Sarah Moglia – Mend (https://www.mend.io), feed updated Tue, 26 Nov 2024 19:40:09 +0000

Benefits of VEX for SBOMs
https://www.mend.io/blog/benefits-of-vex-for-sboms/ (Tue, 26 Nov 2024 19:40:07 +0000)

As Software Bills of Materials (SBOMs) become increasingly necessary, and in some cases required, by private companies and governments globally, they are meant to provide transparency and help organizations understand what is in their software. But if SBOMs are so helpful, how come nobody knows what to do with them?

Knowing what you’re working with

Modern applications make use of thousands of third-party components, mostly but not entirely open source software (OSS), and it’s critical to keep track of them. That’s why, in theory, an SBOM is great. Requiring an SBOM seemed like such a good idea that both government agencies and customers started insisting that everyone have them. You get an SBOM, you get an SBOM, everyone gets an SBOM! 

However, once everyone started getting SBOMs, a new problem arose: what do we do with these things, anyway? While an SBOM is important, when you just get a list of all the components that are in your code, it’s incomplete information that isn’t actionable. 

In order to make SBOMs really useful, security pros needed something else—something to contextualize the mass of findings in an SBOM to help them understand what was really concerning and what was just a false alarm. As Frank Costanza once said, there has to be another way.

Streamlining risk management 

Thankfully, there is another way: VEX (Vulnerability Exploitability eXchange). VEX is a framework for communicating the exploitability of known vulnerabilities in the context of where and how the affected components are used.

SBOMs enriched with VEX data make it easier for organizations to prioritize risk management by providing actionable insights into the exploitability of vulnerabilities. This allows your business to allocate resources effectively and focus on addressing the most critical risks.

A VEX producer can designate vulnerabilities as:

  • Exploitable – This means a vulnerability can be used by attackers in the current implementation and needs to be remediated ASAP. This is what your immediate focus should be on.
  • Not exploitable – While the vulnerability exists in theory, factors like how your application is configured mean malicious actors cannot access it, rendering the vulnerability harmless.
  • Fixed – A vulnerability existed, but a mitigation or patch has already been applied.
  • Under Investigation – This notation means further analysis is required to determine how exploitable this vulnerability is. Once you’ve dealt with the exploitable vulnerabilities, you’ll want to look into these next. 

With VEX, instead of just having the SBOM data of software dependencies, you also have information about the specific vulnerabilities within the code that you’re using and whether they actually need to be addressed. It saves the time and developer hours otherwise spent tracking down false positives, helps you prioritize the biggest risks first, and overall adds a lot more value to an SBOM.

Notes about what steps have been taken or need to be taken can also be included in the VEX. 

Additionally, documents in VEX format are machine readable (in CycloneDX or SPDX form), allowing integration into asset management tools. This enables greater automation of risk management, once again saving time and ultimately, money.

VEX also includes actionable data about how severe a vulnerability is, whether mitigations exist, and if patches are necessary. The information provided by VEX allows security teams to determine how risky a vendor’s software truly is, which is impossible to know from an SBOM alone. 

Transforming SBOM with VEX

Having a method to consistently describe and share vulnerability data between organizations addresses some of the biggest headaches for security engineers. If the VEX data indicates that a vulnerability is non-exploitable because end users don’t have access to the affected function, it saves you the time of both tracking down that information and mitigating something that doesn’t need to be addressed imminently.

Say you scan your systems and discover 40 vulnerabilities within your software supply chain. Without VEX, you might spend days addressing all of them. However, with VEX data, you see that 10 of the vulnerabilities are non-exploitable, 20 of them are low severity and can be remediated later, while 10 are critical and exploitable. Now you’re able to prioritize the most severe vulnerabilities, schedule later remediations for the lower risk ones, and ignore the non-exploitable ones. Think of the time (and headaches) you’ve saved thanks to VEX.
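As an added illustration (not code from this post or from Mend.io), the triage described above run over a constructed CycloneDX-style VEX document. CycloneDX's analysis states (exploitable, not_affected, resolved, in_triage) are mapped onto the four statuses the post lists, and a "not affected" claim that carries no justification is deliberately kept in the investigation bucket rather than ignored. The CVE identifiers and package URLs are placeholders.

```python
import json

# Constructed CycloneDX 1.5-style VEX document. CVE IDs and purls are
# placeholders, not real findings.
VEX_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
     "analysis": {"state": "exploitable", "response": ["update"]}},
    {"id": "CVE-0000-0002", "ratings": [{"severity": "high"}],
     "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "Vulnerable function is never called."}},
    {"id": "CVE-0000-0003", "ratings": [{"severity": "medium"}],
     "affects": [{"ref": "pkg:pypi/example-tool@0.9"}],
     "analysis": {"state": "resolved", "detail": "Patched in build 42."}},
    {"id": "CVE-0000-0004", "ratings": [{"severity": "low"}],
     "affects": [{"ref": "pkg:pypi/example-tool@0.9"}],
     "analysis": {"state": "in_triage"}},
    {"id": "CVE-0000-0005", "ratings": [{"severity": "high"}],
     "affects": [{"ref": "pkg:pypi/example-tool@0.9"}],
     "analysis": {"state": "not_affected"}}
  ]
}
"""

# CycloneDX analysis.state vocabulary -> the four statuses in the post.
STATE_TO_STATUS = {
    "exploitable": "exploitable",
    "not_affected": "not exploitable",
    "false_positive": "not exploitable",
    "resolved": "fixed",
    "resolved_with_pedigree": "fixed",
    "in_triage": "under investigation",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "none": 5}


def triage(vex_text):
    """Return {status: [vuln_ids]}, each bucket ordered most severe first.

    Unknown states go to 'under investigation'. A not_affected claim with
    no justification is downgraded to 'under investigation' too: a bare
    assertion is not enough reason to stop looking at a finding."""
    doc = json.loads(vex_text)
    buckets = {s: [] for s in ("exploitable", "under investigation", "fixed", "not exploitable")}
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        status = STATE_TO_STATUS.get(analysis.get("state"), "under investigation")
        if status == "not exploitable" and not analysis.get("justification"):
            status = "under investigation"
        severity = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
        buckets[status].append((SEVERITY_ORDER.get(severity, 6), vuln["id"]))
    return {k: [vid for _, vid in sorted(items)] for k, items in buckets.items()}


if __name__ == "__main__":
    for status, ids in triage(VEX_JSON).items():
        print(f"{status:20} {ids}")
```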

Adopting SBOMs is an essential step toward modern software security, but without the right context, they remain incomplete. VEX is the key to transforming SBOMs into actionable, insightful tools. By providing crucial exploitability data, VEX allows organizations to allocate resources efficiently, reduce false positives, and focus on addressing real threats—saving time, money, and ensuring faster, more secure software deployments.

At Mend.io, we’re excited to offer SBOM exports enriched with VEX data, empowering our customers to turn their SBOMs into effective risk management tools. Interested in making your SBOMs more actionable? Schedule a demo today.

Mend.io & HeroDevs Partnership: Eliminate Risks in Deprecated Package
https://www.mend.io/blog/mend-io-herodevs-partnership-eliminate-risks-in-deprecated-package/ (Tue, 29 Oct 2024 13:39:06 +0000)

The challenge of dealing with deprecated packages

The increasing reliance on open-source software coupled with the accelerated pace of software development has created a growing need for support of deprecated packages. The significant majority of open-source software packages are not actively maintained, meaning vulnerabilities are not patched, thereby leaving systems open to attack. Malicious actors often target deprecated open-source packages for this very reason. 

In addition to increased vulnerability risks, deprecated packages can become incompatible with modern systems or libraries. This leads to performance issues, making it more difficult to extend your application’s life. 

Using deprecated packages also increases your technical debt. The longer you put off replacing outdated code, the more complicated it becomes to resolve the issues it causes.

This is why we are excited to announce an exclusive partnership between Mend.io and HeroDevs. HeroDevs NES (Never-Ending Support) keeps deprecated packages maintained, saving you the cost and hassle of migration while also keeping your software versions secure and compliant. 

Value of a joint partnership between Mend.io and HeroDevs

Mend.io helps developers keep their applications secure by identifying outdated and vulnerable open-source packages and providing recommendations for updating to newer, safer versions.  However, sometimes those updates don’t exist because the package is no longer supported. 

While developers are capable of fixing issues with deprecated packages they use, it is a risky, costly, and time-consuming task. That’s where HeroDevs comes in. They provide continued support for deprecated packages, ensuring there’s always a safe, updated version available.

Benefits of HeroDevs NES

By combining the power of the Mend AppSec Platform with HeroDevs NES, our joint customers achieve:

  • Reduced Risk: The use of deprecated packages leaves applications at risk. Pairing the Mend AppSec Platform with HeroDevs NES proactively addresses vulnerabilities in deprecated packages, reducing the risk of data breaches caused by unmaintained packages.
  • Increased Compliance: Compliance standards like PCI DSS, HIPAA, and GDPR require companies to take measures to protect sensitive data. HeroDevs NES adds extended support to deprecated packages that would otherwise leave applications vulnerable to attack and put companies out of compliance.
  • Time and Money Savings: Manually patching deprecated packages can be a time-consuming and expensive process for developers. HeroDevs NES provides upgrade paths for these packages, accelerating remediation, saving costs, and freeing developers to focus on building new features and delivering value faster.

With the power of both the Mend AppSec Platform and HeroDevs NES, you can rest easy that your software supply chain will be well-protected from vulnerabilities, malicious packages, and performance issues that stem from deprecated packages.

Vital Signs of Software Dependencies: Understanding Package Health
https://www.mend.io/blog/vital-signs-of-software-dependencies-understanding-package-health/ (Tue, 15 Oct 2024 16:45:57 +0000)

As the vast majority of modern applications rely heavily on open-source software, dealing with updates for dependencies can become a major hassle for both developers and cybersecurity professionals. Every developer knows the pain of an update breaking their application. Manually determining which dependency updates to apply can become a massive time-suck, which is why many developers fall behind on updates, leaving applications open to vulnerabilities.

The endless nature of updates

While keeping dependencies up to date is important, immediately moving to a new version can introduce risks, including the potential for application instability or breakage due to unforeseen regressions in dependent software. Finding a balance between quality and security can seem like a Sisyphean task, as an ever-growing number of updates are required, especially if you must spend time searching for crucial information about each dependency update.

What is package health?

Package health refers to the overall security and reliability of a particular version of a software package (or library), including:

  • Whether it has any known vulnerabilities (and how severe they are)
  • How old it is
  • Adoption rate (how many people have adopted the particular version out of all available versions)
  • Test passing rate (success of moving from your current version to the new version)
  • How active the maintainer is 

Let’s break each of those down a little further.

Known vulnerabilities

Nearly all packages have some known vulnerabilities, but some are higher risk than others. If there are known exploits available, that vulnerability immediately becomes higher risk than vulnerabilities with only theoretical risks. Developers should know what new risks they’re subjecting applications to when updating dependencies.

It’s useful to know how many CVEs a particular version of a dependency has as well as how severe they are. If an update removes a few medium and low CVEs but introduces a new critical CVE, it may not be worth it.

Package age

The age of a package is critical for knowing how trustworthy it is. If a package is more than a year old, it likely contains some vulnerabilities that have been addressed in newer versions. While the newest package is not necessarily the best, if a package version is too old, it is probably riskier to use.

Adoption rate

By monitoring the number of users who are actively using a specific version of a package, developers can assess the overall popularity and reach of that version. If the latest version has a low adoption rate, it might indicate that other developers have tried it and rolled it back after it caused issues.

Version success

This might be the most critical metric related to a package’s health. Knowing the percentage of users who have successfully updated from your current version to a specific later version empowers you to make informed decisions about the ease or difficulty of updating without breaking your build. For example, if a version boasts a 90% success rate among adopters, you can be confident that your update will likely go smoothly as well.

Package maintenance

Developers rely on the responsiveness of library maintainers to address vulnerabilities and ensure the ongoing security of their projects. An active, well-maintained package provides peace of mind, while an abandoned or deprecated one raises a red flag, signaling potential risks and the need for alternative solutions.

More information means better decision-making

Comprehensive package health information allows you to make informed decisions, reducing the risk of negative side effects in your applications—namely, creating new vulnerability risks or breaking an application’s usability. The more you know about a package, the better decisions you can make about it.

Just like a doctor needs a complete patient history to prescribe the right medication, developers need comprehensive information about a software package before updating it. Think of it this way: a new drug might promise to cure a disease, but what about the side effects? If a patient is already vulnerable, is it worth the risk when older, proven medications exist?

The same applies to software. While a later version might seem best, it could introduce bugs or break compatibility with existing code, disrupting users. It’s a delicate balance between innovation and stability—just like a doctor weighing the best treatment options for their patient.

Comprehensive package health information helps you make informed decisions, minimizing the risk of unintended consequences. Ultimately, the more you know about a package, the better equipped you are to make the right call.

Mend.io makes updates easier

Balancing security with application stability is crucial. Mend.io offers valuable package health data, sourced from its widely used dependency update tool Mend Renovate. This data helps developers make informed decisions about updating packages and mitigating vulnerabilities, enabling them to strike the balance between security and stability.

To update or not to update? That is the question—and one we can help you answer.

Cybersecurity Awareness Month: AI Safety for Friends and Family
https://www.mend.io/blog/cybersecurity-awareness-month-ai-safety-for-friends-and-family/ (Thu, 10 Oct 2024 17:19:28 +0000)

Happy October! The leaves are changing and everyone is starting to get ready for the upcoming holidays, but let’s not forget one of the most important holidays of the year—Cybersecurity Awareness Month! Though our audience is almost entirely cybersecurity experts, we wanted to put something together to help the less technical people in our lives learn more about AI and cybersecurity, because Cybersecurity Awareness Month is for everyone.

Fear of AI: A missed opportunity?

A long cultural history of sci-fi movies and books featuring all-powerful artificial intelligences that do not always have the best interests of humans at heart has scared many people away from using real-life AI technology in any form. Many at Mend.io believe this is a bad idea; workers and companies that shy away from utilizing AI miss out on the impressive capabilities AI tools provide and may be left behind. You may have already heard of large language models like ChatGPT, Claude, and Microsoft Copilot, as well as AI text-to-image programs like DALL-E and Stable Diffusion, and we think you should use them, but with a few security points in mind.

Just another tool (but a powerful one)

While AI might be more difficult to understand than other, traditional technologies, Maria Korlotian, Director of Development, points out that AI is merely a new tool and “not some mystical force beyond our control.” 

According to Maria, “Using AI isn’t fundamentally different from using any other everyday technology – it’s just more advanced. Think of it like a supercharged calculator. We don’t fear calculators because we understand their purpose and limitations. AI is similar, just with a broader scope of applications.”

“Right now, we’re in the early stages of widespread AI adoption, and that naturally causes fear and misunderstanding. But this is normal for any revolutionary technology. The key is to approach AI with curiosity, not fear. It’s hard to use a tool efficiently if you don’t know what to expect from it. We need to understand AI’s capabilities and limitations. As we become more familiar with AI, much of the current uncertainty will fade. It’s just another tool in our technological toolkit – incredibly powerful, yes, but still a tool designed to augment human capabilities, not replace them.”

Unpredictable (but worth the effort)

Others at Mend.io backed Maria on the values of AI. Bar-El Tayouri, Head of Mend AI, described AI as “much less predictable than traditional technology. Unlike regular code, which can be read and understood, an AI model consists of complex weights that make it difficult to predict its reactions and behavior. As a result, AI has much greater power and flexibility but requires careful regulation and guardrails to control its outputs.” Again, while AI might seem frightening to new users, the power and capabilities it brings to the table make it worth learning how to use.

Your brilliant (and potentially misunderstood) colleague

Rhys Arkins, VP Product Management, described AI as being similar to “a new, brilliant colleague with unlimited time to help you be successful, while at other times being the colleague most at risk of completely misunderstanding you.”

Yael Barnoy, General Counsel at Mend.io, agreed and called AI “revolutionary” because the uses for it “are unlimited and no prior knowledge is required to produce excellent content. Even children can speak to an AI model and write their own books complete with pictures by using currently available AI programs. Also, many AI programs are free and available to the general public.”

Tips for using AI safely

We asked our expert teammates what advice they would give to friends and family about using AI safely and compiled this list.

  1. Don’t overly rely on AI without understanding its outputs. While AI can provide impressive results, trusting its suggestions without comprehension can lead to errors or misuse. Always strive to understand the reasoning behind AI-generated content or recommendations.
  2. Check, double check, and triple check your results. When you use AI in your areas of expertise you see that the output isn’t always accurate. When you use AI for cases where you don’t have as much prior knowledge, it requires checking the facts with a reliable source. This is just like using a regular search engine – you will find some more reliable sources and less reliable sources. In addition, there are still some areas where many AI tools do not provide the required result but make up (“hallucinate”) results instead. Verify information before using it.
  3. Avoid using AI for critical decisions without human oversight. AI should complement human intelligence, not replace it entirely, especially in high-stakes situations.
  4. If you use AI to look clever internally, don’t hide it from others. You’ll still look clever for knowing how to use this tool effectively.
  5. Don’t assume AI is objective or infallible. AI systems can inherit biases from their training data or design. Be aware of potential biases and critically evaluate AI outputs.
  6. If you use it with any type of work material, use it only with an account your employer set up for you, unless you have explicit permission otherwise.
  7. Never input private customer information into AI unless you have explicit permission internally.

AI is an exciting new tool that will help us all reach new heights. As long as you keep these basic cybersecurity principles in mind, you will be able to achieve great things and maintain your safety while using AI. 

Share this blog with friends and family who you think could use some tips on using AI safely.
