Mend SAST: The Next Generation of Application Security
Today, we announced our entrance into the Static Application Security Testing (SAST) market. It’s a significant development for Mend, which has until now been solely focused on open source software security. In this post, I explain why we decided to make this move beyond open source into proprietary code security, and the value it will bring to developers, security teams, and their organizations.
Escalating risks demand a new approach to application security
Cybercriminals are always seeking new ways to attack and infiltrate organizations’ systems. In the last few years, attackers have turned their attention to the application layer, which has experienced an escalation in attacks, as Threatpost reported in June 2021. Such attacks are having a far larger and more serious impact than previously.
This is partly due to the success of existing cybersecurity and network security solutions, which have forced attackers to seek new and different vulnerabilities. It has become increasingly difficult for them to attack the network layer, so naturally they search elsewhere in the chain, at the application layer. Correspondingly, there has been a huge rise in application-based attacks relative to network-based attacks, even though the network layer was the primary target for the last 20 years or so.
As attackers shift to different targets, the security community must consistently rise to this challenge with innovations to thwart them.
Why SAST?
It’s common for large enterprises to own and operate multiple security products. In some cases, the number is more than 50. Sometimes a separate security tool may be justified, for example, when the functionality is highly specialized. But in the case of application security, neither security managers nor application developers should have to use different security products from different vendors, as is presently common practice.
Sometimes the fragmentation is downright silly. Take the example of an SQL injection vulnerability. It could be caused by a vulnerability in an open-source library or by a weakness in custom source code. Or both. Until recently, discovering these different root causes required different tools that don’t communicate with each other. If vulnerabilities were caused by both custom source code and open-source code, there was no sensible and straightforward way to know which posed the greater risk and therefore which remediation should be prioritized over the other. That’s frustrating when the resources needed to fix them are the same set of resources.
Our vision is to take what we’ve done successfully with software composition analysis (SCA) and apply our expertise to SAST so that users can discover and address all their risks in one solution, with no need for additional tools. It’s a new, more integrated approach to solving the application security problem, and it provides an easier, more efficient, and more effective user experience.
Mend’s unique value: Auto-remediation
For these reasons, enlarging the scope of our product to include custom code vulnerability detection and remediation made sense to us, as well as to the customers on our advisory panel. Our next question was: What other value can we bring?
Traditionally, SAST products have been designed for compliance purposes: running a static analysis test to find vulnerabilities allowed an organization to tick a box. But the market has evolved. Enterprises today are much more interested in reducing their software risk than they were in the past. This new requirement demands a fresh approach — one that includes taking corrective action, rather than just reporting on vulnerabilities.
At Mend, we believe that vulnerability detection by itself creates little value. It’s really just half the job. That is why over the past five years we have worked to build the best auto-remediation in the world for open source software. And it is why we now intend to build the best auto-remediation in the world for custom source code security weaknesses.
I believe our market opportunity is huge. Automated remediation is what Mend is best known for. This capability allows developers to save huge amounts of time, and therefore allows organizations to develop applications faster and more securely. Our intention now is to be the first security vendor to develop a next-generation application security platform that doesn’t just find custom code vulnerabilities but remediates them.
Mend’s value: shift-left
Another long-standing philosophy at Mend has been to shift security testing “left” in the software development lifecycle (SDLC). Many studies have shown the advantages of early testing and early remediation, and so this is how we have designed our software composition analysis product. Going forward, we intend to implement this philosophy with our new SAST product. Currently, Mend SAST shifts left by integrating with build systems, repositories, and CI/CD pipelines. Automated triggers are fast and easy to set up. And since our scan engine is so fast (10 times faster than traditional SAST products), your engineers will get results in minutes or less.
Building the next generation of SAST
At Mend, the development of our SAST platform has been a journey to build a complete solution that includes everything you need to secure your application. This involved a “buy and build” approach.
While Mend has some of the best application security engineers in the world, we recognized the value of also looking outside the company for exceptional technologies. As mentioned in our press release today, we have acquired two companies’ technologies for inclusion in Mend SAST. Xanitizer provides our customers with an amazingly accurate scanning engine for Java and JavaScript, and DefenseCode provides our customers with an extremely fast scanning engine along with wide-ranging support for multiple development languages. Together with our proprietary technology, our customers will have an application security solution that combines fast scanning with extreme accuracy, all in one platform that offers the full “detect, prioritize and fix” value chain.
The future of SAST and its impact on the security ecosystem
Our new SAST technology is a big step forward for the industry and for users alike. It signifies an important change in the way application security is implemented and the value it delivers.
We’re leading the development of the next generation of application security. I anticipate that, three or four years from now, your application security system will run automatically and completely unobtrusively. You’ll know it’s there, but you won’t be bothered by it. You won’t really care what it’s doing. It will catch and fix the vulnerabilities on its own, making sure that your software is safe and secure. And that’s our aspiration: to provide automated remediation so effective that we’ll make your application security invisible.