Introducing Mend Supply Chain Defender Integration with JFrog Artifactory


When it comes to understanding the difference between open source software vulnerabilities and malicious threats, it’s helpful to think in terms of passive vs. active threats. 

Vulnerabilities can be attacked and exploited, but in a vacuum they don’t pose a threat. Malicious threats are different: they involve a threat actor actively planning to attack you. This means that security teams must worry not only about vulnerable open source packages but also about malicious open source packages, which are increasing faster than the rate of vulnerable packages.

Malicious open source packages are a growing threat, especially in JavaScript, the most commonly used programming language worldwide. In fact, Mend Supply Chain Defender has discovered and blocked more than 4,000 malicious JavaScript packages on npm in the last six months. 

That’s why we’ve made it easier for large enterprises to centralize deployment of Mend Supply Chain Defender via integration with JFrog Artifactory. This allows enterprise customers using JFrog Artifactory as a private repository manager to prevent malicious open source software from entering their code base.

The value of integration

There are a few reasons why this not only improves application security but also makes developers’ lives easier.

  1. One deployment for all. Instead of individual developers installing Mend Supply Chain Defender as a plug-in to their package manager, our new integration with JFrog Artifactory needs to be installed only once to ensure that all projects that involve JavaScript or Ruby are protected from malicious code.
  2. Automated protection. If any developer tries to download a malicious package, Mend Supply Chain Defender blocks the download before it has a chance to enter the code base and do damage.
  3. Centralized policy enforcement and auditing. Using a single installation of Mend’s Application Security Platform, enterprises can protect all projects involving JavaScript or Ruby with a centralized policy enforcement and auditing point. All results are displayed for open source and custom code in a custom or third-party code repository for a single view inside the developers’ native environment. 
  4. A popular integration point. JFrog Artifactory is used by more than 50 percent of large enterprises, making it one of the most popular private repository managers in the world. That makes it easy to integrate Mend Supply Chain Defender into a lot of development environments. 

Learn more about how Mend Supply Chain Defender blocks software supply chain attacks.
