Virtualization Technology News and Information
VMblog Expert Interview: Moti Gindi of Apiiro Explores Software Supply Chain Security (SSCS)

Despite the maturity of the AppSec landscape and the array of tools available in the market, security teams continue to struggle with maintaining holistic visibility into their application security posture.  One of the areas that needs to be addressed is software supply chain security (SSCS).  An expert in that field, Moti Gindi, Chief Product Officer at Apiiro, sat down with VMblog to discuss the challenge in more detail.

VMblog:  By connecting supply chain security risks with other application risks, Apiiro is now making it possible to identify toxic combinations that could be devastating to a business. Can you explain more about this new offering and provide a couple of examples of toxic combinations?

Moti Gindi:  That's correct. Software supply chain security is a growing concern for organizations, and there are various tools on the market trying to address specific risks like pipeline misconfigurations, weak branch protection rules, or open source vulnerabilities. Where Apiiro can add unique value is by connecting separate supply chain security risks and application security risks that, when combined, present highly business-critical risks. These 'toxic combinations' are what attackers seek out in the wild to gain unauthorized access to business-critical systems or sensitive data. An example of such a toxic combination could be an exposed secret in a branch that allows force push in an application that has PII data and is deployed to an internet-facing environment.

VMblog:  Software Supply Chain Security (SSCS) has been one of the most talked about topics within cybersecurity over the past year. With more solutions coming to market to address these concerns around safely delivering software, can we expect supply chain issues to decrease in 2024?

Gindi:  The reality is that developers' reliance on third-party components isn't going to change. If anything, the level of complexity of the interconnected systems and software components used in modern applications will increase. At the same time, hackers will continue their quest to compromise weak links in that widening software supply chain attack surface. As these attacks become more sophisticated, especially as we step into the world of generative AI, the vendor landscape will also become more mature, helping security teams implement multidimensional approaches to securing their software supply chains in 2024.

VMblog:  Let's get into the weeds of Apiiro SSCS. How exactly does it work? What makes it unique? 

Gindi:  Rather than a stand-alone solution, Apiiro's SSCS is actually a native extension of our ASPM platform. That integrated approach gives our customers one unified, contextual view of risk across application and software supply chain components, as well as a single control plane for automation and governance across the development lifecycle.  Our new release focuses on source and build integrity, providing built-in source control manager (SCM) and CI/CD pipeline visibility, risk detection and assessment, and governance.  

So with a simple read-only SCM integration, and now with deeper connections to your pipelines, we're able to: 
  1. Build a rich, continuous inventory of pipelines, repositories, and contributors, including insights around activity, permissions, and connections.
  2. Detect SCM and pipeline risks, like weak branch protection rules and permissions, pipeline misconfigurations, and pipeline dependency vulnerabilities.
  3. Uncover toxic combinations across application and software supply chain components.
  4. Prioritize these risks based on the likelihood and impact in the context of your entire application risk landscape.
  5. Accelerate remediation by tying software supply chain risks to their root cause in code and code owners.  
  6. Assess and enforce software supply chain governance policies with workflow triggers for SSCS risks like abnormal commit activity and pipeline config file changes.

In addition to providing a single solution for both AppSec and SSCS, Apiiro's SSCS also benefits from our deep code analysis and runtime context, enabling prioritization that siloed tools can't provide. Ultimately, prioritization is the key to optimizing security programs, empowering teams to focus on what matters and spend less time triaging backlogs.
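The toxic combination Gindi describes in the first answer (an exposed secret, on a branch that allows force push, in a PII-handling, internet-facing application) and the detect-then-prioritize steps in the list above amount to a correlation rule: an individual SCM weakness is a backlog item, but a likelihood factor co-occurring with an impact factor on the same branch is what gets escalated. The following is an added example written for this page, not Apiiro's code or any API of its platform. The `BranchRecord` layout, the rule weights, and the sample inventory are all constructed assumptions standing in for what an SCM/CI inventory would actually collect.

```python
"""Toxic-combination detection over a constructed SCM/application inventory.

Added example; not Apiiro's code. The record layout, rule weights and
sample data below are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class BranchRecord:
    repo: str
    branch: str
    allow_force_push: bool   # branch protection lets history be rewritten
    required_reviews: int    # approvals required before merge (0 = none)
    exposed_secrets: int     # hard-coded credentials found on the branch
    handles_pii: bool        # code paths touch personal data
    internet_facing: bool    # deployed to a public-facing environment


Rule = Tuple[str, Callable[[BranchRecord], bool], int]

# Likelihood factors: how easily an attacker can abuse the branch.
# Impact factors: what they reach if they do. Weights are assumed values.
LIKELIHOOD_RULES: List[Rule] = [
    ("exposed secret", lambda r: r.exposed_secrets > 0, 3),
    ("force push allowed", lambda r: r.allow_force_push, 2),
    ("no required reviews", lambda r: r.required_reviews == 0, 2),
]
IMPACT_RULES: List[Rule] = [
    ("handles PII", lambda r: r.handles_pii, 3),
    ("internet-facing", lambda r: r.internet_facing, 2),
]


@dataclass
class Finding:
    repo: str
    branch: str
    factors: List[str]
    score: int


def evaluate(record: BranchRecord) -> Optional[Finding]:
    """Return a Finding only when likelihood and impact factors co-occur.

    An isolated weakness (e.g. force push allowed on an internal repo with
    no sensitive data) yields None: it belongs in the backlog, not the
    escalation queue.
    """
    likelihood = [(name, w) for name, pred, w in LIKELIHOOD_RULES if pred(record)]
    impact = [(name, w) for name, pred, w in IMPACT_RULES if pred(record)]
    if not likelihood or not impact:
        return None
    # Score = (ease of abuse) x (blast radius); product, not sum, so that
    # a weak control on a low-value asset never outranks a real combination.
    score = sum(w for _, w in likelihood) * sum(w for _, w in impact)
    factors = [name for name, _ in likelihood] + [name for name, _ in impact]
    return Finding(record.repo, record.branch, factors, score)


def find_toxic_combinations(inventory: List[BranchRecord]) -> List[Finding]:
    """Evaluate every branch and return findings ordered highest risk first."""
    findings = [f for f in map(evaluate, inventory) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample inventory (not real repositories).
SAMPLE_INVENTORY = [
    BranchRecord("payments-api", "main", allow_force_push=True, required_reviews=0,
                 exposed_secrets=1, handles_pii=True, internet_facing=True),
    BranchRecord("internal-docs", "main", allow_force_push=True, required_reviews=0,
                 exposed_secrets=0, handles_pii=False, internet_facing=False),
    BranchRecord("customer-portal", "release", allow_force_push=False, required_reviews=2,
                 exposed_secrets=1, handles_pii=True, internet_facing=True),
]


if __name__ == "__main__":
    for f in find_toxic_combinations(SAMPLE_INVENTORY):
        print(f"{f.score:>3}  {f.repo}:{f.branch}  {', '.join(f.factors)}")
```

Run as-is, the sample ranks `payments-api:main` (score 35) above `customer-portal:release` (score 15), while `internal-docs:main` produces no finding at all despite having the weakest branch protection of the three, which is the prioritization behaviour the interview is describing. In a real deployment the `BranchRecord` fields would be populated from the SCM's branch-protection settings, a secrets scanner, and data-classification and deployment metadata rather than hand-written.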

VMblog:  What role do you see GenAI playing in application security? Every domain of business is being impacted, but what makes security unique is the sensitivity of the data. Should engineers be reluctant to hand the keys over to AI?

Gindi:  Like many people who work in cybersecurity, I approach the topic of GenAI from both sides. We must embrace its potential productivity and innovation gains. But at the same time, there are very serious privacy, legal, and security concerns that we've barely started to understand the full scope of.

Because of our proximity to code, development processes, and AppSec teams, we have been uniquely exposed to some of those concerns and are working closely with customers to understand how to address them in the short and long term. We are actually working on new platform capabilities that I'm excited to speak more about soon, but at the highest level, I think organizations need to start developing policies around GenAI usage now. We believe conversations around GenAI usage need to be tightly aligned with application and software supply chain security initiatives, guided by a strong definition and understanding of business risk, and driven by a collective drive for innovation.

Published Wednesday, December 06, 2023 8:01 AM by David Marshall