Lacework Reduces Security Friction for Developers, Introduces Smart Fix Automated Remediation


Lacework, the data-driven security company, today announced a range of updates to its code security offering headlined by Smart Fix, a new capability for automated risk remediation. Initially released to identify and navigate common vulnerabilities and exposures (CVEs) in third-party and open-source software, Smart Fix will later extend to the full Lacework platform to improve remediation across the entire cloud-native application lifecycle.

Last November, Lacework introduced its code security offering which unified code and cloud security, and enabled enterprises to accelerate the delivery of secure cloud applications. With that release, Lacework introduced two forms of code analysis as nodes in its cloud native application protection platform (CNAPP): software composition analysis (SCA) evaluates third-party code for CVEs, while static application security testing (SAST) covers common weakness enumeration (CWE) for first-party code.

The Lacework approach to code security is unique and goes beyond basic functionality. It gives teams continuous visibility into exactly where vulnerable functions are used in the code, how often each vulnerability is referenced, and whether they are exploitable in running workloads. The approach creates unique value for customers, who gain an always-up-to date software bill of materials (SBOM) for every direct and transient dependency within their software supply chain, and a keen understanding of open-source license risk.

Lacework SAST uses a sophisticated set of precise techniques to analyze call chains and control paths of an application, simplifying a security domain in which traditional tools provide noisy results, false positives, and missed weaknesses. The system learns when a developer has added compensating controls to mitigate risk and the Lacework platform’s highly-configurable engine allows security engineers to easily customize and add rules to meet the specific needs of their codebases. Lacework SAST is both fast and accurate, with low false positives and negatives.

Ultimately, the Lacework approach to code security empowers developers to quickly secure third-party and first-party code, and security teams to scale expert reviews to millions of lines of code per minute for their most exposed internet-facing applications.

Now, with Lacework Smart Fix, the unparalleled speed and accuracy of Lacework code security comes with automatic remediation for third-party code vulnerabilities.

“The new Smart Fix technology developed at Lacework aims to reduce security vulnerability and risk remediation time by 10x to 100x by automating manual steps currently performed by developers, providing additional intelligence, and leveraging Lacework’s powerful code-to-cloud platform,” said Patrice Godefroid, Distinguished Engineer at Lacework.

Smart Fix for third-party software

Lacework Smart Fix is the next step in the company’s commitment to simplifying cloud security. With Smart Fix for third-party software, Lacework facilitates remediation by finding the smallest upgrade path that remediates all current and potential vulnerabilities known about the third party code.

Lacework Smart Fix for third party software tailors remediation guidance for the developer. Traditional SCA products operate from a per-CVE lens instead of rolling up guidance for all CVEs in a package and providing a singular recommendation. This means that if a code package has multiple CVEs, each can provide conflicting remediation guidance which snowballs into the following problems:

  • Poor vulnerability remediation guidance from the source – patching zero-days as they are defined is a whack-a-mole exercise. According to the National Vulnerability Database, there are 1300 new vulnerabilities per month on average registered in public databases. Many times, older CVEs do not have updated guidance for these new zero-days, adding tremendous overhead to developers working to patch findings from traditional SCA solutions.
  • Overwhelming vulnerability noise – typically, there are at least two to five CVEs per package, making it difficult to identify the shortest path to remediating current and future potential vulnerabilities.

Lacework Smart Fix for third party software solves the above problems. It automatically evaluates each potential fix for a customer’s vulnerable package and subsequent package versions to determine the optimal fix. This ensures that not only the identified CVEs are patched but also any other potential vulnerabilities known to affect the package. Developers will have access to guided recommendations from Smart Fix directly within their code base through Lacework integrations.

For both developers and security engineers, Smart Fix helps avoid expensive patching exercises and provides clear guidance for remediation that will have the biggest positive security outcomes.

Over time, Lacework will extend its Smart Fix technology to intelligently reduce risk across other security domains including further aspects of code security, identities and entitlements, attack paths, and infrastructure as code (IaC) security. In each case, the system analyzes alternate paths to remediation, calculates the shortest path that reduces the most risk with the least amount of effort, and can even execute the change automatically.

Further Enhancements

Along with Smart Fix for third-party software, Lacework is announcing several other new capabilities that reduce security friction for developers, including:

  • Application context: Enumerates every instance in which an application references a vulnerable library. Developers can observe how often the library is called and understand how the library is utilized. This gives them needed context to effectively prioritize CVEs.
  • Differential analysis: Identifies CVEs introduced by each developer as they change code and submit pull requests. This allows developers to prioritize speed in getting their code developed and through security checkpoints rather than dealing with longstanding vulnerabilities introduced by others.
  • Visual Studio (VS) Code extension: Detects and alerts developers to vulnerable third-party and open-source libraries and packages as code is written. Developers can proactively address security risks directly within their integrated development environment (IDE) and avoid delays caused by discovering vulnerabilities during pull request (PR) submissions or code check-ins.

Across the spectrum of code security capabilities, these tools provide developers and engineering teams with a new, more efficient path to saving time and developing secure code with efficiency.



Source link