Aqua
Security announced it added pipeline integrity scanning to prevent software supply
chain attacks and assure CI/CD pipeline integrity. Powered by eBPF technology,
Aqua's pipeline integrity scanner detects and blocks suspicious behavior and
malware in real time, preventing code tampering and countering threats in the
software build process. This industry-first solution equips organizations to
feel confident in their ability to strategically stop the most aggressive software
supply chain threats that produce massive attack surfaces.
With the rise of software
supply chain attacks, and a constantly changing threat landscape, organizations
are now being held accountable for incorporating security best practices
throughout their software development lifecycles. Software integrity validation,
one of these best practices, is mentioned as one of the key requirements in
major industry frameworks for supply chain security including SLSA, NIST Secure Software Development Framework and the CIS
Software Supply Chain Benchmark.
"SolarWinds demonstrated the
catastrophic effects of compromising the integrity of the software build
process and the critical need to continuously validate software integrity,"
said Amir Jerbi, CTO of Aqua Security. "Our new pipeline integrity scanner
solves one of the industry's most urgent needs to ensure the integrity of the
modern development process and prevent this type of destructive software supply
chain attack."
Aqua's pipeline integrity
scanner detects suspicious behavior or malware that characterizes a supply
chain attack. The capability also takes advantage of behavioral signatures
produced by the Aqua Nautilus research team to detect zero-day threats based on cloud
native attacks seen in the wild.
After connecting to the build
pipeline, pipeline integrity scanning allows developers to:
- Monitor the build pipeline and define a baseline for how
the build operates. Teams can understand
how their build pipeline runs and what is typical network activity, file access
patterns and process activity in known good environments.
- Detect any drifts from the baseline. Once the baseline is established, the scanner can detect
any drift from this state and alert teams on anything unusual and anomalous
(including unexpected file modification, establishing communication with a
suspicious URL, usage of a dropped malicious executable) to guarantee the
integrity of the build process.
- Minimize attack vectors. Close security gaps in CI/CD pipelines by continuously scanning for
pipeline drift. This allows teams to prevent the tampering of code in the
earliest stages of the software build process and maintain dev tool integrity.
- Set up assurance policies. To scale safe development practices and ensure software
integrity, assurance policies can be implemented to block completion of new
builds that show signs of suspicious activity. This gives developers the
ability to react in the development process where it is easier to fix.
"This is the first solution of
its kind," adds Jerbi. "Other software supply chain security tools only focus
on code scanning or static analysis of build artifacts, such as a software bill
of materials or SBOM. These are important but have proven insufficient to
detect and stop supply chain attacks of this type."
Powered by eBPF Technology
Aqua's pipeline integrity
scanner leverages Tracee, the company's robust open source runtime security and
forensics sensor for Linux. Thanks to its lightweight capabilities, eBPF
technology can provide visibility into the build's runtime and detect threats
in real time with minimal disruption. By detecting and stopping drift of the
original build through eBPF-based scanning and policies, teams can protect
their software from unauthorized access and prevent advanced supply chain
attacks.
Aqua is the first to introduce
this dynamic capability that complements its existing shift-left capabilities
including code scanning, CI/CD posture management, and next-gen SBOM to provide
customers with the most comprehensive protection on the market.
Pipeline integrity scanning is
part of its Software
Supply Chain Security solution that
secures code, all development infrastructure, and pipeline processes so that
organizations can build and ship innovation faster and more securely.
Delivered by the Aqua Cloud Security Platform, a cloud native application
protection platform (CNAPP), it improves operational efficiency by connecting
cloud to dev and tracing runtime risks to the code and developer who can fix
them.