Dependency Combobulator: Open source toolkit to combat dependency confusion attacks (Security News, November 2021)
Apiiro released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks.
Dependency confusion compromises the open source software ecosystem by tricking end users, developers and automation systems into installing a malicious dependency in place of the one they intended to install, resulting in the compromise of their software.
Dependency Combobulator lets you analyze dependencies and automate release workflows, evaluating them against different sources such as GitHub Packages; it can be extended to consider additional registries such as JFrog Artifactory.
Dependency Combobulator is pluggable and can be baked into an enterprise's application security program and release cycle in an automated way.
It can be plugged into several interaction junctions within an enterprise software development lifecycle, providing actionable insights to fit multiple use-cases, and expandable to support additional ones as dependency attacks evolve.
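As an added illustration of the kind of check such a toolkit performs at a release-workflow junction (example code written for this page, not Apiiro's Dependency Combobulator and not its API), the script below scans a package manifest and its registry configuration and flags internal dependencies that would be resolved from the public registry, or that carry an unbounded version range. The scope `@acme`, the registry URL `https://npm.internal.example/`, the package names and both input files are constructed assumptions.

```python
"""Flag manifest dependencies exposed to dependency confusion.

Added example, not part of the original article or of Dependency Combobulator.
Assumed (hypothetical): internal packages are published under the npm scope
"@acme" to an internal registry; the manifest and .npmrc below are constructed.
"""
import json

INTERNAL_SCOPE = "@acme"                              # assumed internal scope
INTERNAL_REGISTRY = "https://npm.internal.example/"   # assumed internal registry

# Constructed sample package.json (names are fictitious).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "billing-service",
    "dependencies": {
        "lodash": "^4.17.21",            # public package, out of scope for this check
        "acme-auth-client": "^2.0.0",    # internal name that is not scoped
        "@acme/logging": "*",            # scoped, but accepts any version
        "@acme/metrics": "1.4.2",        # scoped and pinned
        "@other/widget": "^1.0.0",       # third-party scoped package
    },
})

# Constructed sample .npmrc: default registry is public, only @acme is redirected.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Names known to exist only on the internal registry (in practice taken from its index).
KNOWN_INTERNAL_NAMES = {"acme-auth-client", "@acme/logging", "@acme/metrics"}


def parse_npmrc(text):
    """Return {scope or '*': registry_url} from key=value lines of an .npmrc."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            mapping["*"] = value
        elif key.endswith(":registry"):
            mapping[key[: -len(":registry")]] = value
    return mapping


def registry_for(name, registries):
    """Registry a package name resolves from: its scope's entry, else the default."""
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    return registries.get(scope, registries.get("*"))


def is_unbounded(spec):
    """True for ranges with no upper bound, which always accept the newest version."""
    spec = str(spec).strip()
    return spec in ("*", "latest", "x", "") or (spec.startswith(">") and "<" not in spec)


def find_confusion_risks(package_json_text, npmrc_text, known_internal):
    """Return [(name, reason)] for internal dependencies at risk of substitution."""
    manifest = json.loads(package_json_text)
    registries = parse_npmrc(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            is_internal = name in known_internal or name.startswith(INTERNAL_SCOPE + "/")
            if not is_internal:
                continue
            target = registry_for(name, registries)
            if target != INTERNAL_REGISTRY:
                findings.append((name, f"resolves from {target}, not the internal registry"))
            if is_unbounded(spec):
                findings.append((name, f"unbounded version range {spec!r} accepts whatever is newest"))
    return findings


if __name__ == "__main__":
    for name, reason in find_confusion_risks(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, KNOWN_INTERNAL_NAMES):
        print(f"{name}: {reason}")
```

Run against the constructed inputs it reports `acme-auth-client` (an unscoped internal name that falls through to the public registry) and `@acme/logging` (correctly routed, but with a range that accepts any version); a real deployment would feed it the private registry's package index and the repository's lockfile in place of the embedded samples.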
"We were eager to respond by creating a toolkit that can mitigate similar threats and be flexible and extensible enough to combat future waves of dependency confusion attacks. Addressing this attack vector is essential for organizations to successfully secure their software supply chains."
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/_Nlke2pTFog/