Orca Security announced new
application security capabilities
that unify security, DevOps and development teams to enable a full
lifecycle approach to securing cloud native applications. New
capabilities that include Static Application Security Testing (SAST),
open-source license detection, and remediation actions driven by
artificial intelligence (AI), introduce a revolutionary approach to
cloud security by connecting development risk and production more
closely than ever before.
The Orca Cloud Security Platform
provides comprehensive security and compliance checks across the full
software development lifecycle, offering code security that includes
software composition analysis (SCA), secrets detection, infrastructure
as code (IaC) security, and container image scanning. In addition, Orca
traces findings from the production environment back to the original
application development artifacts, ensuring security teams can partner
with development and DevOps teams to fix risks quickly.
"There's a symbiotic relationship between securing production and
building secure applications that Orca is intently focused on supporting
and nurturing. With these new capabilities we've found, and seized, the
opportunity for organizations to prevent security issues in production
by both shifting left and generating code to fix issues already found in
production," said Gil Geron, CEO and Co-Founder of Orca Security.
"Changing the way we develop applications to improve security will
eliminate risk in the cloud and create tremendous opportunity ahead
for Orca and our customers."
Orca's comprehensive code security scanning is fortified with an
extensive suite of built-in and customizable security policies that
detect issues and block risky builds from proceeding. It prevents
vulnerabilities, misconfigurations, and other risks from ever reaching
production, reducing cloud alerts and saving teams from the most
time-consuming remediations.
The new AppSec features of the Orca Cloud Security Platform include:
- Static Application Security Testing (SAST). A majority (62%) of organizations have severe vulnerabilities in their code repositories, according to research from Orca's 2024 State of Cloud Security Report.
Addressing vulnerabilities early in the Software Development Lifecycle
(SDLC) is a critical component of mitigating these risks. With a fully
integrated SAST solution, Orca scans custom code against a comprehensive
set of security policies to detect and remediate vulnerabilities in
first-party codebases. These policies set guardrails for developers,
enforcing secure coding practices by blocking risky builds and notifying
developers of issues.
- Open-Source License Detection. The majority of commercial
codebases consist of open-source software (OSS) components because they
boost productivity and streamline workflows. But they also expose
organizations to unknown risks like licensing requirements. Orca's
AppSec solution ensures users can address issues before projects reach
production and also enables them to easily search for licenses in
runtime across all assets and installed packages. It provides full
visibility into each license, its classification, and all relevant
metadata, helping organizations identify potential violations, avoid
substantial legal risks, and support compliance efforts.
- AI-Driven Remediation for Code. Patching a misconfiguration in
runtime can allow the same risk to surface in future deployments. Yet
fixing issues at their source can prove challenging in complex and
fast-moving cloud-native environments. Orca's AI-Driven Remediation
makes this process fast and seamless with one-click pull requests (PRs)
directly from the Orca Platform. Teams can now identify
misconfigurations and other risks, fix them at the source, and commit
secure changes without friction. Simplifying and accelerating effective
code attribution and remediation across the application lifecycle
dramatically improves cloud and application security. And through native
integration with GitHub, GitLab, and Azure DevOps, users can seamlessly
leverage one-click PRs for their preferred source code management (SCM)
platform.