Data Theorem launched Supply Chain Secure, the industry's first attack surface management (ASM) product to address software supply chain security threats across the full application stack of APIs, cloud services, SDKs, and open source software. Data Theorem identifies third-party vulnerabilities across the application software stack with continuous runtime analysis and dynamic inventory discovery, going beyond traditional static source code analysis and the processing of software bills of materials (SBOMs).
High-profile security breaches such as SolarWinds, Kaseya, and Apache Log4j demonstrated the widespread damage that enterprise supply chains can suffer when third-party APIs, cloud services, SDKs, and open-source software have security flaws that allow attackers to infiltrate systems, launch malicious attacks, and extract sensitive data. These headline-making incidents expose the coverage gaps in traditional static code analysis tools and the lack of security insight in most vendor management programs.
According to Gartner, "Seventy-two percent of business professionals expect their third-party networks to expand moderately or significantly in the next three years." Gartner in another report stated that, "By 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chain, a three-fold increase from 2021."
Current software supply chain security approaches have focused on either vendor management or software composition analysis (SCA). However, both approaches often lack source code access for mobile, web, cloud, and commercial-off-the-shelf (COTS) software, as well as for third-party API services, and neither can perform continuous runtime security monitoring. With Data Theorem's Supply Chain Secure product, organizations gain a full-stack attack surface management (ASM) solution that delivers continuous third-party application asset discovery and dynamic tracking of third-party vendors. The new supply chain product can automatically categorize assets under known vendors, allow customers to add new vendors, curate individual assets under any vendor, and alert on increases in policy violations and on high embed rates of third-party vendors within key applications. These automated capabilities allow vendor management teams to remediate supply chain security problems faster and more easily.
The Apache Log4j vulnerability highlighted how difficult dynamic asset discovery across first-party and third-party software is for every organization building and deploying software. Log4Shell exploitation, which impacted over 3 billion devices globally, illustrated the widespread risk that a single exploitable flaw in the software supply chain can create. It also showed how important an accurate software bill of materials (SBOM) is to reducing third-party supply chain risk. Data Theorem's Supply Chain Secure product ingests SBOM files from vendors, and its Analyzer Engine can dynamically generate SBOM inventories from the applications themselves. Comparing the delta between what has been documented as third-party software and what the running application actually contains is an essential part of any attack surface management effort to understand the real-world exposure to third-party software vulnerabilities.
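As an added illustration of the SBOM-versus-runtime delta described above (example code written for this page, not Data Theorem's product or Analyzer Engine; the SBOM content, the runtime inventory and the function names are constructed), the snippet below parses a minimal CycloneDX-style SBOM and reports components the runtime loaded but the vendor never documented, components documented but never observed, and version drift between the two:

```python
import json

# Constructed, minimal CycloneDX-style SBOM as a vendor might supply it (hypothetical content).
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
        {"type": "library", "group": "org.apache.commons", "name": "commons-text", "version": "1.10.0"},
    ],
})

# Constructed runtime inventory: (group, name, version) triples as a scan of the
# running application's loaded JARs might report them.
RUNTIME_INVENTORY = [
    ("org.apache.logging.log4j", "log4j-core", "2.14.1"),          # older than the documented version
    ("com.fasterxml.jackson.core", "jackson-databind", "2.13.4"),  # matches the SBOM
    ("com.google.code.gson", "gson", "2.8.9"),                     # never documented by the vendor
]


def parse_sbom(sbom_json):
    """Map (group, name) -> version for every component in a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return {(c.get("group", ""), c["name"]): c.get("version", "") for c in bom.get("components", [])}


def sbom_delta(documented, observed):
    """Compare documented components with what the runtime actually loaded.

    Returns the components that are undocumented, the documented ones that were
    never observed, and (key, documented_version, observed_version) for drift.
    """
    seen = {(group, name): version for group, name, version in observed}
    undocumented = sorted(key for key in seen if key not in documented)
    not_observed = sorted(key for key in documented if key not in seen)
    version_drift = sorted(
        (key, documented[key], seen[key])
        for key in seen if key in documented and seen[key] != documented[key]
    )
    return {"undocumented": undocumented, "not_observed": not_observed, "version_drift": version_drift}


if __name__ == "__main__":
    for kind, items in sbom_delta(parse_sbom(VENDOR_SBOM), RUNTIME_INVENTORY).items():
        print(kind, items)
```

Each undocumented component and each version drift is a gap the vendor's SBOM would have hidden, which is exactly the exposure a runtime comparison is meant to surface.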
According to a Gartner report, "Software bills of materials (SBOMs) improve the visibility, transparency, security and integrity of proprietary and open-source code in software supply chains. To realize these benefits, software engineering leaders should integrate SBOMs throughout the software delivery life cycle." The report further states, "By 2025, 60 percent of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20 percent in 2022." Gartner also mentions that, "SBOMs are an essential tool in your security and compliance toolbox. They help continuously verify software integrity and alert stakeholders to security vulnerabilities and policy violations."
"While other software supply chain security approaches have emerged, no solution uses full-stack application runtime analysis and dynamic inventory discovery to support the challenges around vendor management," said Doug Dooley, Chief Operations Officer at Data Theorem. "Data Theorem's Analyzer Engine with attack surface management (ASM) enables organizations to conduct continuous, automated security inspection with application telemetry collection. This allows customers to have a better handle on the third-party software supply chain assets and exposures within their vendors, suppliers, and their own software stacks."
Data Theorem's broad AppSec portfolio protects organizations from data breaches with application security testing and protection for modern web frameworks, API-driven microservices, and cloud resources. Its solutions are powered by its award-winning Analyzer Engine, which leverages a new type of dynamic and runtime analysis that is fully integrated into the CI/CD process and enables organizations to conduct continuous, automated security inspection and remediation. Data Theorem is one of the first vendors to provide a full-stack application security analyzer that connects the attack surfaces of applications, starting at the client layers found in mobile and web, through the network layers found in APIs, to the infrastructure layers found in cloud services.
Availability and Pricing
Supply Chain Secure is available today directly from Data Theorem. Pricing starts at $15,000 USD annually.