Lacework unifies code and cloud security

Lacework announced its release of code security, which provides Lacework customers full visibility throughout the complete application development lifecycle.

Lacework code security helps prevent security issues from getting into the wild by identifying them before code is deployed, and helps prioritize and fix issues faster, wherever they are found in the application lifecycle.

Lacework has always believed that achieving the best security outcomes, with speed, requires continuous visibility and context, including knowing where every software package is running, and the ability to capture and correlate data across the application lifecycle. This approach empowers security teams to be more efficient, eliminates the toil of stitching together data and findings from different sources, and it helps to consolidate onto fewer tools that deliver higher value.

“This is a milestone moment as we unveil our data-driven approach to code security, purpose-built to complement the greater Lacework platform” said Jay Parikh, CEO, Lacework. “Our deep investment into the technology that powers the Lacework platform allows us to provide customers with much more than code security insights. Lacework is able to combine various sources of data to help provide deep security insights that span from code to cloud.”

Lacework Software Composition Analysis and Static Application Security Testing

Lacework is introducing two forms of static program analysis – one (SCA) targeted at third-party code in customers’ repositories, and the other (SAST) targeted at first-party code.

The SCA capabilities developed by Lacework give customers continuous visibility into third-party software libraries and associated vulnerabilities, including direct and indirect dependencies. The unique approach taken by Lacework goes beyond basic SCA functionality and gives teams continuous visibility into exactly where vulnerable functions are used in the code, how often each is referenced, who was responsible for bringing it in, and who owns fixing the code.

Customers gain an always-up-to date SBOMs for every application and continual visibility into their software supply chain, as well as an understanding of open-source license risk.

For the first time, with SCA as part of the Lacework platform, customers have visibility of a vulnerable package’s full lifecycle, tracking its usage in the source code to its activity within any cloud-native workload. The active vulnerability detection is accomplished using an extension of the Lacework runtime agent known as Code Aware Agent (CAA).

Previously, Lacework announced Active Vulnerability Detection (AVD) for host packages, and today the company has added AVD support for containers, meaning customers can now identify runtime package activity across broad surfaces of cloud workloads.

“When we developed CAA we did so with the aim of connecting to static analysis,” said Peter O’Hearn, Director of Engineering, Lacework. “There is a huge unexplored potential in combining static and runtime analysis, with previously-unrealized value that we are now beginning to tap into.”

The combination of AVD and SCA illustrates the benefit of a platform approach to cloud security. If a package is known to be active, then updating it might be prioritized over packages that have not been found to be active and perhaps never will be. Conversely, if a package is inactive it might be considered a candidate for removal, thus reducing the attack surface. AVD furnishes the runtime insight, and SCA the source code information that can lead to faster resolution.

“With Lacework code security, we will achieve a new level of maturity and empower our teams to innovate faster,” said John Sinteur, Security Architect at Mendix. “This comprehensive visibility into third party code will help us to demonstrate to our customers that their low code apps and our platform are free from third party vulnerabilities. Along with these capabilities, the Lacework agent helps us prioritize vulnerabilities in terms of risk by tracking package activity.”

Lacework SAST complements SCA to provide comprehensive code security capabilities to help organizations understand how first-party code could be exploited. Lacework SAST takes in-house code and identifies source-code weaknesses that an attacker could exploit to bypass security controls, run malicious commands, or exfiltrate sensitive data. From that analysis, the tool provides customers with an automated and intuitive secure code review that’s easily actionable by both entry-level and senior security analysts.

Lacework SAST gives application security engineers visibility into complex vulnerabilities within their most exposed internet-facing applications. Lacework provides an in-depth model of each application and tracks the path of untrusted data to weed out zero-days that could result in dangerous exploits like SQL injection. Application security teams can scale to meet the demands of much larger development teams with a fast analyzer that can assess millions of lines of code in minutes.

Traditional SAST tools are notorious for noisy results with a large number of false positives. What is less often emphasized, but even more crucial to security posture, are false negatives (missed bugs). Lacework SAST uses a sophisticated set of techniques to analyze call chains and control paths of an application.

This analysis learns when a developer has added compensating controls to mitigate risk, and Lacework’s highly-configurable engine allows security engineers to easily customize and add rules to meet the specific needs of their unique codebase. Lacework SAST analysis is both precise and fast: it has low false positives and negatives.

The code security capabilities Lacework announced today build on its previous investment in infrastructure as code (IaC) security and further deliver on the company’s vision for a data-driven platform that covers the entire application lifecycle. A single platform spanning from code all the way to production gives security teams unmatched visibility, paves the way for further tool consolidation, all while enabling faster innovation and better security outcomes.