Apiiro Unveils Open Source Software Toolkit to Combat Dependency Confusion Attacks
Moshe Zioni, VP of Security Research, to Demo Apiiro’s Dependency Combobulator at Black Hat Europe 2021
Apiiro, the leader in Application Risk Management, announced the release of the Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks. The Dependency Combobulator allows organizations to safeguard against this newly uncovered type of risk, which has been on the rise this year as a key vector in supply chain attacks targeting dependencies within software packages. This new solution is a critical element in Apiiro’s multidimensional approach to securing the Software Development Lifecycle to prevent both direct and supply chain attacks.
Dependency confusion compromises the open source software (OSS) ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.
Recommended AI News: Seoul-based Edtech Startup Mathpresso Secures Strategic Investment from Google
Apiiro’s Dependency Combobulator enables a flexible approach to analyze and automate release workflows that can be evaluated against different sources such as GitHub Packages and can be extended to consider additional registries such as JFrog Artifactory. Unlike existing solutions, Apiiro’s Dependency Combobulator, aimed to be used by the AppSec practitioner, is a python-based toolkit that supports both the npm and maven package management schemes out-of-the-box, as well as enabling easy extension into other package management systems. It provides improved extensibility that enables organizations to quickly adapt to new types of dependency attacks.
The toolkit uses a heuristic engine that works on an abstract package model, providing easy extensibility that enables additional insights on individual packages. This depth and flexibility leads to improved decision-making by Application Security practitioners and penetration testers.
The Dependency Combobulator is pluggable and can be baked into an enterprise’s application security program and release cycle in an automated way. It can be plugged into several interaction junctions within an enterprise software development lifecycle, providing actionable insights to fit multiple use-cases, and expandable to support additional ones as dependency attacks evolve.
“In the wake of security researcher Alex Birsan’s move to compromise ecosystems maintained by Apple, Microsoft and PayPal earlier this year, the industry experienced an outbreak of similar supply chain attacks,” said Moshe Zioni, VP of Security Research at Apiiro. “We were eager to respond by creating a toolkit that can mitigate similar threats and be flexible and extensible enough to combat future waves of dependency confusion attacks. Addressing this attack vector is essential for organizations to successfully secure their software supply chains.”
[To share your insights with us, please write to firstname.lastname@example.org]