Apiiro announced the addition of integrated software supply chain security (SSCS) to its platform. Apiiro's application security posture management (ASPM) platform is now extended to natively provide source code management (SCM) and CI/CD pipeline visibility, risk detection and assessment, and governance.
Apiiro's connected, holistic approach to software supply chain security also enables the detection of chained risks, known as toxic combinations, across application and software supply chain components, and unifies context across code, developer behavior, AppSec findings, and supply chain posture.
"We believe software supply chain security is a core component of ASPM and that the key to protecting modern applications is to provide end-to-end integrity across software, processes, and tools from code to runtime," said Moti Gindi, Chief Product Officer at Apiiro. "Taking this connected approach enables our platform to bridge gaps left by siloed security testing tools and enables application security teams to more efficiently secure their development and delivery to the cloud."
With the addition of SSCS, Apiiro enables application security teams to more efficiently secure their applications and software supply chains in a single, end-to-end solution with:
- Complete Supply Chain Visibility: Provides continuous visibility into all
source code management (SCM) repositories and CI/CD pipelines, including
shadow pipelines, as part of Apiiro's eXtended software bill of materials (XBOM). Insights include their configurations,
connected plugins, dependencies, associated risks, and how they change
over time.
- Supply Chain Risk Assessment: Detects and assesses CI/CD and SCM risks such as
missing or weak branch protection rules, abnormal commit behavior, risky
admin or developer permissions, and weakly configured pipelines, all
contextualized based on application and business risk and following CIS
and SLSA best practices.
- Toxic Combinations Detection: Connects supply chain security risks with other
application security risks that, when combined, may form business-critical
"toxic combinations" that attackers seek out to gain unauthorized access to
business-critical systems or sensitive data. One example of such a toxic
combination is a valid, exposed secret found in a branch that allows force
pushes, within an application that handles PII and is deployed to an
internet-facing environment.
- Risk-Based Remediation and Prevention: Enables policies and automation workflows to trigger
remediations, processes such as agile threat models or penetration tests,
and developer guardrails such as commenting on a pull/merge request or
blocking a build. With Apiiro's risk-based approach, AppSec teams can
fine-tune the action based on the level of business risk to avoid
surfacing noisy false positives or low-impact findings.
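The toxic-combination idea in the list above can be made concrete as a small rule engine. The following is an added example written for this page, not Apiiro's code: it derives findings from branch protection settings and secret-scan results, then combines them with application context (PII handling, internet exposure) so that the same exposed secret rates "critical" in one repository and only "high" in another. The repository names, secrets and context flags are constructed sample data; the branch-protection dicts follow a subset of the field names of GitHub's branch protection REST API, which is an assumption about the data shape, not a claim about Apiiro's inputs.

```python
"""Toxic-combination detection over SCM posture data (added example)."""
from dataclasses import dataclass

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample data. The protection dicts mimic a subset of the fields
# returned by GitHub's branch protection REST API (assumption about shape);
# repository names, secrets and context flags are invented for this example.
BRANCH_PROTECTION = {
    "payments-api": {
        "allow_force_pushes": {"enabled": True},
        "required_pull_request_reviews": None,
        "required_status_checks": None,
    },
    "internal-dashboard": {
        "allow_force_pushes": {"enabled": False},
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    },
    "batch-jobs": None,  # no protection rule configured on the default branch
}
SECRET_FINDINGS = {
    "payments-api": ["AWS access key in config/prod.env"],
    "internal-dashboard": ["Slack webhook URL in scripts/notify.sh"],
    "batch-jobs": [],
}
APP_CONTEXT = {
    "payments-api": {"handles_pii": True, "internet_facing": True},
    "internal-dashboard": {"handles_pii": False, "internet_facing": False},
    "batch-jobs": {"handles_pii": True, "internet_facing": False},
}

# Severity of each finding when it stands alone, before any chaining.
STANDALONE_SEVERITY = {
    "branch_unprotected": "medium",
    "force_push_allowed": "medium",
    "no_required_reviews": "medium",
    "no_status_checks": "low",
    "exposed_secret": "high",
}


@dataclass(frozen=True)
class ToxicCombination:
    name: str
    findings: frozenset  # every listed finding must be present
    context: frozenset   # every listed context flag must be true
    severity: str        # severity assigned when the combination matches


# First rule is the combination described in the text; the second escalates a
# completely unprotected branch when the application handles PII.
RULES = [
    ToxicCombination(
        "secret_in_force_pushable_branch_of_exposed_pii_app",
        frozenset({"exposed_secret", "force_push_allowed"}),
        frozenset({"handles_pii", "internet_facing"}),
        "critical",
    ),
    ToxicCombination(
        "unprotected_branch_of_pii_app",
        frozenset({"branch_unprotected"}),
        frozenset({"handles_pii"}),
        "high",
    ),
]


def branch_findings(protection):
    """Map a branch protection object (or None) to finding identifiers."""
    if protection is None:
        # No rule at all: force pushes and unreviewed merges are both possible.
        return {"branch_unprotected", "force_push_allowed",
                "no_required_reviews", "no_status_checks"}
    found = set()
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        found.add("force_push_allowed")
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        found.add("no_required_reviews")
    if not protection.get("required_status_checks"):
        found.add("no_status_checks")
    return found


def assess(repo):
    """Chain findings with application context and return the assessment."""
    findings = branch_findings(BRANCH_PROTECTION[repo])
    if SECRET_FINDINGS[repo]:
        findings.add("exposed_secret")
    context = {flag for flag, on in APP_CONTEXT[repo].items() if on}
    matched = [r for r in RULES
               if r.findings <= findings and r.context <= context]
    severities = [STANDALONE_SEVERITY[f] for f in findings]
    severities += [r.severity for r in matched]
    severity = max(severities, key=SEVERITY_ORDER.index, default="low")
    return {"repo": repo, "findings": sorted(findings),
            "toxic_combinations": [r.name for r in matched],
            "severity": severity}


if __name__ == "__main__":
    for name in BRANCH_PROTECTION:
        print(assess(name))
```

Running it shows the point of chaining: "internal-dashboard" carries an exposed secret but has a protected branch and no sensitive context, so it stays at the secret's standalone "high"; "payments-api" has the same class of finding on a force-pushable branch of an internet-facing PII application and is escalated to "critical"; "batch-jobs" has no secret at all, yet its unprotected branch on a PII application is raised above the "medium" the findings would rate alone.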
"Since introducing Apiiro's Software Supply Chain Security at Paddle, we have been able to ensure pipelines are set up securely and have improved insights into the configuration of our source control repositories, a capability not provided by traditional AppSec tools," said Colin Barr, Senior Engineering Manager of Application Security at Paddle. "This heightened visibility, coupled with Apiiro's risk-based prioritization and policy engine, instills confidence in our capability to continually measure supply chain risk and assess against best practice moving forward."