Compliance & Vulnerability Management

Simplifying compliance increases the acceptance of VSM in your engineering community

In terms of discovering vulnerabilities and ensuring compliance, it is not unusual for organizations that develop their own software internally to face challenging situations such as the following:

  • A vulnerability in a library used ubiquitously across your microservices (e.g. Log4j) exposes your organization to attackers who could easily break into your systems to steal data and execute arbitrary code. Whether a specific component relies on the affected library is tribal knowledge, but there is a high chance that some of your systems handling personal and financial data depend on it.

  • When building software, it is fairly common for your developers to use open source components and libraries. Despite their efforts to ensure compliance, your legal and technical teams have a hard time keeping up with the complexity of your environment and the speed at which it evolves. For example, a recent change in the terms of one of the open source licenses used by your teams (e.g. the change of Elasticsearch and Kibana from the Apache v2 license to SSPL in 2021) may put your organization at risk of being forced to release its intellectual property to everyone.

  • One of your security scanning tools sends an alert about a DoS vulnerability in a package (e.g. an XML parser) used across several of your projects. The tool's security report provides extensive details about the attack, its severity and a list of affected projects. The information you have at hand is, however, only one piece of the puzzle when it comes to executing a mitigation plan and tracking its progress.


You cannot move fast if you don't have compliance 100% under control

All of the situations mentioned above reflect the struggle organizations face in compliance and vulnerability management: automatically identifying the dependencies and associations of internally developed software (e.g. microservices) with detected vulnerabilities, underlying components and responsible teams. Without this, their ability to ensure compliance, perform impact analysis or execute a defined mitigation plan within a reasonable time frame is hindered.


How VSM can help

LeanIX VSM links software, dependencies and teams to enable engineers and architects to automate and streamline governance, and to identify and mitigate security vulnerabilities. It does so by connecting to source systems such as security tools or CI/CD pipelines, extracting details about vulnerabilities and the technologies used to develop software, and automatically mapping this data to a specific software component.

The transparency created by VSM allows organizations to:

  • Provide guidance on governance and compliance by setting standards and identifying services and vulnerabilities that do not meet defined requirements.
  • Query the VSM inventory and find out which services are affected by a security vulnerability, their dependencies on other services, and which teams are responsible for them.

What's in there for me?

As a member of a product team: Rely on VSM to help simplify your daily compliance duties.

As a product leader: Establish security & compliance as first-class citizens.

As an enterprise architect: Trust automated discovery when it really counts.

As an engineering leader: Ensure compliance and implement data-driven mitigation actions faster.

Examples - tangible outcomes


How LeanIX mitigated log4shell within 48 hours

Read more in our Blog

What do I need?

Having an initial Software & Cloud Service Discovery is key to start managing compliance & vulnerabilities.

Get buy-in from the people responsible for Platform or InfoSec, who understand the most burning needs.

Talk to your engineers: which pain point in daily compliance tasks can you address first?

How do I get there?

  1. Integrate with CI/CD Pipelines (Jenkins, GitHub Actions, GitLab, etc.)
    VSM provides native plugins for some of the most popular CI/CD pipeline tools to capture metadata, deployment- and library-related information of a specific Software Artifact.

  2. Integrate with Security tools (e.g. Sonarqube or Snyk)
    VSM integrates with security tools to import real-time metrics and alerts from source systems and automatically maps them to a specific Software Artifact, not only to assess it in terms of performance or vulnerability risks but also to analyze upstream and downstream impacts if a Software Artifact is affected.

By setting up these integrations, VSM provides a clear understanding of a Software Artifact and its related vulnerabilities, licenses and libraries. Moreover, VSM automatically scans integrated source systems to reflect the most up-to-date state of Software Artifacts. Additionally, VSM's dashboards and reports enable teams to monitor and track the progress of mitigation actions they have taken.
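The query described earlier (which services are affected by a vulnerability, what depends on them, and which teams are responsible) and the upstream/downstream impact analysis mentioned above come down to a graph query over an inventory of services, their shipped libraries and their call dependencies. The following is an added example that is not LeanIX code and does not use the VSM API; the inventory, service names, teams, library versions and the `fixed_in` threshold are all constructed to illustrate the shape of the analysis.

```python
from collections import defaultdict, deque

# Constructed inventory (not real LeanIX data): for each service, the libraries
# a CI/CD or SBOM scan reported, the services it calls at runtime, and the
# team responsible for it.
INVENTORY = {
    "payments-api": {
        "team": "payments",
        "libraries": {"log4j-core": "2.14.1", "jackson-databind": "2.12.3"},
        "calls": ["ledger-service"],
    },
    "ledger-service": {
        "team": "finance",
        "libraries": {"log4j-core": "2.14.1"},
        "calls": [],
    },
    "checkout-web": {
        "team": "storefront",
        "libraries": {"react": "17.0.2"},
        "calls": ["payments-api"],
    },
    "search-api": {
        "team": "discovery",
        "libraries": {"elasticsearch": "7.10.2"},
        "calls": [],
    },
    "reporting-job": {
        "team": "finance",
        "libraries": {"jackson-databind": "2.9.10"},
        "calls": ["ledger-service"],
    },
}


def version_key(version):
    """Turn a dotted numeric version into a comparable tuple (2.9.10 < 2.10.0)."""
    return tuple(int(part) for part in version.split("."))


def directly_affected(inventory, library, fixed_in):
    """Services that ship `library` at a version older than `fixed_in`."""
    return {
        name
        for name, service in inventory.items()
        if library in service["libraries"]
        and version_key(service["libraries"][library]) < version_key(fixed_in)
    }


def impacted_services(inventory, affected):
    """Services that transitively depend on an affected service (downstream impact).

    Breadth-first search over the reversed call graph: if A calls B and B is
    affected, A is impacted, and so is anything that calls A.
    """
    callers = defaultdict(set)
    for name, service in inventory.items():
        for callee in service["calls"]:
            callers[callee].add(name)
    seen = set(affected)
    queue = deque(affected)
    while queue:
        current = queue.popleft()
        for caller in callers[current]:
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen - set(affected)


def group_by_team(inventory, services):
    """Map each responsible team to the sorted list of its services in `services`."""
    teams = defaultdict(list)
    for name in sorted(services):
        teams[inventory[name]["team"]].append(name)
    return dict(teams)


def impact_report(inventory, library, fixed_in):
    """One record per query: what to patch, what to retest, and who to notify."""
    affected = directly_affected(inventory, library, fixed_in)
    impacted = impacted_services(inventory, affected)
    return {
        "library": library,
        "fixed_in": fixed_in,
        "affected": sorted(affected),
        "impacted": sorted(impacted),
        "teams": group_by_team(inventory, affected | impacted),
    }


if __name__ == "__main__":
    # Constructed threshold version; a real advisory gives the exact fixed range.
    report = impact_report(INVENTORY, "log4j-core", "2.17.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The split between `affected` (ships the vulnerable library, needs patching) and `impacted` (depends on an affected service, needs retesting or a compensating control) is what turns a scanner finding into a mitigation plan with owners; the team grouping is the notification list. Real inventories need a proper version-range comparison (pre-release suffixes, ranges from the advisory) rather than the dotted-integer comparison used here.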


Explore VSM on your own today and for free

Grab yourself a demo environment if you don’t have one yet and head over to our Discovery section.
