Aqua Security targets software supply chain attacks

Development and security teams can now proactively address the most critical software supply chain risks from code through runtime.

Aqua Security has introduced what it says is the industry’s first and only end-to-end software supply chain security solution. The new solution ensures protection across the entire software development lifecycle (SDLC) and helps organisations proactively prevent and stop supply chain attacks on cloud native applications.

Software supply chain attacks are dramatically on the rise, and Aqua data shows a 300% increase year-over-year. The increasing threats are now being recognised by international governments as a security priority; most recently the White House released an executive order to enhance software supply chain security from development.

Aqua identifies software supply chain risks as threats coming from third-party artifacts, open source dependencies, and malicious actors targeting the unique developer toolset and environment. To combat the growing risk to the software supply chain, Aqua is introducing new capabilities to add to its current supply chain solution. These new capabilities make Aqua the only solution in the market that protects against supply chain risk from code all the way through to runtime, across both the application and underlying infrastructure.

“Other vendors miss a piece of the equation,” said Amir Jerbi, CTO and co-founder of Aqua Security. “For example, some solutions focus on the build while others focus on the code and build, but Aqua is the only solution that allows developers to offer proactive security measures across code, build, deploy and runtime phases. With this, we are giving developers and security teams the confidence to continue to build their cloud native application development capabilities and prevent supply chain attacks.”

The Systems Sciences Institute at IBM recently reported that “it costs six times more to fix a bug found during implementation than one identified during design. Furthermore, the cost to fix bugs found during the testing phase could be 15 times more than the cost of fixing those found during design.” The Aqua Software Supply Chain Security Solution provides alerts and acceptance gates along the entire code and build stages to proactively reduce risk as early as possible in the development life cycle. These assurance policies can be automated, further shortening the feedback loop for development and security teams and eliminating these associated costs.

“Attackers are targeting the source code and its dependencies as a way to inject vulnerabilities and backdoors to applications. Aqua’s assurance policies apply proactive security on your software supply chain process and its outcome, identifying and mitigating such risks,” said Joseph Elbaz, head of application security at Grubhub. “This is exactly what is needed to ensure your release quality.”

The first Software Supply Chain Security Solution integrated into a CNAPP

The solution is part of Aqua’s fully integrated Cloud Native Application Protection Platform (CNAPP), the Aqua Platform. As the first CNAPP to include a supply chain solution, Aqua is redefining the CNAPP category with even more integration and end-to-end protection. The Aqua Supply Chain Solution introduces new robust features, including:

Code Scanning: Scan an organisation's code in a matter of minutes without leaving the developer workflow. Powered by Aqua Trivy Premium, the enterprise version of the popular open source universal cloud native security scanner, developers can find and remediate vulnerabilities and other risks within code to deliver safer code faster.

CI/CD Posture Management: Secure your Continuous Integration/Continuous Delivery (CI/CD) tool chain to establish a zero-trust DevOps environment. Enforce Least Privilege Access to reduce security risks and meet compliance requirements. Easily spot and fix dangerous misconfigurations of your DevOps platform (e.g., GitHub, Jenkins, Nexus). Identify insider threats such as the removal of required security checks, bulk changes to user account access, or a change to a sensitive code repository.

Pipeline Security: Identify new or non-compliant CI pipelines and apply customisable security assurance policies across your entire organisation's CI with a single click. Set specific enforcements on your production pipeline to make sure every newly built artifact is signed and scanned for vulnerabilities, secrets and Infrastructure as Code (IaC) misconfigurations.

Next-Generation SBOM: Go beyond basic SBOM generation and record every step and action from the moment a developer has committed the latest code change through the build process up until the new final artifact is generated. With code signing, users can also verify the code history and gain certainty that the code they create is the same code that ends up in the development tool chain.

Open Source Health Assessment: Assess the health and reputation of open source code. Aqua grades every open source package based on quality, maintainability, popularity and risk for supply chain incidents. The solution can automatically prevent risky code from entering the codebase, and developers are notified in real time of potentially dangerous packages.

“The Aqua Platform is undoubtedly the most robust CNAPP in the industry. Adding these new Software Supply Chain Security capabilities to our existing Dynamic Threat Analysis and runtime protection capabilities, we bring the most proactive and holistic defence-in-depth solution that can secure from day one and stop cloud native attacks,” said Jerbi.

The partnership will enable Armadillo’s customers to maintain strong encryption standards, whilst mitigating against malicious activity hidden within encrypted network traffic.
New partnership will allow stor.ai to offer grocers Web Application Firewall (WAF) capabilities to secure e-commerce platforms and prevent cyber attacks quickly and seamlessly.
Majority of employees still rely on username and password authentication.
Illumio, Inc., the Zero Trust Segmentation company, has introduced Illumio Endpoint®, a reimagined way to prevent breaches from spreading to clouds and data centers from laptops.
According to new Venafi research, complexity due to increase, as companies plan to host more than half their applications in the cloud.
Focused on bringing ease of use to IT security automation, ThreatQ TDR Orchestrator addresses industry needs for simpler implementation and more efficient operations.
Although progress has been made, organisations are still paying out.
New research from Forcepoint exposes how CNI cybersecurity professionals need greater support to prevent burnout from the pressure of securing high-threat, high-complexity environments.