gender discrimination is a terrible thing, but AI biases in health may end up putting women’s lives in danger.

The main reason women were excluded from health studies for so long was that researchers commonly felt that women’s hormone levels were a variable that would be too cumbersome to account for. They figured it wasn’t worth the effort when they could simply extrapolate data they got from men to apply it to women. But women aren’t just smaller men. Differences between the sexes are more than differences in anatomy, and women’s symptoms don’t always manifest the same way as they do in men. Examples of this include cardiovascular disease (particularly signs of heart attacks) and sleep apnea, where women are often mis- or underdiagnosed because their symptoms don’t show up in a “textbook” way. Those looking to build AI models to assist in diagnosing patients will need to account for this.

Data collected from crash test dummies also leaves women out. In a car crash, women are 17% more likely to die and 78% more likely to sustain serious injury. Some of this disparity is inevitable due to women’s lower bone density and muscle mass, but how much is unknown. Car manufacturers are only required to use the “average male” dummy for testing, which means that safety features like seatbelts and airbags are thus tuned to perform well for men, not women. Although one female dummy exists, it is simply a scaled-down version of the male dummy. It does not account for the differences between men and women in bone structure or bone mass, and represents only the bottom 5th percentile of women by height and weight. Testing with the small female dummy is entirely optional and currently only done by a small number of manufacturers. That means that when we focus AI models on the task of designing safe cars for all, they’re going to need more information than we can give them at this time, or they may just design cars that are safer for men with little to no regard to safety performance for women.

Looking to an unbiased future

There is sometimes a hope that AI can take humans “out of the equation” for some tasks and therefore remove bias, but the unfortunate truth is that because AI is human-built using human-collected data, we can’t truly take humans out of the equation. As we strive for equality, it’s important to remember that bias is not only present in data and repeated by models, but can actually be amplified by AI models when deep learning learns outdated notions about men and women too well.

The teams building AI models today almost assuredly do not intend to proliferate bias against women. With proper controls and thoughtful training, gender bias in AI models can be alleviated, if not outright eliminated. Governments, research institutions, non-profits, and corporations are all beginning to see a need to improve their processes for collecting meaningful data pertaining to women. With more and better data, improvement is on the horizon for both AI models and their impact on the lives of women.

Add to Your AppSec Arsenal with Mend.io’s Integration with Secure Code Warrior®
https://www.mend.io/blog/add-to-your-appsec-arsenal-with-mend-ios-integration-with-secure-code-warrior/ (Tue, 24 Oct 2023 13:02:17 +0000)

We’re delighted to announce that Mend.io has launched a new integration with Secure Code Warrior®, a platform that provides secure coding training and tools that help shift developer focus from vulnerability reaction to prevention.

With this integration, Mend.io offers developers access to the security knowledge database of Secure Code Warrior® to help fix security vulnerabilities in their proprietary code. Whenever a developer commits the latest changes to their proprietary code to the repository, Mend SAST checks those changes for security vulnerabilities. For each detected finding, the developer can open the Secure Code Warrior learning sessions and knowledge resources for that vulnerability type with a single click on a link. This enables developers to find and remediate vulnerabilities faster and more easily. It helps minimize the burden of securing code by integrating security within developers’ existing repository workflow, so that they can stay in an environment with which they are familiar.

What does this integration do?

Integrating with Secure Code Warrior® helps educate developers about security, encourages good practices, and drives their adoption by simplifying and facilitating access and use within developers’ workflow. Our integration empowers developers to understand risks and threats better, prioritize those that need addressing first, and help them take preventative measures before any threats become damaging problems.

“Our goals at Mend.io align with Secure Code Warrior® so it’s a natural integration. We’re both focused on promoting robust application security and making it as quick, simple, and seamless as possible for developers to implement. Together, we can amplify the importance of the organization’s security practices and tools, and optimize their use for a better overall user experience, higher productivity, and faster problem remediation that results in a stronger application security posture.”

Vered Shaked, Mend.io EVP, Corporate Development

Special features

Mend SAST with Secure Code Warrior® is fully integrated within the developer code repository, so that developers can perform security procedures from the repo, rather than via links within the vendor web user interface, which is not the preferred environment for developers.

Our solution focuses on differential results only. This means that developers can address the specific security issues that they introduced with their latest code changes and get the relevant training for them. They do not receive a long list of security issues and training links that are irrelevant and that they will never use. Consequently, they can find, learn about, and address the security issues relevant to them, faster and more efficiently.

Mend.io’s solution is housed in the repository, which enables it to perform and be deployed in a controlled and centralized way for all enterprise developers, and it enables managers to easily monitor activity and improvements to code.

Benefits

  • Awareness: Increases developers’ awareness and understanding of the threats to their code and the vulnerabilities therein.
  • Speed: Expedites the ability of developers to find, identify, and fix these vulnerabilities and threats as early as possible in the SDLC, before threats and flaws can become damaging problems.
  • Efficiency: Optimizes developers’ deployment of AppSec strategies and tools, which strengthens your security posture and enhances the effectiveness and efficiency of your AppSec program.
  • Simplicity and adoption: Easy to use within developers’ existing workflow, in their code repository, thereby lowering any barriers to adoption and maximizing its potential for use among developers.
  • Prevention: Encourages a proactive approach to application security, which preempts and prevents issues rather than needing to respond to those that have already hit your codebase.
  • Remediation: Facilitates effective assessment and resolution of detected security problems, enabling a dramatic reduction of software-related risk.
  • Versatility and scalability: A solution that grows with you, so you can successfully meet complex and large-scale application security needs as they emerge.
  • Productivity: All of the above benefits enable your developers to accelerate and enhance their productivity, because the integration will enable them to produce better, more secure software and applications, faster and more confidently. Productivity is also improved by significantly reducing the likelihood of ineffective and inefficient handling of vulnerabilities.

Why is Mend.io launching this integration?

Our mission at Mend.io is to harden your application security and your software supply chain in the most seamless possible ways so you can improve the adoption of security best practices earlier in the software development lifecycle (SDLC). The need to shift security left and shift smart has become increasingly urgent because the volume of software components has expanded massively and deepened in complexity in recent years. This presents a much larger potential attack surface and escalating opportunities for malicious actors to exploit vulnerabilities and attack your codebase with malware.

Shifting left to address these threats requires developers to participate in implementing security strategies by using tools that enable them to do so simply. Successful modern application security can only occur when it’s integrated early into the SDLC and is easy for developers to adopt within their existing workflow. Developers simply won’t use tools that aren’t easy to use or those that require them to interrupt their development cadence, because they’re focused on maintaining productivity.

Mend.io is dedicated to empowering developers to strengthen their software and application security by creating ways to make the process as simple, intuitive, and seamless as possible. This new integration of our SAST product with Secure Code Warrior® is the latest way in which we deliver on this promise.

Announcing the Open-Source Reliability Leaderboard: A New Resource for Preventive AppSec
https://www.mend.io/blog/announcing-the-open-source-reliability-leaderboard-a-new-resource-for-preventive-appsec/ (Thu, 29 Jun 2023 15:07:20 +0000)

We are excited to announce the inaugural edition of the Mend.io Open-Source Reliability Leaderboard! Powered by data from Renovate, the wildly popular open-source dependency management tool, the Leaderboard presents the top packages in terms of reliability across three of the most widely used languages.

The Leaderboard allows the Mend.io team to leverage and share a valuable resource. There is no better arbiter of package reliability than Renovate, which has gathered crowd-sourced data on over 25 million dependency updates. By analyzing which packages consistently release good updates, we built an accurate picture of each package’s overall reliability for software engineers trying to balance functional risk with the security risk imposed by our increasingly vulnerable software supply chain.

“The Leaderboard helps shift the AppSec view from detection to prevention, a valuable perspective for reducing the risk imposed by our increasingly vulnerable software supply chain,” said Rhys Arkins, vice president of product management at Mend.io. “Success hinges on having the knowledge necessary to prevent possible open-source vulnerabilities from ever being installed in the first place. For that to happen, companies need to know not only what packages are in use at their companies, but how safe they are.”

The full report showcases detailed rankings for npm, PyPI, and Maven.

Key findings:

Group runs bring down overall package reliability.

Any fan of the TV show Survivor can tell you that in competition, groups are often hurt by their weakest link, and the same holds true when it comes to group updates. A group of ten packages is ten times more likely to encounter a failure.

Release frequency has no effect on average success rates.

You would think that more frequent releases would improve reliability through faster bug fixes and an engaged maintainer community, but this was not the case.

Looking across the overall categories, the top three most reliable packages for each language are:

npm:

  1. prettier-eslint
  2. np
  3. jest-cli

Maven:

  1. org.apache.maven.scm:maven-scm-provider-gitexe
  2. com.github.ekryd.sortpom:sortpom-maven-plugin
  3. org.apache.maven.plugins:maven-release-plugin

PyPI:

  1. Pulumi
  2. Botocore-stubs
  3. types-python-dateutil

Read the full report

Magic Quadrant™ for Application Security Testing, 2023 Gartner® report
https://www.mend.io/blog/magic-quadrant-for-application-security-testing-2023-gartner-report/ (Tue, 23 May 2023 15:17:06 +0000)

We’re proud to announce that Mend.io has been recognized as a Visionary in the 2023 Gartner Magic Quadrant for Application Security Testing (authors Mark Horvath, Dale Gardner, Manjunath Bhat, Angela Zhao, Ravisha Chugh; May 17, 2023).

According to Gartner, “Magic Quadrant reports are a culmination of rigorous, fact-based research in specific markets, providing a wide-angle view of the relative positions of the providers in markets where growth is high and provider differentiation is distinct.”

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. By applying a graphical treatment and a uniform set of evaluation criteria, a Magic Quadrant helps you quickly ascertain how well technology providers are executing their stated visions and how well they are performing against Gartner’s market view.

You can read the report here and decide for yourself.

The Mend.io difference: Providing true confidence in risk reduction

Our goal is to enable our customers to deliver secure applications and meaningful risk reduction to the enterprise. To do that, we believe that application security must be as unobtrusive as possible. Pushing developers to focus on security has proven to be a losing battle. Instead, we use automation to build trust and reduce risk by automating the prioritization of cloud-native application risk and its mitigation across the entire software supply chain. We believe this is the most impactful way to reduce the attack surface and deliver a secure application.

Mend.io is focused on building a new AppSec reality by 2027, where applications arrive into production free of meaningful security risk — and stay that way — without requiring manual labor or effort from engineering teams. Here’s our strategy:

  • Automation: Mend.io is focused on providing complete automated remediation workflows for both open source and custom code, conveniently shown to the developer in their normal work environment (the source code repository). This includes high-value Merge Confidence data sourced from the real-world experience of millions of Mend Renovate users, allowing developers to avoid adding unexpected functional risk.
  • Protection: We deliver 360-degree protection for malicious packages — blocking them before they can be downloaded and identifying them within existing code bases — powered by the world’s fastest and most accurate malicious package detection engine, which achieved a 100 percent detection rate on RubyGems and a 99.8 percent detection rate on npm over the past two years.
  • Trust: Building trust with developers and security teams through Renovate, our crowd-sourced data platform with more than one billion downloads to date. Our automated recommendations to upgrade versions and fix security flaws can be deployed without manual interaction, within native development workflows, and will not break code. We have hundreds of enterprise customers today relying on our automated fix suggestions. We will continue to leverage our expertise and telemetry on vulnerable methods within both our SCA and SAST cloud platform to extend into custom code and provide remediation advice via “auto-correct” for common secure coding mistakes.

If your application security program could benefit from greater automation and real risk reduction, we’d love to talk to you about it.

Gartner, 2023 Gartner Magic Quadrant for Application Security Testing. Authors Mark Horvath, Dale Gardner, Manjunath Bhat, Angela Zhao, Ravisha Chugh. Published May 17, 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates; both are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

RSA Conference 2023: Key Takeaways From Our Five Favorite Sessions
https://www.mend.io/blog/rsa-conference-2023-key-takeaways-from-our-five-favorite-sessions/ (Tue, 02 May 2023 16:08:00 +0000)

RSA 2023 is a wrap, but that doesn’t mean we are finished with the annual event. Sharing information, success stories, and lessons learned lies at the heart of RSA. And after a week of talking to attendees and pundits, giving demos, and gleaning knowledge from a slew of sessions, it’s going to take some time to sort through all the treasure from that trove of knowledge. For starters, here are a few of the more noteworthy sessions we saw at the show:

Scaling Software Supply Chain Source Security in Large Enterprises

Rao Lakkakula, senior director of security engineering at JPMorgan Chase, gave a great overview of the extreme complexity involved in securing the software supply chain from the perspective of a large enterprise. The bottom line: while nobody can predict what’s going to happen, companies that proactively plan are better able to respond effectively to critical events. He outlined the following process:

Understand the software process

Identify entry points into the enterprise where software is ingested, such as open source, purchased software, and third-party developed software.

Look out for shadow application development. It’s a pretty sure bet that people are using stuff you don’t know about.

Monitor integration processes

Validate the security of providers and dependencies of OSS and closed-source components. Use high-quality, valid versions of components from fewer, more reliable sources.

Why is this important? It’s not that easy to delete vulnerable software once it’s in the system. You risk breaking things if code is deleted or updated. The more you do at ingestion to minimize damage, the better off you are.

Build comprehensive software bills of materials (SBOMs). You need a realistic way of finding the next Log4j, so build an asset inventory of both vendor software and OSS code, and where they deploy to. Also pay it forward by generating SBOMs for everything you ship to others.

Lakkakula gave a great analogy illustrating the complexity of SBOMs in the enterprise. He started by comparing an SBOM to the list of ingredients on a Dairy Milk candy bar. But SBOMs in the enterprise are more like a giant candy store that sells a ton of candy from all over the world, some of which is no longer in production. Enterprises are similar: they can bring in OSS software from all over the world, they don’t always know who wrote it, and some of it is probably no longer maintained.

Secure the internal CI/CD pipeline

Building a secure internal developer infrastructure starts by thinking about security integrity, build integrity, deployment integrity, and so on. This means that any components, dependencies, and data are consistent, accurate, trustworthy, and protected from unauthorized modification.

Automate vulnerability monitoring

Continuously monitor for new vulnerabilities to patch deployed software. Leverage the asset map and SBOM. Build and enforce policies based on your risk appetite.

Get involved

AppSec is a relatively new field, and it’s a problem that’s complex enough that no single company can solve it alone. Government sector agencies and groups like OpenSSF, FS-ISAC, SLSA, and NIST often have working groups that are open to the public, so that’s a good place to start.
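The asset-map, SBOM and vulnerability-monitoring loop outlined in the steps above, as an added Python example that is not from the session or from Mend.io’s tooling. The CycloneDX-style SBOMs, the advisory feed (placeholder IDs, not real CVE numbers) and the risk-appetite threshold are all constructed for illustration.

```python
"""Added example: cross-reference per-service SBOMs against an advisory feed and
apply a risk-appetite policy (constructed data throughout; not a real feed)."""
import json
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed asset map: deployed service -> CycloneDX-style SBOM as JSON text.
# Component versions are made up for the example.
SBOMS = {
    "payments-api": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4.2"},
        ],
    }),
    "reporting-batch": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
            {"group": "org.yaml", "name": "snakeyaml", "version": "1.30"},
        ],
    }),
}

# Constructed advisory feed. IDs are placeholders, not real CVE numbers, and the
# "fixed_in" versions are illustrative only.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-2", "group": "org.yaml", "name": "snakeyaml",
     "fixed_in": "2.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-3", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "fixed_in": "2.13.4.2", "severity": "high"},  # payments-api already ships the fix
]


def parse_version(text):
    """'2.13.4.2' -> (2, 13, 4, 2); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def build_inventory(sboms):
    """Asset map + SBOMs -> {(group, name): [(service, version), ...]}."""
    inventory = {}
    for service, bom_text in sboms.items():
        bom = json.loads(bom_text)
        for comp in bom.get("components", []):
            key = (comp.get("group", ""), comp["name"])
            inventory.setdefault(key, []).append((service, comp["version"]))
    return inventory


def where_is(inventory, group, name):
    """The 'find the next Log4j' query: which services ship this component, at what version."""
    return sorted(inventory.get((group, name), []))


def find_affected(inventory, advisories):
    """One finding per deployed component whose version is below the advisory's fix."""
    findings = []
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for service, version in inventory.get((adv["group"], adv["name"]), []):
            if parse_version(version) < fixed:
                findings.append({"service": service, "component": adv["name"],
                                 "version": version, "advisory": adv["id"],
                                 "severity": adv["severity"]})
    return findings


def apply_policy(findings, block_at="high"):
    """Risk-appetite policy: a service fails if any finding is at or above `block_at`."""
    threshold = SEVERITY_RANK[block_at]
    failed = {}
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] >= threshold:
            failed.setdefault(finding["service"], []).append(finding["advisory"])
    return failed


if __name__ == "__main__":
    inv = build_inventory(SBOMS)
    print("log4j-core deployments:", where_is(inv, "org.apache.logging.log4j", "log4j-core"))
    hits = find_affected(inv, ADVISORIES)
    for hit in hits:
        print(hit)
    print("services failing policy:", apply_policy(hits, block_at="high"))
```

Re-running `find_affected` against a refreshed advisory list is the continuous-monitoring step; the policy threshold is where the organization's risk appetite is encoded.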

Telling Fairy Tales to the Board: Turn Attack Graphs into Business Stories

Andy Ellis and Oren Sade of Orca Security gave entertaining advice on how to translate an attack path that security understands into a business story that the board can understand. Key points:

  • Drop all the technology phrases. “We have to assume that executives don’t understand these phrases. When they try to build a mental model based on keywords, those are the wrong words for them,” Ellis said.
  • Focus. It’s very important to use the smallest argument to spur action.
  • If there is a human responsible, don’t throw them under the bus. “Human error is an error in a system in need of redesign,” noted Ellis.
  • Management needs to see the line from hazard to fix. If there are two things you have to do, you need to match a fix for each hazard.

Running in the Shadow: Perspectives on Securing the Software Supply Chain

Did you hear the one about a developer, a CISO, and a policymaker who walked into a conference session? This panel discussion featured three different — and important — perspectives on building a secure supply chain. Moderator Jessica Hardcastle of The Register led the panel, which included James Higgins, CISO, Snap, Inc.; Dan Lorenc, CEO and co-founder, Chainguard; and Camille Stewart Gloster, White House Office of the National Cyber Director. Key quotes:

Higgins: “From a CISO standpoint, the issue is easy to identify, just impossible to implement. If you can understand the landscape and where the code is coming from, you’ve solved 80% of the problem.”

Higgins: “Inventory is the most critical thing you can possibly do. What is your code? Where is it stored, and where is it coming from? If you can solve for that, you can solve the rest rather easily. It doesn’t mean I’m protected from something like Log4j, but I can tell the board we know where everything is, and it’s not a problem.”

Lorenc: “This is a developer problem. It’s a code quality and process problem. We have to change the way developers build software.”

Lorenc: “Open source is really complicated. When they grab a piece of code and run npm install it’s the equivalent of picking up a thumb drive in a parking lot and plugging it into your laptop. Nobody wants to talk about this but it is really scary.”

Stewart Gloster: “In open source software, the government should not lead, but we can be supportive: We can get our own house in order. We can invest in cleaning up code. And we could make sure that there is funding for supporting open source software investments.”

The Psychology of DevSecOps

Jennifer Czaplewski, senior director at Target, and Kathryn Pimblett, senior cyber manager at A.P. Moller Maersk, presented two different psychological approaches to building successful AppSec programs.

The DevSecOps team at A.P. Moller Maersk uses a three-pronged approach based on the theory of planned behavior to challenge the belief that AppSec is a blocker to efficient application delivery and to increase developer buy-in and collaboration.

The key: Reduce pain for developers and make it fun. “We really leveraged gamification for AppSec training,” Pimblett said. “As it stands, we have almost a third of developers actively engaging in the platform—and it’s all voluntary.”

At Target, DevSecOps uses organizational psychology — how people behave in the workplace — to build a security-minded developer culture. The main tool lies in using psychological contracts to establish standard product security values.

The three contracts: meet developers where they work, offer end-to-end solutions, and the right way = the easiest way. “Whenever possible, we integrate right into the tools they are using so they don’t have to be interrupted,” Czaplewski said.

The National Cyber Strategy as a Roadmap for a Secure Cyber Future

This panel of public-sector cyber strategists discussed two fundamental shifts outlined in the National Cybersecurity Strategy: rebalancing the cyberspace defense responsibility onto those most capable of bearing it, and realigning incentives to favor long-term investments over temporary fixes. One key question arose: How can organizations better support open-source software developers and infrastructure? Here’s what the panelists had to say:

Eric Goldstein, executive assistant director, Cybersecurity and Infrastructure Security Agency

“One piece is that we need a model of shared responsibility across the breadth of the OSS ecosystem. We need to make sure that the developers creating and maintaining libraries and packages have the support, resources, and information they need for that project to remain fit for purpose.

We need to know how to prioritize the libraries and packages that are heavily used in critical uses and establish a baseline for good security so it can raise the bar across the world. Because we know that there are many vulnerabilities out there. Example: A shockingly high percentage of Log4j still being downloaded are malicious.

We want to think more about what a package manager can do to create friction and speed bumps to filter and block malicious packages.”

Robert Knake, acting principal deputy national cyber director, Office of the National Cyber Director

“One of the issues is how we are talking about software liability. We want to shift responsibility in bad outcomes from end users to companies that develop that software.

But when it comes to an OSS development strategy, we don’t want to place that responsibility on open-source communities. It does no good if you hold responsible individuals doing this for free on a part-time basis. The question is, how do we create a situation where commercial software developers make better choices about what OSS to use?”

Liesyl Franz, acting deputy assistant secretary for international cyberspace security, U.S. Department of State, Bureau of Cyberspace and Digital Policy

“We can be a coalition builder for various aspects to the extent that we can help carry the message and demonstrate the activities and expertise of team CISA.”

Bryan Vorndran, assistant director at the FBI, noted that the agency is not involved in areas of regulatory action. But he did point out the value of early training on cybersecurity best practices. “We currently have no academic standards for best practices in this area across the US academic institutions. We need to up this farther upstream.”

Mend’s Women Lead the Way
https://www.mend.io/blog/mends-women-lead-the-way/ (Wed, 08 Mar 2023 15:43:48 +0000)

To mark International Women’s Day, we asked some of Mend’s talented women what drew them to working in technology, their professional highlights and challenges, and insights and advice on building a career in technology. Here’s what they had to say.

The draw of a tech career 

Vered Shaked, EVP Strategy and Corporate Development, was attracted to Mend’s leading position in a flourishing domain, as well as the opportunity to lead a long-term strategic journey for the company’s next wave of growth. Additionally, the people-centric approach of CEO Rami Sass was a deciding factor. “Since I tend to value people I work with as a key aspect of any role, when I first met Rami, I pretty much made up my mind,” she said.

For Adi Matalon, software developer in R&D, technology has long been a primary interest. “I was always passionate about technology because it has the power to improve people’s lives and solve real-world problems,” she said. She discovered coding at school, which led her to become a software developer.

Maria Korlotian gravitated toward a career in technology thanks to the influence of her parents, one artistically minded and the other scientifically minded. “Exposure to both types of thinking sparked my interest in technology,” said Korlotian, who leads a development team of analysts, researchers, and software engineers. “To me, computer science is a mix of logical thinking and creativity. I am also addicted to learning. Technology is a field that is constantly evolving, and you must stay up-to-date with the latest advances.”

The fit with Mend was therefore natural for Korlotian. “Mend uses the most advanced tech stack I have ever seen and constantly pushes the boundaries of what is possible,” she said. “Being at the forefront of technology is incredibly exciting, and it offers a clear path for progression and development.”

Career influences and inspirations

For Shaked, her first boss at a US investment banking firm was a major influence on her career development. “He was a true believer in giving me autonomy. He enabled me to shape my role, explore new initiatives, and grow as much as I wanted to,” she said. “He created an environment in which I didn’t fear to fail.” With his encouragement, Shaked joined the founding team of one of Israel’s leading venture capital firms, which he led.

Matalon’s studies gave her the opportunity to build an application user interface from scratch, in conjunction with Mend. The results are still being used in production by the security analytics team. Joining Mend was the logical next step to be at the forefront of protecting systems from vulnerabilities and threats.

Korlotian grew up in a village where specific subjects or careers were considered off-limits for girls. In her primary school, computer science classes were gender-segregated. But her parents’ friend taught computer science at another school and encouraged her interest. 

Career highlights

Shaked’s professional highlights include becoming a partner of a leading VC fund before turning 30 and leading the creation of a market category for a digital adoption platform company. “But what I’m personally most proud of is my ability to get back to the high-tech market after three years of giving birth to my three children,” she said. “I returned to a highly demanding position in investor relations for a NASDAQ company and went through a secondary offering with three infants at home.”

Matalon, meanwhile, is proud of the fact that her work was put into production and continues to be used as the company’s technology progresses.

Korlotian takes pride in following her chosen path despite the skepticism she encountered about becoming a mechatronic engineer. “Determination and persistence allowed me to stay true to my goals and make an impact,” she said.

Career challenges

The biggest career challenge for Shaked was accommodating the demands of work and family. “Compromising my career was not an option for me,” she said. “High tech is the most fast-changing industry. To be part of a leading team you have to keep up with everything that is happening. For women, maternity leave and finding the right family-work balance is an ongoing challenge.”

Breaking into the industry is also a big challenge for those starting out in their careers, Matalon observed. “I wasn’t sure if it was the right career choice for me, but luckily I found my first tech job at Mend, and I’m confident that I’m in the right place.” She agreed with Shaked that the challenge is to maintain work-life balance, especially for people with families. She said, “It’s important for a company to understand these needs.”

The speed of change is the biggest challenge in tech, said Korlotian. “Technology is advancing incredibly quickly, creating a constant need for learning and adaptation. It’s important to embrace this progress.”

Changing opportunities for women in tech

Equality of opportunity is something that begins at home, says Shaked. “My daughter is 19 years old and a sister to 20 and 21-year-old boys. She won’t tolerate any gender stereotypes or discrimination from them, or from her parents, about whether a task is “for boys.” Unfortunately, I feel that many of my classmates at university didn’t realize their full potential. But I think this is changing nowadays because women themselves are more empowered and we certainly benefit from the increasing influence of diversity, equality, and inclusion initiatives.”

Matalon has also noticed a change for the better in the tech sector. “I think that recently companies have strived to create a more inclusive and supportive workplace culture. There are now more opportunities for women to pursue careers in technology,” she said. “There are also more female role models in tech, who can inspire and encourage other women in this field.”

The way people work together has also changed significantly, according to Korlotian. “When I started my career, access to knowledge was somewhat limited. I learned programming primarily from books,” she said, “and software engineering was an isolated task.” Now it’s more collaborative. “It requires teamwork and interaction with other parts of the organization.” And remote work creates more career opportunities, as people aren’t limited to specific locations.

What tech companies can do to attract and develop talent, especially women

Shaked observes that diversity is critical to developing talent and building innovation. “Women add soft skills that are very important in managing people. Diversity and inclusion of people are driving forces behind a creative discussion and brainstorming that leads to great innovation. I’m proud to be working at a company that has 50 percent of its R&D management roles and 40 percent of its executive management filled by women.”

Matalon advised companies to promote gender diversity in leadership, provide mentorship for women, and offer flexible work arrangements to support work-life balance. “Leaders should actively seek out and promote diversity within their organizations by recruiting and hiring from a broad pool of candidates,” she said.

Korlotian urged companies to embrace people’s different talents to get the best out of their teams. She advised software team leaders to “always take the time to learn and be willing to listen. Highlight the unique strengths and talents in your team. Lead by example and empower people to make decisions.”

Key advice and insights

For people seeking to build a career in tech, Shaked said, “Be passionate enough to seek and learn more than your role. Understand the context, whether it’s a customer use case or the market dynamics, what I call ‘zooming out.’ Those who make a habit of doing this will gain an extra perspective that I believe is an important driver of success.” Her closing insight is “Stay professionally focused. Always seek to add value and go and crush it!”

For Matalon, mentorship and ongoing learning are the key factors for achieving success. “Find a mentor or role model who can guide and support you as you grow in your career,” she advised. “Keep learning, because technology is constantly evolving, so it’s crucial to stay up-to-date with the latest developments.”

Korlotian concluded with a philosophical note that has a real impact in application security: “The shortcut often turns out to be the longest path.”

Pride 2022: Supporting LGBTQ+ in Tech
https://www.mend.io/blog/pride-2022-supporting-lgbtq-in-tech/ Mon, 27 Jun 2022 12:33:59 +0000 https://mend.io/pride-2022-supporting-lgbtq-in-tech/

Happy Pride month! From its origins as a way to honor the 1969 Stonewall Riots, Pride has since grown into a global celebration of the LGBTQ+ community and an important vehicle to highlight the ongoing work necessary to achieve equality for all. That resonates with us at Mend. Promoting diversity and inclusion—and integrating these values into everything that we do—is a core tenet of our culture. In the spirit of Pride, we wanted to give space to two of our amazing employees to share LGBTQ+ perspectives, both personally and as a member of the technology industry. A quick introduction: Miriam Iomin is a security researcher on Mend’s dynamite research team, while Shiri Arad Ivtsan works as a senior director of product management for Mend.

What does Pride Month mean to you?

Miriam: Pride month means being seen, not being ashamed of who I am and hiding my true self as I used to before I came out. It also means fighting for basic rights that are still unavailable for many, such as marriage and children.

Shiri: For me, the meaning of Pride Month has changed I feel like over the years. When I was younger it was mostly about parties and fun, but now that we’re a “proud family” (my wife, a two-year-old boy, and a girl on the way), it’s much more than that. It’s mostly about the legal rights for families like ours here in Israel. It’s about equal marriage and making sure that my partner will be their legal parent and have equality with regards to law. Finally, it’s very important for me to have authentic representation of LGBTQ families in movies, TV, books, etc. so that my toddler doesn’t feel different.

Why did you choose to work at Mend? Do you feel like you are able to be your authentic self working here?

Shiri: I chose to work at Mend because of the industry, the challenge in product management, and the people. I love the culture here, and I feel I can really be my authentic self.

Miriam: I worked with Mend for two years before I formally joined the company, and I liked the people, the atmosphere, and the feeling that my work impacts both the company and the community/clients. Yes, I definitely feel free to be who I am here. It is absolutely “normal in the view,” and I openly talk about my experiences and LGBTQIA+ topics with a variety of people at work, which is fun and amazing to see.

What does it mean for you to be your authentic self at work?

Miriam: It means being more fun, open, and free and being happy in my environment. Which of course raises my motivation as a result of the above said.

Shiri: It means I can tell people about my family, my weekend, and my challenges without hiding anything, and I feel I’m completely accepted and equal.

What encouraged you to be your authentic self at work – was there an experience, moment, or encounter that prompted this?

Shiri: When I first interviewed at Mend, it was important for me to mention that I’m lesbian. It’s similar with every new workplace, just to make sure I work in an environment where this is a non-issue. I completely got this feeling from everyone at Mend, from that first interview to now, after almost four years in the company.

Miriam: Frankly, I came out super late at the age of almost 25 because I didn’t want to destroy my parents’ lives. When I came out (they were the first to know) nothing else mattered—once they knew, I was free. My friends and workplace never bothered me, and it was always a positive experience telling them. My attitude since coming out is that if and when relevant, I will mention my orientation. If anybody feels uncomfortable with it, that’s their problem. I am who I am, and not afraid nor ashamed about it anymore.

What advice would you give to an LGBTQIA+ person entering the tech workplace today?

Miriam: Well, the advice is not LGBTQIA+-specific, but I believe that a person should never stay in a place where they can’t be themselves. Always be who you are and choose an environment that lets you be yourself and bloom.

Shiri: Just try to be yourself without hiding anything; most workplaces, at least in the center of Israel, are very open and accepting.

Celebrating Pride: LGBTQ+ Open Source Projects and Programs We Love
https://www.mend.io/blog/lgbtq-open-source-projects-we-love/ Thu, 17 Jun 2021 06:58:44 +0000 https://mend.io/lgbtq-open-source-projects-we-love/

June is Pride month, a time when we celebrate and promote the dignity and equality of the LGBTQ+ community.

The first Pride celebration was held several months after the June 1969 Stonewall Riots, which were a series of demonstrations by members of the gay and trans community in response to a police raid on the Stonewall Inn, a gay and lesbian bar in Greenwich Village in New York City. Protests began after police officers roughed up patrons and arrested 13 people, including several trans women who had violated the state’s then gender-appropriate clothing statute. The riots are widely considered one of the most influential events in starting the gay rights movement in the United States. 

Thirty years after the first Pride march, in June 1999, President Clinton issued an official proclamation declaring June was now Gay and Lesbian Pride Month. Fifty-two years after the original march, Pride events are now held on every continent, including Antarctica, which celebrated its first Pride month in 2018.

Despite the advances in the gay rights movement, there is still much work to be done.

At Mend, we’d like to show our own Pride and help advance the move toward equality by highlighting some of our favorite open source projects and programs that champion the LGBTQ+ community. Whether you’re a member of the community or an ally, here is a list of our favorite open source projects in honor of Pride month!

The Supernova Project

The Supernova Project is a global effort that aims to help address abuse within the LGBTQIA+ communities. The project empowers queer people around the world who are experiencing domestic abuse by providing a queer friendly platform of information and support. The Supernova Project is an offshoot of the charity Chayn, an entirely volunteer-led organization.

REFUGE Restrooms

REFUGE Restrooms provides a free resource to transgender, intersex, and gender nonconforming individuals in need of gender neutral and other safe restrooms. Just type in your address or use the site’s location services to find a safe restroom nearest you. If you know of a safe restroom you can also submit its address to help others. 

The Queer Map by Qiekub 

This open source project offers both a map and API that connects to community centers and other helpful information for queer people. The word Qiekub is based on a Chinese word that means “you are welcome.” The project’s goal is to design and build the future we want to live in.

Lesbians Who Tech

Lesbians Who Tech is a community of LGBTQ+ women, non-binary and trans individuals, and allies in and around the tech community. This incredible organization’s goal is to encourage more women, people of color, and queer and trans people to get into technology as well as to connect with organizations that support the LGBTQ+ community. Lesbians Who Tech is holding a virtual Pride summit from June 21-25, 2021.

Working toward equality

We continue to celebrate Pride month here at Mend by promoting a culture of inclusivity and equality. Together we can help build a world where love is love is love and everyone, regardless of gender or sexual identity, is treated with dignity and respect. Happy Pride!

Top Zoom Backgrounds We Love For April 1st
https://www.mend.io/blog/top-zoom-backgrounds-we-love-for-april-1st/ Thu, 02 Apr 2020 08:42:36 +0000 https://mend.io/top-zoom-backgrounds-we-love-for-april-1st/

These days, remote work has gone from an interesting trend to consider, to a practice that many of us must adopt. The office conference room has been replaced by virtual ones, often the only place we get to catch up with our colleagues in these ever-changing and often confusing times.

While we have little say as to what will happen next, one thing we can control is our virtual meetings’ environments — more specifically our backgrounds. We might be stuck at home, we might feel like we’re surrounded by chaos, but Zoom provides us with maximum freedom to control our virtual settings. 

Our humble tribute to April Fools’ Day is this collection of our favorite backgrounds from our very own Mend crew — including us, your loyal Mend content team. In the hopes of putting a smile on your faces, here it is remote folks, our favorite Zoom backgrounds for some April 1st fun. 

A classic revisited

The GIF that keeps on giving. Who knew way back when BBC dad first went (the-other-kind-of) viral, the clip would be revisited years later. Rhys Arkins, Mend Director of Product.

Turns out that besides being the creator of Mend Renovate and this writer’s go-to for open source community, licensing, or security questions, he is also quite a wiz with remote conferencing backgrounds. This is just one example.

Live from Red Rocks

Need some space? Human connection? Crank up the volume and join Jason Hammond, our Director of Solutions Engineering — Channels, rocking out and/or telecommuting from the happiest place on earth, Red Rocks Amphitheatre in Denver, CO. 

May the Mend be with you

Tamir Verthim, our Head of Solution Engineering, doesn’t get ready, he stays ready, with a fully stocked toolbox of solutions for any issue, big or small. In this case, he came backed-up by Mend managers and founding fathers (left-to-right): Dr. Ron Rymon, Mend Co-Founder and Executive Chairman, Rami Sass, Co-Founder and CEO, and Azi Cohen, Mend Co-Founder & General Manager. 

Serving diamonds are a girl’s best friend realness

When the going gets tough, the tough perform a dance number dripping in diamonds. Sometimes, you just have to ask yourself, what would Marilyn Monroe do? Julie Peterson, wordsmith extraordinaire and our Content Marketing Manager, found the answer: do a little dance surrounded by a chorus of dapper admirers showering you with admiration and diamonds. 

Opulence is everything

Perhaps diamonds are a girl’s best friend, but sometimes we just want to kick back and relax in a European mansion. That’s why I chose this backdrop. Home office not up for a virtual conference? Rather than hurriedly sweeping the clutter outside of the frame, swap out your messy background for this gem of a property. 

The art of the subtle gag

Tom Shapira, our Director of Software Engineering and Mend OG, has weathered the most Mend offices and workspaces out of all of us. While at first it might appear like Tom is sitting in his office workspace, this gag demands a double-take. Our more observant readers probably noticed that Tom is using a photo of his on-prem office background for his remote team meetings, basking in the comfort of the office rather than the glare of the spotlight or the ghosts of aristocrats’ past. 

There you have it, our take on April 1st gags.

7 Open Source Projects We Love
https://www.mend.io/blog/7-open-source-projects-we-love/ Thu, 13 Feb 2020 10:53:00 +0000 https://mend.io/7-open-source-projects-we-love/

If you’re a developer, open source probably plays a major role in your work. Perhaps you love it just as much as we do, and for that reason, we’ve created this post to share the seven open source projects we admire the most:

1. Apache Cassandra

  • Number of contributors: 287
  • Top contributor: Jonathan Ellis, CTO & Co-Founder at DataStax | @spyced
  • Primary language: Java
  • Number of stars: 5,700

Apache Cassandra is a distributed and decentralized database designed to manage massive amounts of structured and unstructured data across the world. It was developed at Facebook for inbox search and open sourced in July 2008. 

One of Cassandra’s most essential features is its elastic and linear scalability, which enables a consistently fast response time. Data is automatically replicated to multiple nodes for fault tolerance and easy distribution. 

Some of the open source project’s largest production deployments include Apple, Netflix, and Chinese search engine Easou. It’s also in use at Constant Contact, CERN, Comcast, eBay, GitHub, Instagram, and more than 1,500 other companies.

2. TensorFlow

  • Number of contributors: 2,383
  • Top contributor: tensorflower-gardener
  • Primary languages: C++ and Python
  • Number of stars: 141,000

TensorFlow is an open source library for numerical computation and machine learning that was created by the Google Brain Team in 2015. TensorFlow is designed to enable the simple creation of machine learning models for desktop, mobile, web, and cloud.

One of the project’s greatest benefits is abstraction. In other words, TensorFlow allows developers to focus on the general logic of the application while the library handles the details of implementing algorithms in the background. It also provides a direct path to production. Whether on servers, edge devices, or web, TensorFlow lets you train and deploy your model easily in any language or platform.

Some of the biggest companies using TensorFlow include airbnb, Coca-Cola, DeepMind, GE Healthcare, Google, Intel, and Twitter.

3. Renovate

  • Number of contributors: 190
  • Top contributor: Rhys Arkins, Director of Product Management at Mend | @rarkins
  • Primary languages: JavaScript & TypeScript
  • Number of stars: 2,600

Renovate is the essential “keep absolutely everything up-to-date” code maintenance tool. Acquired by Mend in November 2019, Renovate is designed to save developers time and reduce security risk by automating dependency updates in software projects. 

We obviously love Renovate a lot, mostly for its open-first approach and ability to support a highly coordinated and efficient open source security strategy. 

One of Renovate’s key benefits is its ability to support multiple languages and file types in order to detect dependencies wherever they’re in play. It runs continuously to detect the latest available versions, and provides changelogs and commit histories with every update. You can also run your existing suite of tests on every update to avoid regression errors.

4. Kubernetes

  • Number of contributors: 2,441
  • Top contributor: Jordan Liggitt, Staff Software Engineer at Google | @liggitt
  • Primary language: Go
  • Number of stars: 63,000

Over the past few years, containers have become a go-to for software development teams, helping them build, test, and deploy at scale, and keep up with the hectic speed of release cycles. Kubernetes, an OG in the container space, is an open source project that is designed to automate the deployment, scaling, and management of containerized applications. Its main objective is to simplify the work of technical teams by automating many of the application and service deployment processes that were formerly completed manually.

We love Kubernetes for its automation capabilities, which ultimately save you money through more efficient use of hardware. Kubernetes allows you to orchestrate containers on multiple hosts and scale resources and applications in real time.

Special mention goes to K9s, the Kubernetes CLI that makes it easier to navigate, observe, and manage your Kubernetes clusters. 

Some of Kubernetes’ biggest users include China Unicom, Spotify, Nav, and AppDirect.

5. Ansible

  • Number of contributors: 4,884
  • Top contributor: Brian Coca, Sr. Software Engineer at Ansible | @brian_coca
  • Primary language: Python 
  • Number of stars: 41,700

Featured in GitHub Octoverse’s list of top open source projects by contributors since 2016, Ansible is an IT automation tool that “loves the repetitive work your people hate.” We love this open source project because it eliminates much of the complex, redundant tasks intrinsic to application development and delivery.

Ansible has risen in popularity because of its simple, human-readable language and ability to automate complex, multi-tier IT application environments. Organizations that are able to eliminate some of the lamented grunt-work their developers face stand to reap the benefits of improved productivity and accelerated DevOps.

6. Geany 

  • Number of contributors: 149
  • Top contributor: Enrico Tröger | eht16 
  • Primary languages: C & C++
  • Number of stars: 1,500

Geany is a small and lightweight IDE that runs on Linux, Windows, macOS, and every platform that is supported by the GTK libraries. We love it because it fulfills the need for a flexible, powerful, cross-platform IDE that provides helpful features without congesting your workflow.

For instance, Geany offers syntax highlighting, code folding, symbol name auto-completion, call tips, a build system to compile and execute your code, and project management, among other features. Another unique resource is its extensive User Manual, crowd-sourced Wiki, and full Plugin API Documentation.

7. Django

  • Number of contributors: 1,853
  • Top contributor: Tim Graham | @timograham
  • Primary language: Python
  • Number of stars: 47,100 

Django is a high-level Python web framework, and it’s very lovable. For one thing, it’s designed to help developers achieve their most important objective: rapid development.

Django is beloved by Python developers because it enables programmers to push apps from concept to completion fast, without the usual hassle of web development. Of course, we also appreciate its dedication to security. It helps developers avoid many common security errors, such as SQL injection, cross-site scripting, clickjacking, and more.

Considering Python’s increasing popularity in the open source community, we expect Django to continue to grow. Versatile and scalable, Django has already been adopted by many websites, including Mozilla, Pinterest, Instagram, OpenStack, National Geographic, MacArthur Foundation, and more.

Share the love: Giving back to the open source community 

We just love them all! While each project we mentioned here has a different core objective, each has the potential to improve the way you work. They enable faster, cleaner work, and place a growing emphasis on security.

As our love of open source continues to grow, along with our dependence on the open source projects that power and support the software products we create, it’s important to remember to give back to the open source community. While many of the projects that we highlighted are supported by a loving community of maintainers and supporters, not to mention some of the largest tech giants, other open source project maintainers have struggled to get support for the components they lovingly created and maintained.
