Cycode has launched its software composition analysis (SCA) solution and the expansion of its platform to add static application security testing (SAST) and container scanning.
Cycode’s platform makes AppSec tools better through its Knowledge Graph, which provides context of the software development lifecycle (SDLC) to improve accuracy and reduce mean-time-to-remediation (MTTR).
Cycode’s capabilities have moved beyond existing solutions in terms of breadth and depth, while also providing net new capabilities, like Pipeline Composition Analysis to identify many different types of vulnerable dependencies across the entire SDLC (not just in source code), where vulnerable dependencies are deployed and whether or not they are exploitable.
Cycode’s core technology is a graph database called the Knowledge Graph. The Knowledge Graph structures and correlates data from the tools and phases of the SDLC. By first seeking to understand customers’ SDLCs, the Knowledge Graph delivers the context security tools need.
Furthermore, the Knowledge Graph also ingests data from every AppSec tool built into the platform to better understand risk and coordinate responses to threats. Not only do SCA, SAST and container scanning benefit from the Knowledge Graph, but their additions also improve Cycode’s platform because they contribute new data into the Knowledge Graph, which increases the effectiveness of every other tool in the platform.
“At its core, the software supply chain security problem is a result of the deficiencies in traditional AppSec tools,” remarked Lior Levy, CEO of Cycode. “There are many ways to attack software supply chains because the attack surface is varied and vulnerable to so many different types of threats. Traditional AppSec tooling only looks at narrow segments of an SDLC individually. AppSec lacks the equivalent of a central nervous system– something to collect, interpret and respond to the security information across the entire SDLC.”
Securing all the ways software supply chains can be breached requires coordination across a broad set of AppSec tools. Cycode’s eight AppSec tools identify vulnerabilities and harden software delivery pipelines.
Cycode’s SCA, SAST, Infrastructure as Code scanning and container scanning identify vulnerabilities in custom code, open source components, containers, Infrastructure as Code and other pipeline components. At the same time, Cycode hardens software delivery pipelines with tools to centrally manage governance and security policy across development tools, identify code leaks, hardcoded secrets, misconfigurations and code tampering.
“The value of Cycode’s Knowledge Graph really shines in the current macroeconomic environment when many CISOs are being asked to do more with less,” commented Justinian Fortenberry, CISO of Zip Co Limited. “Not only does Cycode significantly reduce AppSec tool costs through consolidation, but Cycode’s Knowledge Graph helps coordinate each tool on the platform to reduce risk in unique ways such as identifying when leaked code contains secrets like API keys or passwords.”
As software supply chain attacks have increased in frequency, SCA has been a focal point of many organizations’ AppSec responses. Yet, SCA is too narrow in scope to solve software supply chain attacks, as evidenced by the continued frequency of software supply chain breaches. Legacy SCA only looks for vulnerabilities in source code dependencies, an attack vector that makes up less than 10% of the total software supply chain attack surface.
In contrast, Cycode’s next-gen SCA identifies vulnerabilities in dependencies and other security issues across the entire software delivery pipeline, not just source code. Cycode calls this Pipeline Composition Analysis. In addition to identifying which dependencies are vulnerable, Pipeline Composition Analysis also understands where dependencies are deployed and whether or not they are exploitable.
In addition to source code dependencies, Cycode’s Pipeline Composition Analysis also secures:
- Build modules such as GitHub Actions or GitLab Runners
- Build modules’ dependencies (e.g., open source libraries introduced by GitHub Actions)
- SDLC tools (e.g., GitHub, Jenkins, CircleCI, JFrog, etc.) as well as their versions, configurations, and security controls
- Plugins and extensions to SDLC tools (e.g., vulnerable Jenkins plug-ins or CircleCI orbs)
- Infrastructure as Code (IaC) template configurations and dependencies introduced by IaC files
Cycode’s Pipeline Composition Analysis surpasses SCA capabilities in a number of other ways including prioritization and remediation. For example, legacy SCA solutions can only identify the lines of code where vulnerabilities exist in source code, while Cycode can also pinpoint where vulnerable dependencies are deployed in test and production environments. Without Pipeline Composition Analysis, definitively removing all instances of vulnerable libraries like Log4J from production is an error prone and time-consuming manual process that hinders rapid remediation efforts.
“Cycode’s deep understanding of our entire deployment pipeline, combined with their integrated SCA capabilities, means Cycode alerts on both vulnerable dependencies and where they are deployed,” said Zack Padilla, Lead Cybersecurity Engineer of Kyriba.
Cycode’s Pipeline Composition Analysis also yields insights on what components facilitate a vulnerability or security issue, how pipeline components relate to each other and if they are present in runtime environments. This capability makes it possible for Cycode to prioritize remediation efforts based on which issues are exploitable in production.
“The value of Cycode is in our platform,” said Dor Atias, VP of Engineering and co-founder of Cycode. “The platform is designed to make AppSec tools better, but also to make developing new tools easier and faster. This gives Cycode customers the best of both worlds: a portfolio of best-in-class point solutions that is always expanding and the operational efficiency of consolidating tools on the same Knowledge Graph-powered platform.”
Cycode is showcasing these new software supply chain capabilities at this year’s Black Hat USA 2022.