Highlights:
- Software Composition Analysis gives customers persistent insight into third-party software libraries and their related vulnerabilities, encompassing direct and indirect dependencies.
- Lacework’s latest code security features are crafted to proactively identify and address security issues before the code is deployed, preventing exposure in real-world scenarios.
The cloud security startup Lacework Inc. has revealed new code security features that give their clients complete visibility over the course of the application development lifecycle.
By detecting security flaws before the code is deployed, Lacework’s new code security features aim to stop security flaws from being discovered in the wild. The service also helps identify issues early in the application lifecycle and expedite resolution.
The launch embodies Lacework’s conviction that attaining rapid security outcomes necessitates ongoing visibility and context ensuring visibility into the whereabouts of every software package and capturing correlated data across the application lifecycle is essential. The proposed strategy enables security teams to enhance efficiency by eradicating the requirement to integrate data and insights from disparate sources. Instead, it consolidates them into smaller tools that provide greater value.
This release includes two new types of static program analysis: Static Application Security Testing and Software Composition Analysis.
Software Composition Analysis gives customers persistent insight into third-party software libraries and their related vulnerabilities, encompassing direct and indirect dependencies. Beyond the capabilities of basic SCA, the approach provides teams with continuous visibility into the precise locations in the code where vulnerable functions are used, along with information about how frequently each function is referenced, who brought it in, and who is in charge of fixing it. The company claims that customers receive an understanding of open-source license risk, continuous visibility into their software supply chain, and an always-up-to-date software bill of materials for every application.
With SCA included in the Lacework platform, customers can track a vulnerable package’s entire lifecycle, including its use in source code and its activity within any cloud-native workload. The Code Aware Agent extension for the Lacework runtime agent is used to detect active vulnerabilities.
Static Application Security Testing (SAST) supplements SCA, offering a comprehensive set of code security capabilities to assist organizations in comprehending potential vulnerabilities within their first-party code. SAST detects weaknesses in the source code of in-house code that attackers might exploit to circumvent security measures, execute malicious commands, or extract sensitive data. This tool delivers customers an automated and user-friendly secure code review, facilitating actionable insights for entry-level and senior security analysts.
SAST provides application security engineers insight into intricate vulnerabilities in their highly exposed, internet-facing applications. Lacework offers a comprehensive model for each application, monitoring the trajectory of untrusted data to identify and eliminate zero-day or as-yet-unpatched vulnerabilities. This proactive approach aims to mitigate potential risks, including exploiting such vulnerabilities leading to threats like SQL injection.