
Apiiro Adds Integrated Software Supply Chain Security To Its Platform | Moti Gindi


Guest: Moti Gindi (LinkedIn)
Company: Apiiro (Twitter)
Show: Newsroom

An organization’s software supply chain is not only about its open-source vulnerabilities and risks but also about the way it manages its code. The CI/CD pipelines, the contents of artifact repositories, and all the elements in the background that help build, deploy, and manage the code are possible points of attack and sources of risk.

Apiiro, a cloud-based application security platform, has added new capabilities “to help identify, prioritize, remediate and protect from supply chain risks that arise from the way we build, deploy and manage code,” said Chief Product Officer Moti Gindi in the latest episode of TFiR: Newsroom. Gindi shares the details of a new set of capabilities added to the platform to provide software supply chain security.

What’s new:

  • Apiiro is a cloud-based application security platform that helps application security owners, developers, and engineering owners to manage their security posture around software development and understand how their code is being built.
  • The company recently announced that they’re adding a new set of capabilities to help identify, prioritize, remediate, and protect from supply chain risks.
  • This integrated software supply chain security (SSCS) is added to its application security posture management (ASPM) to natively provide source control manager (SCM) and CI/CD pipeline visibility, risk assessment, toxic combination detection, and governance.

On software supply chains:

  • A large percentage of the code that is being developed today is based on open source. People are getting it from the outside and incorporating it into their own code. They know that finding vulnerabilities and understanding the risks with this code are part of implementing secure development.
  • However, your software supply chain is not just about your open-source vulnerabilities and risks. It is also about the way you manage your code. The CI/CD pipelines, the artifact repositories that hold your containers, and all the elements in the background that help you build, deploy, and manage the code are points of attack and sources of risk.
  • You need to not only look at the proprietary code that you developed and the open-source code that you inherited, but also the entire end-to-end way in which this code is being managed, developed, and deployed.
  • This includes being able to detect and protect against misaligned developer behavior and malicious insider activity.

On application security posture management (ASPM):

  • There is an increase in attacks by malicious insiders or attackers that are somehow controlling the way that your code is being built.
  • Regulations from the Cybersecurity and Infrastructure Security Agency (CISA), Center for Internet Security (CIS), and National Institute of Standards and Technology (NIST) look at the same problem from different angles and put more and more liability and responsibility on companies to ensure not only that the software has no vulnerabilities, but also that the way it is built is safe and controlled.
  • Regulations are a very effective way to push companies to do things that are otherwise hard to invest in, i.e., understanding your supply chain and securing it.

On the participation of public/private sector and stakeholders on supply chain security:

  • Owning the security of an application is a combination of the applicative code owners (the ones writing the code) and the suppliers (the ones supplying the secure components).
  • Per CISA in the United States, and Gindi believes this is the right direction, final responsibility for the security of the application, including its components, its supply chain, and the processes that built it, rests with the one that provided the application.
  • The company (board/CEO level) needs to proactively attest that they have the right processes, the right tools, and the outcome of providing secure software. It puts a high bar on all of Apiiro’s customers, but it’s the right way to push quality or security upstream.

This summary was written by Camille Gregory.