Despite the maturity of the AppSec landscape and the array of tools available in the market, security teams continue to struggle with maintaining holistic visibility into their application security posture. One of the areas that needs to be addressed is software supply chain security (SSCS). An expert in that field, Moti Gindi, Chief Product Officer at Apiiro, sat down with VMblog to discuss the challenge in more detail.
VMblog: By connecting supply chain security risks with other application risks, Apiiro is now making it possible to identify toxic combinations that could be devastating to a business. Can you explain more about this new offering and provide a couple of examples of toxic combinations?
Moti Gindi: That's correct. Software supply chain security is a growing concern for organizations, and there are various tools on the market trying to address specific risks like pipeline misconfigurations, weak branch protection rules, or open source vulnerabilities. Where Apiiro can add unique value is by connecting separate supply chain security risks and application security risks that, when combined, present highly business-critical risks. These "toxic combinations" are what attackers seek out in the wild to gain unauthorized access to business-critical systems or sensitive data. An example of such a toxic combination could be an exposed secret in a branch that allows force push in an application that has PII data and is deployed to an internet-facing environment.
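The toxic-combination idea above (isolated findings that only become critical when they co-occur) can be expressed as a rule over an inventory of branches and the applications they belong to. The following is an added illustration written for this page, not Apiiro's code or any product API; the signal names, the two combination rules and the inventory records are all constructed for the example. It generalizes the single case in the answer to any named set of co-occurring signals.

```python
from dataclasses import dataclass

# Constructed inventory records. In a real deployment these would be
# populated from an SCM / CI integration; here they are hand-built.
@dataclass(frozen=True)
class Branch:
    repo: str
    name: str
    allows_force_push: bool
    requires_review: bool
    exposed_secrets: int  # number of hard-coded secret findings on the branch

@dataclass(frozen=True)
class Application:
    repo: str
    handles_pii: bool
    internet_facing: bool

# Individual risk signals: boolean predicates over a branch and its application.
# These names are assumptions made for this example.
SIGNALS = {
    "exposed_secret":     lambda b, a: b.exposed_secrets > 0,
    "force_push_allowed": lambda b, a: b.allows_force_push,
    "no_required_review": lambda b, a: not b.requires_review,
    "handles_pii":        lambda b, a: a.handles_pii,
    "internet_facing":    lambda b, a: a.internet_facing,
}

# A toxic combination is a named set of signals that must ALL be present,
# plus the severity assigned when they are. Rules are constructed for the example.
TOXIC_COMBINATIONS = {
    "secret_in_mutable_branch_of_exposed_pii_app": (
        {"exposed_secret", "force_push_allowed", "handles_pii", "internet_facing"},
        "critical",
    ),
    "unreviewed_changes_to_exposed_app": (
        {"no_required_review", "internet_facing"},
        "high",
    ),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def active_signals(branch, app):
    """Return the set of signal names that fire for this branch/application pair."""
    return {name for name, pred in SIGNALS.items() if pred(branch, app)}


def evaluate(branches, apps):
    """Match every branch against every combination rule.

    Returns (repo, branch, combination, severity) tuples, most severe first.
    A branch whose application is unknown cannot be assessed and is skipped.
    """
    app_by_repo = {a.repo: a for a in apps}
    findings = []
    for b in branches:
        app = app_by_repo.get(b.repo)
        if app is None:
            continue
        present = active_signals(b, app)
        for combo, (required, severity) in TOXIC_COMBINATIONS.items():
            if required <= present:  # every required signal is active
                findings.append((b.repo, b.name, combo, severity))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[3]])
    return findings


# Constructed sample inventory.
SAMPLE_APPS = [
    Application("payments-api", handles_pii=True, internet_facing=True),
    Application("internal-tool", handles_pii=False, internet_facing=False),
]
SAMPLE_BRANCHES = [
    Branch("payments-api", "main", allows_force_push=True, requires_review=True, exposed_secrets=1),
    Branch("payments-api", "feature/x", allows_force_push=True, requires_review=False, exposed_secrets=0),
    # Same raw findings (secret + force push) but no PII and not exposed: no toxic combination.
    Branch("internal-tool", "main", allows_force_push=True, requires_review=False, exposed_secrets=2),
]

if __name__ == "__main__":
    for repo, branch, combo, severity in evaluate(SAMPLE_BRANCHES, SAMPLE_APPS):
        print(f"[{severity}] {repo}@{branch}: {combo}")
```

Note that `internal-tool@main` carries the same two raw findings as `payments-api@main` (an exposed secret and force push allowed) yet produces no toxic-combination finding, which is the prioritization point the answer makes: the application context, not the raw finding, decides the severity.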
VMblog: Software Supply Chain Security (SSCS) has been one of the most talked-about topics within cybersecurity over the past year. With more solutions coming to market to address these concerns around safely delivering software, can we expect supply chain issues to decrease in 2024?
Gindi: The reality is that developers' reliance on third-party components isn't going to change; if anything, the level of complexity of the interconnected systems and software components used in modern applications will increase. At the same time, hackers will continue their quest to compromise weak links in that widening software supply chain attack surface. As these attacks become more sophisticated, especially as we step into the world of generative AI, the vendor landscape will also become more mature, helping security teams implement multidimensional approaches to securing their software supply chains in 2024.
VMblog: Let's get into the weeds of Apiiro SSCS. How exactly does it work?
What makes it unique?
Gindi: Rather than a stand-alone solution, Apiiro's SSCS is actually a
native extension of our ASPM platform. That integrated approach gives our
customers one unified, contextual view of risk across application and software
supply chain components, as well as a single control plane for automation and
governance across the development lifecycle. Our new release focuses on
source and build integrity, providing built-in source control manager (SCM) and
CI/CD pipeline visibility, risk detection and assessment, and governance.
So with a simple read-only SCM integration, and now with deeper
connections to your pipelines, we're able to:
- Build a rich, continuous inventory of pipelines, repositories, and contributors, including insights around activity, permissions, and connections.
- Detect SCM and pipeline risks, like weak branch protection rules and permissions, pipeline misconfigurations, and pipeline dependency vulnerabilities.
- Uncover toxic combinations across application and software supply chain components.
- Prioritize these risks based on the likelihood and impact in the context of your entire application risk landscape.
- Accelerate remediation by tying software supply chain risks to their root cause in code and code owners.
- Assess and enforce software supply chain governance policies with workflow triggers for SSCS risks like abnormal commit activity, and pipeline config file changes.
In addition to providing a single solution for both AppSec and
SSCS, Apiiro's SSCS also benefits from our deep code analysis and runtime
context, enabling prioritization that siloed tools can't provide. Ultimately,
prioritization is the key to optimizing security programs, empowering teams to
focus on what matters and spend less time triaging backlogs.
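The last bullet in the answer mentions workflow triggers for abnormal commit activity and pipeline config file changes. The following added example, written for this page and not taken from Apiiro's product, shows what two such policy triggers look like when run over a commit log: one fires when a non-owner touches a pipeline definition, the other when an author's daily commit volume jumps well above their own baseline. The commit records, the pipeline-file patterns, the owner list and the thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from fnmatch import fnmatch

# Assumed patterns for pipeline definition files (constructed for this example).
PIPELINE_CONFIG_GLOBS = (
    ".github/workflows/*.yml",
    ".github/workflows/*.yaml",
    ".gitlab-ci.yml",
    "Jenkinsfile",
    "azure-pipelines.yml",
)

# Assumed CODEOWNERS-style set of people allowed to change pipeline files.
PIPELINE_OWNERS = {"alice"}


def is_pipeline_config(path):
    """True if the path matches one of the assumed pipeline definition patterns."""
    return any(fnmatch(path, glob) for glob in PIPELINE_CONFIG_GLOBS)


def pipeline_change_triggers(commits):
    """Policy 1: a pipeline config file changed by someone who is not a pipeline owner."""
    triggers = []
    for c in commits:
        touched = [p for p in c["files"] if is_pipeline_config(p)]
        if touched and c["author"] not in PIPELINE_OWNERS:
            triggers.append(("pipeline_config_change_by_non_owner", c["sha"], c["author"], touched))
    return triggers


def abnormal_activity_triggers(commits, ratio=3.0, min_commits=5):
    """Policy 2: an author's commits on one day exceed `ratio` times their median daily count.

    `min_commits` prevents low-volume contributors from tripping the rule on a
    day with, say, three commits against a baseline of one. Thresholds are
    constructed for the example and would be tuned per organization.
    """
    per_author_day = defaultdict(Counter)
    for c in commits:
        day = c["ts"][:10]  # ISO-8601 timestamp, date part only
        per_author_day[c["author"]][day] += 1

    triggers = []
    for author, days in per_author_day.items():
        counts = sorted(days.values())
        baseline = counts[len(counts) // 2]  # median daily commit count
        for day, n in sorted(days.items()):
            if n >= min_commits and n > ratio * baseline:
                triggers.append(("abnormal_commit_volume", author, day, n, baseline))
    return triggers


def evaluate_policies(commits):
    """Run both policies and return all triggered workflow events."""
    return pipeline_change_triggers(commits) + abnormal_activity_triggers(commits)


# Constructed commit log: alice (an owner) edits a workflow; bob commits about
# once a day for four days, then lands six commits in one day, one of which
# edits a workflow file.
def _c(sha, author, ts, files):
    return {"sha": sha, "author": author, "ts": ts, "files": files}

COMMITS = [
    _c("c001", "alice", "2024-01-08T09:12:00Z", [".github/workflows/build.yml"]),
    _c("c002", "bob", "2024-01-08T10:00:00Z", ["src/app.py"]),
    _c("c003", "bob", "2024-01-09T10:00:00Z", ["src/app.py"]),
    _c("c004", "bob", "2024-01-10T10:00:00Z", ["src/util.py"]),
    _c("c005", "bob", "2024-01-11T10:00:00Z", ["tests/test_app.py"]),
] + [
    _c(f"c{6 + i:03d}", "bob", f"2024-01-12T{8 + i:02d}:00:00Z", ["src/app.py"])
    for i in range(5)
] + [
    _c("c011", "bob", "2024-01-12T14:00:00Z", [".github/workflows/deploy.yml", "src/app.py"]),
]

if __name__ == "__main__":
    for event in evaluate_policies(COMMITS):
        print(event)
```

Each returned tuple is the payload a workflow trigger would carry (which policy fired, on what, and the evidence), so the same function can feed a ticket, a chat notification, or a block on the pipeline run depending on the governance policy in force.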
VMblog: What role do you see GenAI playing in application security? Every
domain of business is being impacted, but what makes security unique is the
sensitivity of the data. Should engineers be reluctant to hand the keys over to
AI?
Gindi: Like many people who work in cybersecurity, I approach the topic
of GenAI from both sides. We must embrace its potential productivity and
innovation gains. But at the same time, there are very serious privacy, legal,
and security concerns that we've barely started to understand the full scope
of.
Because of our proximity to code, development processes, and
AppSec teams, we have been uniquely exposed to some of those concerns and are
working closely with customers to understand how to address them in the short
and long term. We are actually working on new platform capabilities that I'm
excited to speak more about soon, but at the highest level, I think
organizations need to start developing policies around GenAI usage now. We
believe conversations around GenAI usage need to be tightly aligned with application
and software supply chain security initiatives, guided by a strong definition
and understanding of business risk, and driven by a collective drive for
innovation.