Cycode launches a new generation of SCA with full pipeline composition analysis to provide comprehensive software supply chain security




Addition of SCA, SAST, and container scanning consolidates and enhances eight core AppSec tools on Cycode’s market-leading platform

Enables AppSec teams to identify vulnerabilities in all phases of the SDLC and determine deployment locations for rapid remediation

LAS VEGAS, Aug. 09, 2022 (GLOBE NEWSWIRE) — Cycode, the leader in software supply chain security, today announced the launch of its next-generation software composition analysis (SCA) solution and the expansion of its platform to add static application security testing (SAST) and container analysis. Cycode’s platform enhances AppSec tools with its Knowledge Graph, which provides context of the Software Development Life Cycle (SDLC) to improve accuracy and reduce Mean Time To Resolution (MTTR). Cycode now includes the top eight AppSec tools to provide the most advanced and comprehensive AppSec platform available. Cycode’s capabilities exceed existing solutions in breadth and depth, while providing net new capabilities, such as pipeline composition analysis to identify many different types of vulnerable dependencies across the SDLC (not just in source code), where vulnerable dependencies are deployed, and whether or not they are exploitable.

Cycode’s core technology is a graph database called Knowledge Graph. The Knowledge Graph structures and correlates data from SDLC tools and phases. By first seeking to understand customer SDLCs, the Knowledge Graph provides the context security tools need. The Knowledge Graph also ingests data from every AppSec tool built into the platform to better understand risk and coordinate threat responses. Not only do SCA, SAST, and container scanning benefit from the Knowledge Graph, but their addition also improves Cycode’s platform, because they bring new data into the Knowledge Graph, which increases the effectiveness of every other tool on the platform.

“At its core, the software supply chain security problem is a result of the shortcomings of traditional AppSec tools,” remarked Lior Levy, CEO of Cycode. “There are many ways to attack software supply chains because the attack surface is diverse and vulnerable to many different types of threats. Traditional AppSec tools only look at narrow segments of an SDLC individually. AppSec doesn’t have the equivalent of a central nervous system – something to collect, interpret, and respond to security information across the entire SDLC.”

Securing all the ways software supply chains can be breached requires coordination across a wide range of AppSec tools. Cycode’s eight AppSec tools identify vulnerabilities and harden software delivery pipelines. Cycode’s SCA, SAST, Infrastructure as Code, and container scanning identify vulnerabilities in custom code, open source components, containers, Infrastructure as Code, and other pipeline components. At the same time, Cycode equips software delivery pipelines with tools to centrally manage governance and security policy in developer tools, and to identify code leaks, hard-coded secrets, misconfigurations, and code tampering.

“The value of Cycode’s Knowledge Graph really shines in today’s macro environment where many CISOs are being asked to do more with less,” commented Justinian Fortenberry, CISO of Zip Co Limited. “Not only does Cycode significantly reduce AppSec tool costs through consolidation, Cycode’s Knowledge Graph helps coordinate every tool on the platform to uniquely reduce risk, such as identifying when leaked code contains secrets such as API keys or passwords.”

As software supply chain attacks have increased in frequency, SCA has been at the center of many organizations’ AppSec responses. Yet SCA has too narrow a scope to solve software supply chain attacks, as evidenced by the continued frequency of software supply chain breaches. Legacy SCA only looks for vulnerabilities in source code dependencies, an attack vector that represents less than 10% of the software supply chain’s total attack surface.

In contrast, Cycode’s next-generation SCA identifies vulnerabilities in dependencies and other security issues across the entire software delivery pipeline, not just in source code. Cycode calls this pipeline composition analysis. In addition to identifying vulnerable dependencies, pipeline composition analysis also understands where dependencies are deployed and whether or not they are exploitable.

In addition to source code dependencies, Cycode’s pipeline composition analysis also secures:

  • Build modules such as GitHub Actions or GitLab Runners
  • Build module dependencies (e.g. open source libraries introduced by GitHub Actions)
  • SDLC tools (e.g. GitHub, Jenkins, CircleCI, JFrog, etc.) and their versions, configurations and security checks
  • SDLC tool plugins and extensions (e.g. vulnerable Jenkins plugins or CircleCI orbs)
  • Infrastructure-as-code (IaC) module configurations and dependencies introduced by IaC files

Cycode’s pipeline composition analysis surpasses SCA’s capabilities in several other ways, including prioritization and remediation. For example, legacy SCA solutions can only identify lines of code where vulnerabilities exist in source code, while Cycode can also identify where vulnerable dependencies are deployed in test and production environments. Without pipeline composition analysis, permanently removing all instances of vulnerable libraries such as Log4J from production is an error-prone and time-consuming manual process that hampers rapid remediation efforts.

“Cycode’s deep understanding of our entire deployment pipeline, combined with their built-in SCA capabilities, means that Cycode alerts to both vulnerable dependencies and where they are being deployed,” said Zack Padilla, Kyriba’s Senior Cybersecurity Engineer.

Cycode’s pipeline composition analysis also provides information about which components are contributing to a vulnerability or security issue, how pipeline components are related to each other, and whether they are present in runtime environments. This unique capability allows Cycode to prioritize remediation efforts based on actionable issues in production.

“The value of Cycode lies in our platform,” said Dor Atias, vice president of engineering and co-founder of Cycode. “The platform is designed to improve AppSec tools, but also to facilitate and accelerate the development of new tools. This gives Cycode’s customers the best of both worlds: an ever-expanding portfolio of best-in-class point solutions and the operational efficiency of consolidating tools on the same Knowledge Graph powered platform.”

Cycode is showcasing these new software supply chain features at this year’s Black Hat conference on August 10-11. Stop by the Cycode booth (#IC147) to learn more or see the industry’s most comprehensive AppSec platform in action.

About Cycode

Cycode is a comprehensive software supply chain security solution that provides visibility, security, and integrity across all phases of the SDLC. The Cycode platform enhances AppSec tools with its Knowledge Graph, which provides full SDLC context to improve accuracy and reduce mean time to resolution (MTTR). Cycode merges the top eight AppSec tools into the industry’s most advanced and comprehensive AppSec platform. By correlating data between these tools, Cycode provides new functionality, such as pipeline composition analysis, which identifies vulnerable dependencies and security issues missed by legacy tools such as SCA and SAST across the SDLC, identifies where vulnerable dependencies are deployed, and prioritizes threats based on their exploitability.

Media Contact:
Montner Tech PR
Deb Montner
[email protected]

Source: Cycode