High-profile attacks on firms like SolarWinds and Kaseya, together with the Log4j vulnerability in a widely used open source library, have shown that software supply chains are a tempting target for attackers. Now an application security firm claims to have developed the first attack surface management (ASM) system to address risks across the entire application stack, including APIs, cloud services, SDKs, and open source software.
According to the firm, Supply Chain Secure, a SaaS product from Data Theorem, addresses these threats with continuous runtime analysis and dynamic inventory discovery, going beyond the static source code analysis and software bill of materials (SBOM) review that typical tools rely on.
“ASM is a new market that’s forming because the old way of dealing with software suppliers, vendor management, and third-party source code is insufficient,” Data Theorem Chief Operations Officer Doug Dooley tells CSO. “We’re seeing that in major problems like SolarWinds, Log4j, and Spring4Shell.”
“We’re bringing out a component that, so far, has been missing in attack surface management,” Dooley adds.
Most software supply chain security products today rely on vendor management or software composition analysis (SCA). Both approaches share a blind spot: they frequently have no visibility into mobile, web, cloud, and commercial off-the-shelf applications, or into the third-party APIs those applications call.
Supply Chain Secure aims to close this gap with continuous discovery of third-party applications and dynamic vendor tracking. The software automatically groups discovered assets under recognised vendors, lets customers add new vendors and curate the individual assets filed under each one, and raises alerts on policy violations and on third-party vendors whose components are embedded at high rates in important applications.
The product also applies this runtime view to SBOMs, which list the third-party components in an application: it ingests the SBOM a vendor provides and compares it with an SBOM that Supply Chain Secure generates from runtime analysis of the application, flagging where the two diverge. “What generally happens is the vendor SBOM is inaccurate or was accurate at a point in time, so there’s drift from the vendor’s documentation to what’s actually in production,” Dooley explains. “It’s always shocking to customers to see what they have in documentation versus what an attacker can see on the internet.”
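As an added illustration of the SBOM comparison described above (this is example code, not Data Theorem's; the two SBOMs are constructed sample data in a trimmed CycloneDX-style layout, and the three drift categories are this example's own naming), the following Python script diffs a vendor-supplied SBOM against one built from runtime observation and reports what the documentation got wrong:

```python
import json

# Constructed sample data (not from any real vendor): a vendor-supplied SBOM
# and one assembled from components actually observed at runtime. Both use a
# trimmed CycloneDX-style layout: a list of components with name, version
# and a package URL (purl).
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "spring-beans", "version": "5.3.18",
         "purl": "pkg:maven/org.springframework/spring-beans@5.3.18"},
        {"name": "jackson-databind", "version": "2.13.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"},
    ],
})

RUNTIME_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        # Older than the vendor documents: version drift.
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "spring-beans", "version": "5.3.18",
         "purl": "pkg:maven/org.springframework/spring-beans@5.3.18"},
        # Present in production but absent from the vendor SBOM.
        {"name": "commons-text", "version": "1.9",
         "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
    ],
})


def component_key(component):
    """Version-independent identity of a component: the purl with everything
    from the '@version' onward removed (purl requires '@' inside names to be
    percent-encoded, so the first '@' starts the version), falling back to
    the bare name when no purl is present."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return component["name"]


def index_components(sbom_json):
    """Map version-less component key -> declared version for one SBOM."""
    sbom = json.loads(sbom_json)
    return {component_key(c): c.get("version", "")
            for c in sbom.get("components", [])}


def sbom_drift(vendor_json, runtime_json):
    """Compare the vendor's SBOM with the runtime-derived one.

    Returns three sorted lists:
      undocumented     - observed at runtime, missing from the vendor SBOM
      not_observed     - in the vendor SBOM, never seen at runtime
      version_mismatch - (key, vendor_version, runtime_version) triples
    """
    vendor = index_components(vendor_json)
    runtime = index_components(runtime_json)
    return {
        "undocumented": sorted(k for k in runtime if k not in vendor),
        "not_observed": sorted(k for k in vendor if k not in runtime),
        "version_mismatch": sorted(
            (k, vendor[k], runtime[k])
            for k in vendor if k in runtime and vendor[k] != runtime[k]
        ),
    }


def has_drift(report):
    """True if any drift category is non-empty."""
    return any(report.values())


if __name__ == "__main__":
    print(json.dumps(sbom_drift(VENDOR_SBOM, RUNTIME_SBOM), indent=2))
```

The "undocumented" and "version_mismatch" buckets are the ones an attacker benefits from, because they describe code that is exposed in production without appearing in the vendor's paperwork. The "not_observed" bucket is weaker evidence: a component listed by the vendor but never loaded during the observation window may be dead weight, or it may simply not have been exercised yet, so it is better treated as a question for the vendor than as a finding.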