Legit Security today added to its application security posture management (ASPM) platform a score that rates the level of software security an organization has attained.
Company CTO Liav Caspi said the scoring system will make it simpler for DevSecOps teams to prioritize remediation efforts based on the severity of the vulnerabilities that have been discovered, the importance of the application to the business and adherence to the policies that are supposed to be enforced.
The Legit Posture Score also incorporates application security best practices and requirements for specific regulations and frameworks, such as the Supply-chain Levels for Software Artifacts (SLSA) or Secure Software Development Framework (SSDF). It is designed to be completely transparent and customizable in a way that also allows organizations to, for example, give more weight to specific controls.
A set of dashboards can also be used to track benchmarks for any number of predefined applications, asset groups, pipelines, or organizational segments.
Ultimately, the goal is to facilitate conversations about the appropriate level of application security that needs to be maintained at a time when IT environments are becoming increasingly complex, said Caspi. Ensuring application security requires a level of cooperation among application developers and cybersecurity experts that today is just too difficult to attain, he noted.
There are millions of potential vulnerabilities that cybercriminals can exploit. For example, an analysis of 2.5 million GitHub Actions workflow files belonging to 553,000 organizations and personal users, recently published by Legit Security, uncovered interpolation of untrusted input in more than 7,000 workflows, execution of untrusted code in over 2,500 workflows, and use of untrustworthy artifacts in more than 3,000 workflows.
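The first of those three findings, untrusted input interpolated into a workflow's shell step, is something a team can check for itself before a scanner does. The following is an added example, not code from Legit Security or from the article: a small line-based checker that flags `${{ }}` expressions inside `run:` scripts whose value an outside contributor controls. The list of untrusted context fields and the sample workflow are constructed for this example.

```python
import re

# Event-context fields an issue, pull request or comment author controls directly.
# This list is an assumption based on the GitHub Actions context documentation,
# not something the article provides; extend it to match your own threat model.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.head_commit.message", "github.event.commits",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")   # one ${{ ... }} expression
RUN_KEY = re.compile(r"^(-\s+)?run:")         # `run:` or `- run:` step key

def find_untrusted_interpolations(workflow_text):
    """Return (line_number, expression) for every expression inside a `run:` script
    whose value an outside contributor controls. A `run:` key opens a region that
    ends at the next non-blank line indented no deeper than the key itself."""
    findings = []
    key_indent = None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if key_indent is not None and stripped and indent <= key_indent:
            key_indent = None                      # left the run block
        key = RUN_KEY.match(stripped)
        if key:
            key_indent = indent + len(key.group(1) or "")
        if key_indent is None:
            continue                               # not inside a shell step
        for expr in EXPR.findall(line):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((lineno, expr))
    return findings

# Constructed sample: the first step interpolates the issue title straight into the
# shell; the second passes it through an environment variable, which the shell
# treats as data rather than as part of the command line.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues, pull_request_target]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Risky (issue title becomes part of the shell command)
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Safer (value reaches the shell as an environment variable)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
          echo "Actor: ${{ github.actor }}"
"""

if __name__ == "__main__":
    for lineno, expr in find_untrusted_interpolations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted value interpolated into run step: {expr}")
```

Running it on the sample reports only line 8; the `env:` form on line 11 is not inside a `run:` block and `github.actor` is not in the untrusted list.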
In the wake of a series of high-profile cyberattacks on software supply chains, Legit Security is making a case for a more proactive approach to DevSecOps using an ASPM platform that discovers these types of issues, hopefully, before they are exploited. Unfortunately, cybercriminals have become more adept at, for example, stealing credentials that provide them with nearly unfettered access to application development environments. Once cybercriminals gain access it then becomes possible to, for example, embed malware in code bases that might not be activated until months later.
On the plus side, however, investments in DevSecOps best practices continue to improve. A Techstrong Research survey of more than 500 DevOps practitioners finds that less than half (47%) of respondents work for organizations that regularly employ DevSecOps best practices. More than half (54%) of respondents said they regularly scan code for vulnerabilities during development, while 40% conduct security.
A full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. At the same time, 64% of respondents are investing in a code scanning tool, with 24% describing those investments as high. A total of 62% are investing in application programming interface (API) security, with 23% of respondents describing those investments as high.
No developer wants to wake up one morning to discover a cyberattack has been traced back to a mistake they made. The trouble is that it’s too easy for developers to make a simple mistake that can have catastrophic consequences. It’s up to DevSecOps teams to ensure that the software supply chain itself is as secure as possible in an era where cybercriminals keenly understand that application security is not nearly as robust as anyone building and deploying software would like it to be.