Cookies Notice

This site uses cookies to deliver services and to analyze traffic.

Ok, Got it

Go back

Apiiro Unveils Open Source Software Toolkit to Combat Dependency Confusion Attacks

TEL AVIV and NEW YORKNov. 9, 2021 — Apiiro, the leader in Application Risk Management, today announced the release of the Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks. The Dependency Combobulator allows organizations to safeguard against this newly uncovered type of risk, which has been on the rise this year as a key vector in supply chain attacks targeting dependencies within software packages. This new solution is a critical element in Apiiro’s multidimensional approach to securing the Software Development Lifecycle to prevent both direct and supply chain attacks.

Dependency confusion compromises the open source software (OSS) ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.

Apiiro’s Dependency Combobulator enables a flexible approach to analyze and automate release workflows that can be evaluated against different sources such as GitHub Packages and can be extended to consider additional registries such as JFrog Artifactory. Unlike existing solutions, Apiiro’s Dependency Combobulator, aimed to be used by the AppSec practitioner, is a python-based toolkit that supports both the npm and maven package management schemes out-of-the-box, as well as enabling easy extension into other package management systems. It provides improved extensibility that enables organizations to quickly adapt to new types of dependency attacks.

The toolkit uses a heuristic engine that works on an abstract package model, providing easy extensibility that enables additional insights on individual packages. This depth and flexibility leads to improved decision-making by Application Security practitioners and penetration testers.

The Dependency Combobulator is pluggable and can be baked into an enterprise’s application security program and release cycle in an automated way. It can be plugged into several interaction junctions within an enterprise software development lifecycle, providing actionable insights to fit multiple use-cases, and expandable to support additional ones as dependency attacks evolve.

“In the wake of security researcher Alex Birsan’s move to compromise ecosystems maintained by Apple, Microsoft and PayPal earlier this year, the industry experienced an outbreak of similar supply chain attacks,” said Moshe Zioni, VP of Security Research at Apiiro. “We were eager to respond by creating a toolkit that can mitigate similar threats and be flexible and extensible enough to combat future waves of dependency confusion attacks. Addressing this attack vector is essential for organizations to successfully secure their software supply chains.”

To learn more, join Moshe Zioni, virtually or in-person at Black Hat Europe 2021, where he will discuss and demo the Dependency Combobulator during several speaking sessions, taking place throughout November 10th and 11th.

About Apiiro
Apiiro is the industry’s first Code Risk Platform™ to provide Application Risk Management with every change, from design to code to cloud. Apiiro is re-inventing the secure development lifecycle for Agile and cloud-native development and gives organizations a 360° view of security and compliance risks across applications, infrastructure, developers’ knowledge, and business impact. Apiiro is backed by Greylock and Kleiner

Kelly Hall
Offleash PR for Apiiro