Who should use it?

The toolkit can be used by security auditors, pentesters, and can even be baked into an enterprise's application security program and release cycle in an automated fashion.

​

What is a dependency confusion attack?

Dependency confusion compromises the open source software (OSS) ecosystem by tricking end users, developers, and automation systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.

 

Main Benefits

• Pluggable - interject on commit, build, or release steps in the SDLC

• Expandable - easily add your own package management scheme or code source of choice

• General-Purpose Heuristic Engine - an abstract package data model provides an agnostic heuristic approach

• Supports a wide range of technologies

• Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit

​

How does it work?

Apiiro’s Dependency Combobulator enables a holistic approach to analyze and automate release workflows that can be evaluated against different sources such as GitHub Packages and can be extended to consider additional registries such as JFrog Artifactory. Unlike existing solutions, Apiiro’s Dependency Combobulator, aimed to be used by the AppSec practitioner, is a python-based toolkit that supports both the npm and maven package management schemes out-of-the-box, as well as enabling easy extension into other package management systems. It provides improved extensibility that enables organizations to quickly adapt to new types of dependency attacks.