Cycode Launches Next-Gen SCA Featuring Complete Pipeline Composition Analysis to Deliver Full Software Supply Chain Security

Addition of SCA, SAST and container scanning consolidates and improves the top eight AppSec tools on Cycode's market-leading platform

Enables AppSec teams to identify vulnerabilities in all phases of the SDLC and determine deployment locations for rapid remediation

LAS VEGAS, Aug. 09, 2022 (GLOBE NEWSWIRE) — Cycode, the leader in software supply chain security, today announced the launch of its next-gen software composition analysis (SCA) solution and the expansion of its platform to add static application security testing (SAST) and container scanning. Cycode's platform makes AppSec tools better through its Knowledge Graph, which provides context of the software development lifecycle (SDLC) to improve accuracy and reduce mean-time-to-remediation (MTTR). Cycode now includes the top eight AppSec tools to deliver the most advanced and comprehensive AppSec platform available. Cycode's capabilities have moved beyond existing solutions in terms of breadth and depth, while also providing net new capabilities, like Pipeline Composition Analysis to identify many different types of vulnerable dependencies across the entire SDLC (not just in source code), where vulnerable dependencies are deployed and whether or not they are exploitable.

Cycode's core technology is a graph database called the Knowledge Graph. The Knowledge Graph structures and correlates data from the tools and phases of the SDLC. By first seeking to understand customers' SDLCs, the Knowledge Graph delivers the context security tools need. Additionally, the Knowledge Graph ingests data from every AppSec tool built into the platform to better understand risk and coordinate responses to threats. Not only do SCA, SAST and container scanning benefit from the Knowledge Graph, but their addition also improves Cycode's platform because they contribute new data into the Knowledge Graph, which increases the effectiveness of every other tool in the platform.

“At its core, the software supply chain security problem is a result of the deficiencies in traditional AppSec tools,” remarked Lior Levy, CEO of Cycode. “There are many ways to attack software supply chains because the attack surface is varied and vulnerable to so many different types of threats. Traditional AppSec tooling only looks at narrow segments of an SDLC individually. AppSec lacks the equivalent of a central nervous system: something to collect, interpret and respond to the security information across the entire SDLC.”

Securing all the ways software supply chains can be breached requires coordination across a broad set of AppSec tools. Cycode's eight AppSec tools identify vulnerabilities and harden software delivery pipelines. Cycode's SCA, SAST, Infrastructure as Code scanning and container scanning identify vulnerabilities in custom code, open source components, containers, Infrastructure as Code and other pipeline components. At the same time, Cycode hardens software delivery pipelines with tools to centrally manage governance and security policy across development tools, and to identify code leaks, hardcoded secrets, misconfigurations and code tampering.

“The value of Cycode's Knowledge Graph really shines in the current macroeconomic environment when many CISOs are being asked to do more with less,” commented Justinian Fortenberry, CISO of Zip Co Limited. “Not only does Cycode significantly reduce AppSec tool costs through consolidation, but Cycode's Knowledge Graph helps coordinate each tool on the platform to reduce risk in unique ways such as identifying when leaked code contains secrets like API keys or passwords.”

As software supply chain attacks have increased in frequency, SCA has been a focal point of many organizations' AppSec responses. Yet SCA is too narrow in scope to solve software supply chain attacks, as evidenced by the continued frequency of software supply chain breaches. Legacy SCA only looks for vulnerabilities in source code dependencies, an attack vector that Cycode estimates makes up less than 10% of the total software supply chain attack surface.

In contrast, Cycode's next-gen SCA identifies vulnerabilities in dependencies and other security issues across the entire software delivery pipeline, not just source code. Cycode calls this Pipeline Composition Analysis. In addition to identifying which dependencies are vulnerable, Pipeline Composition Analysis also understands where dependencies are deployed and whether or not they are exploitable.

In addition to source code dependencies, Cycode's Pipeline Composition Analysis also secures:

  • Build modules such as GitHub Actions or GitLab Runners
  • Build modules' dependencies (e.g., open source libraries introduced by GitHub Actions)
  • SDLC tools (e.g., GitHub, Jenkins, CircleCI, JFrog, etc.) as well as their versions, configurations and security controls
  • Plugins and extensions to SDLC tools (e.g., vulnerable Jenkins plugins or CircleCI orbs)
  • Infrastructure as Code (IaC) template configurations and dependencies introduced by IaC files
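The list above covers pipeline components that never appear in a source-code manifest, so a classic SCA scan of package.json or requirements.txt cannot see them. As an added, concrete illustration of the second item (build-module dependencies pulled in by GitHub Actions), the script below inventories every `uses:` reference in a workflow file and classifies how it is pinned: an immutable 40-hex commit SHA, a mutable tag or branch that whoever controls the upstream repository can repoint, a local composite action, or a Docker image. This is example code written for this article, not Cycode's code or a description of how its product works; the workflow text, the `some-org/lint-action` repository and the commit SHA are constructed for the example, and the pin-classification heuristic is the example's own assumption.

```python
"""Inventory the actions a GitHub Actions workflow depends on and report how
each is pinned.  Added example for this article; not Cycode's code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample workflow for the example (not taken from a real repo).
# 'some-org/lint-action' is a hypothetical repository; the SHA is illustrative.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
      - name: Lint
        uses: some-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool:1.2.3
      - run: npm ci && npm test
"""

# Matches 'uses:' both as a list item ('- uses: x') and as a mapping key
# under a named step ('  uses: x'); the value stops at whitespace, a quote
# or a '#' comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    target: str            # owner/repo[/path], local path or docker:// image
    ref: Optional[str]     # text after '@' (tag, branch or SHA); None if absent
    pin: str               # "sha" | "mutable" | "local" | "docker"
    line: int              # 1-based line number in the workflow file


def classify(uses_value: str) -> Tuple[str, Optional[str], str]:
    """Split a 'uses:' value into (target, ref, pin-kind).

    Only a full 40-hex commit SHA is treated as immutable (this example's
    heuristic).  A tag or branch can be moved by the upstream owner, and a
    missing ref means the repository's default branch, which is also mutable.
    """
    if uses_value.startswith("./"):
        return uses_value, None, "local"
    if uses_value.startswith("docker://"):
        return uses_value, None, "docker"
    target, _, ref = uses_value.partition("@")
    if FULL_SHA_RE.match(ref):
        return target, ref, "sha"
    return target, (ref or None), "mutable"


def inventory(workflow_text: str) -> List[ActionRef]:
    """Return every action reference in the workflow, in file order."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            target, ref, pin = classify(m.group(1))
            refs.append(ActionRef(target, ref, pin, lineno))
    return refs


def mutable_refs(workflow_text: str) -> List[ActionRef]:
    """Third-party actions whose code can change without any edit to this repo."""
    return [r for r in inventory(workflow_text) if r.pin == "mutable"]


if __name__ == "__main__":
    for r in inventory(SAMPLE_WORKFLOW):
        print(f"line {r.line:2}  {r.pin:8}  {r.target}  @ {r.ref}")
    print(f"{len(mutable_refs(SAMPLE_WORKFLOW))} mutable reference(s) to pin")
```

On the constructed workflow the script flags `actions/checkout@v3` and `some-org/lint-action@main` as mutable: both resolve to whatever the upstream tag or branch points at on the day the job runs, which is exactly the kind of build-module dependency the bullet above is about. A practitioner would pin such references to a full commit SHA and keep the human-readable version in a trailing comment; a line-based scan like this is a cheap first check, but it does not tell you whether a pinned action is itself vulnerable or where the built artifact ends up, which is the gap the rest of this article says Pipeline Composition Analysis is meant to close.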

Cycode's Pipeline Composition Analysis surpasses SCA capabilities in numerous other ways, including prioritization and remediation. For example, legacy SCA solutions can only identify the lines of code where vulnerabilities exist in source code, whereas Cycode can also pinpoint where vulnerable dependencies are deployed in test and production environments. Without Pipeline Composition Analysis, definitively removing all instances of vulnerable libraries like Log4j from production is an error-prone and time-consuming manual process that hinders rapid remediation efforts.

“Cycode's deep understanding of our entire deployment pipeline, combined with their integrated SCA capabilities, means Cycode alerts on both vulnerable dependencies and where they are deployed,” said Zack Padilla, Lead Cybersecurity Engineer of Kyriba.

Cycode's Pipeline Composition Analysis also yields insights on which components facilitate a vulnerability or security issue, how pipeline components relate to one another and whether they are present in runtime environments. This capability makes it possible for Cycode to prioritize remediation efforts based on which issues are exploitable in production.

“The value of Cycode is in our platform,” said Dor Atias, VP of Engineering and co-founder of Cycode. “The platform is designed to make AppSec tools better, but also to make developing new tools easier and faster. This gives Cycode customers the best of both worlds: a portfolio of best-in-class point solutions that is always expanding and the operational efficiency of consolidating tools on the same Knowledge Graph-powered platform.”

Cycode is exhibiting these new software supply chain capabilities at this year's Black Hat conference on August 10-11. Stop by the Cycode booth (#IC147) to learn more or see the industry's most complete AppSec platform in action.

About Cycode
Cycode is a complete software supply chain security solution that provides visibility, security and integrity across all phases of the SDLC. The Cycode platform makes AppSec tools better through its Knowledge Graph, which provides complete context of the SDLC to improve accuracy and reduce mean-time-to-remediation (MTTR). Cycode merges the top eight AppSec tools into the industry's most advanced and comprehensive AppSec platform. By correlating data across these tools, Cycode adds net new capabilities like Pipeline Composition Analysis, which identifies vulnerable dependencies and security issues across the entire SDLC that legacy tools like SCA and SAST miss, pinpoints where vulnerable dependencies are deployed and prioritizes threats by exploitability.

Media Contacts:
Montner Tech PR
Deb Montner
[email protected]
