Software supply chain attacks have an enormous blast radius and affect multiple targets by compromising a single, shared resource. And these types of attacks are on the rise: Aqua research showed an increase of 300% year-over-year.
In the United States, the issue is of such great importance that the Biden Administration issued Executive Order 14028, which focuses on the security and integrity of the software supply chain and emphasizes the importance of secure software-development environments. The issue is a global concern, however, and protecting your organization from software supply chain attacks requires a dynamic, scalable, and ever-updating solution that acts holistically across the entire software development life cycle.
To that end, today marks a major milestone in the evolution of cloud native security. We’re announcing Aqua Software Supply Chain Security, the first and only full life cycle software supply chain security solution. Through every phase of the software development life cycle—from code, to build and test, to deploy, to runtime—developers, DevOps engineers, and security teams can now gain complete visibility into every artifact that’s used in their cloud native applications and can integrate security into the earliest phases of their development.
They can assess and monitor for risks stemming from open source code that’s introduced into their codebase. They can automatically verify the integrity of their build artifacts as they move through the CI/CD pipeline to ensure that only code that was intended makes it into production. They can monitor the security posture of the CI/CD tools themselves to ensure that security controls haven’t been circumvented. And for new vulnerabilities discovered once an application is in production, they can speed remediation by tracing from runtime all the way back to the line of code where an issue exists.
It’s a level of visibility and control across the entire software supply chain that, before now, simply didn’t exist.
This achievement realizes a vision that was set in motion last year with our acquisition of Argon Security. Argon’s laser focus on securing the software supply chain was a critical capability for Aqua to add to our Cloud Native Application Protection Platform (CNAPP), allowing customers to stop the most prolific attacks on cloud native applications in the software supply chain. Now that the two solutions are fully integrated, we’re unlocking the joint value of holistic protection for anyone who focuses on the security of cloud native applications. This one solution covers all critical software supply chain attack vectors: the introduction of malicious or vulnerable code, the manipulation of build pipelines to inject vulnerable dependencies or artifacts, and the compromise of tools used to build and deploy your application.
To make all of this possible, there are several innovative capabilities of Aqua Software Supply Chain Security to highlight.
Universal code scanning, powered by Aqua Trivy Premium
Your source code is your application's largest attack surface. It can be composed of millions of lines of code and a complex web of external dependencies, all of which must be vetted, on every change, for you to trust your code.
Enter Trivy, the most capable and most popular cloud native security scanner in use today—and an integral part of Aqua Software Supply Chain Security. In addition to scanning for vulnerabilities, Trivy scans for misconfigurations in infrastructure as code, open source licenses, secrets, and more. And Trivy Premium, the default scan engine for the Aqua Platform, extends Trivy Open Source with features that include malware detection and premium threat intelligence for more accurate scan results.
By using Trivy across the platform, you get consistent scan results from code, container images, and other build artifacts when scanned anywhere in the software development life cycle. The benefit of scanning for issues during the coding phase is that you can shift security even further left to identify vulnerabilities and other risks as code is introduced. That improves application security and lowers overall software-development cost significantly.
In-workflow alerts
To maintain developer productivity and increase the odds of an issue being resolved efficiently, Aqua maintains a tight feedback loop to alert developers and DevOps of issues in their existing workflows. For example, Aqua can write comments on pull requests in the SCM (Source Code Management) tool and enforce security gates in the CI tool when issues are discovered.
Open source health
Virtually all codebases contain at least one open source component, and open source comprises 70% of codebases overall. These open source packages are someone else's code and represent an unknown level of risk to your organization. Outdated open source, unfortunately, is common. One study indicated that 85% of codebases reviewed contained open source code that was more than four years out of date. Making matters worse, most of the time open source is blindly trusted, with little to no security review.
Aqua helps your developers take advantage of open source while protecting your organization from risky projects. It allows you to assess the potential risk of an open source project, as well as define and enforce your policy on what type and quality of open source projects can be introduced to your codebase.
Preventing risky open source code from making its way into your codebase is a great way to catch known and unknown vulnerabilities before they reach production and reduce your risk exposure to a software supply chain attack.
Next-gen software bills of materials
The process of creating software is complex and full of automation and dependencies. It has become extremely hard to understand what exactly has happened for a given release. But without knowing the full story of its creation, it’s nearly impossible to determine the software’s level of quality and security.
With Aqua, you can establish and maintain trust throughout the software development life cycle by generating software bills of materials and an entire security manifest for every artifact built.
The manifest details all packages and licenses used by the artifact, as well as the risk level for each one. It also maps the artifact’s trajectory from the source, through all the commits, build details, and final artifact properties. You can even view the security checks that the artifact went through, along with which ones passed and which ones failed.
Finally, the manifest can be used to validate the security posture of the development infrastructure and the configuration of tools used to create the artifact. You can then implement and maintain integrity gates using this information to ensure that code hasn’t been tampered with or modified as it moves through build pipelines.
Automated pipeline security
The build process is probably the most sensitive part of your software development life cycle. The steps for compiling a new version of your service are the last point in time to introduce new changes to your code. And they take place using a set of automation technologies that require little, if any, manual interaction. This makes it the hardest part of your supply chain to see clearly and to secure.
You can implement assurance policies with Aqua to automatically control what makes it through your pipelines. Ensure that each new artifact is scanned for issues and require signatures before it’s marked as compliant and allowed to proceed through to your next pipeline operation.
CI/CD posture management
When most people think of a software supply chain, they think about just the code. The reality is that bad actors will use any open door in your software supply chain, including the build tools themselves.
With Aqua Software Supply Chain Security, you can easily spot and fix dangerous misconfigurations of your DevOps tools. By using the configuration recommendations from Aqua with your SCM and CI/CD tools, you can establish a zero-trust DevOps environment to ensure that the development and delivery infrastructure isn’t the weakest link in your software supply chain.
Aqua enforces least-privilege access, so you can easily audit privileges across your software development life cycle and detect which users have access to code repositories, CI pipelines, or artifact registries. It also enables you implement separation of duties, along with other best practices and compliance frameworks to reduce security risks and meet your requirements.
Summary
Many organizations have no solution at all in place today to deal with software supply chain attacks. Others have stitched together multiple tools to meet their immediate needs. The software supply chain security field is relatively young and rapidly evolving. That’s why adopting a holistic solution like the Aqua Platform ensures that you’re protected today while remaining flexible as compliance requirements and attack techniques evolve.
Next steps
Get started reducing top risks today with a free limited assessment of your software supply chain security posture. Or get started with a free trial of the software-as-a-service (SaaS) based offering that integrates with your cloud-based DevOps tools with just a few clicks and includes an option for integrating with self-managed tools as well.
Together, we can help you secure your software supply chain and stop cloud native attacks from affecting your organization.
