Checkmarx this week extended the scope of its ability to protect software supply chains with tools that assess how secure a repository is and find where application secrets have been shared in a way that is not secure.
Ori Bendet, vice president of product management for Checkmarx, said the Repository Health and Secrets Detection tools are now part of a Checkmarx One platform that already provides software composition analysis (SCA) tools to scan for malicious code in software packages, containers and artificial intelligence (AI) models.
The need to assess the level of security attained by a repository has become a more pressing concern because cybercriminals have become more adept at impersonating legitimate contributors to the software development project, said Bendet. The Repository Health tool makes it possible to, for example, determine whether multifactor authentication (MFA) is being used to verify the identity of contributors.
The Secrets Detection tool, meanwhile, makes it possible to discover application secrets that might have been, for example, shared as plain text via a messaging platform, added Bendet. The challenge that DevSecOps teams regularly encounter is that these secrets can wind up being inadvertently stored anywhere as members of a development team collaborate to build an application, he noted.
Checkmarx One is based on a platform that the company gained with the acquisition of Dustico in 2021. Since then, Checkmarx has been steadily extending the capabilities of that core platform to provide a more holistic approach to software supply chain security based on the Supply-chain Levels for Software Artifacts (SLSA) framework, said Bendet. Checkmarx is the only provider of a security platform that implements that framework in its entirety, he added.
In general, Checkmarx provides a multi-tier approach to assessing threats. The first tier is based on a scan that is then augmented using machine learning algorithms and other forms of artificial intelligence (AI) to assess code. Checkmarx security researchers then review findings to verify the nature of the threat, noted Bendet.
There is no doubt that software supply chain security has become a major concern. A Checkmarx survey recently found that 63% of respondents work for organizations that have been the victim of an attack on their software supply chain in the past two years.
It’s not clear how aggressively organizations are moving to secure software supply chains in the wake of some infamous breaches, but a Techstrong Research survey finds less than half (47%) of respondents work for organizations that regularly employ best DevSecOps practices. However, 54% of respondents regularly practice code scanning for vulnerabilities during development, while 40% conduct security testing. A full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. At the same time, 64% of respondents are investing in a code scanning tool, with 24% describing those investments as high.
Ultimately, as regulations continue to become more stringent it’s more a question of when and to what degree organizations will improve software supply chain security.
The days when organizations were not held accountable for vulnerabilities in their code that cybercriminals found a way to exploit are all but over. The issue now is finding the best way to ensure code is secure without unduly slowing down the pace at which modern applications are being developed.