Apiiro introduced Code-to-Runtime, a new, innovative capability
using Apiiro's deep code analysis (DCA) technology to map software architecture
and trace all types of software components including APIs, open source software
(OSS), and containers to code owners while enriching it with business impact.
Code-to-Runtime is seamless and agentless, requiring only API-based integration
to Source Code Management (SCM) and runtime environments without the need for
manual tagging, labeling, or other methods. With deeper insight into software
architecture, users can now deliver actionable insights to the right developer,
making risk prioritization, remediation, and prevention more efficient.
Application security (AppSec) and software
development teams allocate valuable time and resources to tracing issues raised
by runtime scanners back to the software development and/or DevOps owners.
While automated methods can be implemented in an attempt to streamline this
process, developers and/or DevOps still need to manually add tags and labels to
CI/CD pipelines or use specific naming conventions to identify how code is
being deployed. This process requires ongoing education and the addition of automation
flows to ensure the chosen method is effectively at use, reducing cost and
risks.
With autonomous Code-to-Runtime mapping, Apiiro
automatically performs a deep code analysis on code repositories to identify
all types of code components including APIs, OSS dependencies, code modules,
DataModels, and more. In addition, it analyzes container images and identifies
similarities with no setup or intervention required. With Code-to-Runtime,
customers can now:
- Streamline
risk prioritization and remediation: Prioritize risks detected at the
development phase with runtime context and remediate risks detected in
runtime with enriched code context. Apiiro provides insight into where
code components or toxic combinations of risky code components are
deployed using agentless, API-based integrations in customer Kubernetes
clusters or CSPM vendors to identify internet exposure. This connection
enriches runtime risks with code context including the code owner and
locations within code where the vulnerability needs to be addressed to
enable successful remediation. This provides AppSec engineers and software
developers with the deepest insights into software architecture and full
exposure paths including related pipelines that build and deploy the code
repository or code module.
- Reduce
friction between AppSec, GRC, and development teams: AppSec solutions on
the market today don't have a deep enough understanding of software
architectures from code-to-runtime that enables developers to effectively
deliver software to production. Apiiro's deep code analysis (DCA) combined with
its Risk Graph engine implements guardrail at
the design, development, and delivery phases, eliminating time developers
are blocked by silo application security tools or other ASPM platforms by
85%.
- Reduce
alert fatigue:
Correlate and group different versions of the same container image to
create a single risk for a vulnerability detected in multiple versions.
Apiiro also correlates between the container risk and the code risk found
by software composition analysis (SCA) scanners.
- Gain
single pane of glass into Artifact inventories: Achieve complete
visibility into complex software architecture with a single, risk-based
pane of glass view. Apiiro deduplicates Artifact inventories by pulling
information from security tools running in continuous integration,
registries, and deployed containers. Information is then correlated with
deployment insights from Kubernetes clusters and/or CSPMs to deduplicate
and enrich with relevant code context.
"Apiiro is committed to enabling autonomous
security across the entire software development lifecycle, and true
code-to-runtime matching goes beyond containers and cloud environments," said
Moti Gindi, chief product officer at Apiiro. "Our platform understands that not
every code component is relevant to what's running in production and not every
runtime component is relevant to the codebase or person responsible for it.
Code-to-Runtime delivers the level of precision required to gather meaningful
insights and prevent the influx of false positives that plague other solutions
on the market. As evidenced by our partnership with Akamai earlier this year,
we're delivering a holistic approach, matching APIs in code to API endpoints in
runtime. This not only enhances overall application security, it enables teams
to focus on the most critical issues to foster a more secure and efficient
development lifecycle."
"Apiiro's code-level API inventory and security
seamlessly complement Akamai's runtime API security, creating an end-to-end
approach that spans from development to production," said Patrick Sullivan,
chief technology officer, security at Akamai. "With Apiiro's code-to-runtime
matching, we can connect runtime API risks directly back to the code and its
owners, allowing us to streamline remediation and reduce Mean Time to Remediate
(MTTR). This collaboration gives us a comprehensive view of our API landscape and
ensures we focus on critical risks, maximizing efficiency and security and
reducing costs across the entire lifecycle of our applications."
"Apiiro's new code-to-runtime matching
feature brings critical runtime risks into direct context with the code itself,
offering valuable insights on where vulnerabilities may need attention and who
should address them," said James Brierley, senior security researcher at
GEOTAB. "This approach is a game-changer for prioritization, showing if a
vulnerability exists in code actively used in production-allowing us to focus
on the most pressing risks first. By integrating deep code-based matching,
we're poised to streamline our process and save resources by connecting runtime
issues directly to the right teams."