Apiiro, the application risk management provider, announced the release of the Dependency Combobulator, a modular and extensible open source toolkit for detecting and preventing dependency confusion attacks.
The Dependency Combobulator allows organisations to safeguard against this newly uncovered type of risk, which has been on the rise this year as a key vector in supply chain attacks targeting the dependencies of software packages. The company said the new solution is a critical element in its approach to securing the software development lifecycle against both direct and supply chain attacks.
Dependency confusion compromises the open source software (OSS) ecosystem by tricking end users, developers and automation systems into installing a malicious dependency in place of the one they intended to install, resulting in the compromise of their software.
Apiiro’s Dependency Combobulator enables a flexible approach to analysing and automating release workflows: dependencies can be evaluated against different sources such as GitHub Packages, and the tool can be extended to consider additional registries such as JFrog Artifactory. Unlike existing solutions, Apiiro’s Dependency Combobulator, aimed at the AppSec practitioner, is a Python-based toolkit that supports both the npm and Maven package management schemes out of the box and can easily be extended to other package management systems. Its extensibility lets organisations adapt quickly to new types of dependency attacks.
The toolkit uses a heuristic engine that works on an abstract package model, so additional insights on individual packages can be added easily. This depth and flexibility lead to better decision-making by application security practitioners and penetration testers.
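As an added illustration of a heuristic engine over an abstract package model (example code written for this page, not Apiiro's toolkit or its API), the following Python runs three dependency-confusion heuristics against constructed private and public registry snapshots for npm and Maven names. The registry contents, version numbers and the "acme" naming prefix are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Package:
    """Ecosystem-agnostic view of one declared dependency (abstract package model)."""
    name: str
    ecosystem: str            # "npm" or "maven"
    flags: list = field(default_factory=list)

# Constructed snapshots, not real registries: what the organisation publishes
# privately, and what a public registry answers for the same names.
INTERNAL = {"npm": {"acme-auth-lib": "1.4.0", "acme-billing": "2.0.1"},
            "maven": {"com.acme:payments": "3.1.0"}}
PUBLIC = {"npm": {"acme-auth-lib": "99.0.0", "lodash": "4.17.21"},
          "maven": {"com.acme:payments": "3.1.0"}}
INTERNAL_PREFIXES = ("acme-", "com.acme:")   # assumed internal naming convention

def vtuple(version):
    """Compare dotted versions numerically, so '99.0.0' > '9.1.0'."""
    return tuple(int(part) for part in version.split("."))

def shadowed_publicly(pkg, internal, public):
    """An internal name that also exists publicly is a confusion candidate."""
    return pkg.name in internal and pkg.name in public

def public_version_wins(pkg, internal, public):
    """The public copy outranks the private one; naive resolvers pick the higher."""
    return (shadowed_publicly(pkg, internal, public)
            and vtuple(public[pkg.name]) > vtuple(internal[pkg.name]))

def unclaimed_internal_name(pkg, internal, public):
    """Looks internal by prefix but is published nowhere: a squattable name."""
    return (pkg.name.startswith(INTERNAL_PREFIXES)
            and pkg.name not in internal and pkg.name not in public)

HEURISTICS = {"shadowed-publicly": shadowed_publicly,
              "public-version-wins": public_version_wins,
              "unclaimed-internal-name": unclaimed_internal_name}

def evaluate(pkg, internal=INTERNAL, public=PUBLIC):
    """Run every heuristic for the package's ecosystem; return the flags that fired."""
    reg_in, reg_pub = internal[pkg.ecosystem], public[pkg.ecosystem]
    pkg.flags = [name for name, fn in HEURISTICS.items() if fn(pkg, reg_in, reg_pub)]
    return pkg.flags

def scan(packages):
    """Map each package name to its flags, keeping only packages that raised one."""
    results = {pkg.name: evaluate(pkg) for pkg in packages}
    return {name: flags for name, flags in results.items() if flags}
```

Adding a new heuristic is one function plus one entry in HEURISTICS; a real deployment would replace the inline snapshots with registry queries.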
The Dependency Combobulator is pluggable and can be baked into an enterprise’s application security program and release cycle in an automated way. It can be plugged into several interaction points within an enterprise software development lifecycle, providing actionable insights for multiple use cases, and can be expanded to support additional ones as dependency attacks evolve.