AppThreat is Joining the ShiftLeft Family

As a passionate DevSecOps practitioner, I wanted to build a portfolio of security tools that both the DevOps and the security community would love to use. The security tools marketplace is quite messy — people are forced to use, work and integrate with security products that are unfit for the purpose — often by senior leaders who are mis-sold by the vendors.

Thus, I began my humble journey towards building a set of simple yet powerful security tools under the umbrella name AppThreat, an application threat intelligence platform.


What is AppThreat?

AppThreat is an application threat intelligence platform powered by the following tools:

  • sast-scan: A free open-source SAST scanner that can integrate with a range of CI/CD pipelines including Azure Pipelines, GitHub Actions, Google Cloud Build, CircleCI and so on. This is also the first open-source project to support the SARIF file format for interoperability with commercial tools.
  • vulnerability-db: A free open-source vulnerability database and search library built for performance.
  • cdxgen: A free open-source Software Bill-of-Materials generation tool for several programming languages.
  • dep-scan: A free open-source dependency and license auditing tool powered by cdxgen and vulnerability-db. This is also the first open-source project to support the grafeas format.

Learnings on the way

As you might have noticed, all the core products of AppThreat are free and open source! Working on these projects exposed me to some hard realities of building security tools based on existing open-source components.

Quality of the findings

The quality of the security findings from popular OSS SAST tools varied a lot. While there are some good OSS SAST tools such as bandit and gosec, the majority were quite average and boring. While it was possible to normalize and beautify the reports externally, it is not possible to fix tools that lack a core or a solid foundation. Searching for such a core and an engine that can power the next generation of SAST products, I came across a technology called Ocular by ShiftLeft. ShiftLeft is a next-generation SAST company with a broader vision to embed security into DevOps properly, like shifting security to the left of the DevOps lifecycle. Cool!

Arc Reactor: Iron Man

When I played with a trial version of Ocular and integrated it with sast-scan, I saw a huge boost to the quality of the security findings. For Java, Ocular nearly doubled the quality (more findings with fewer false positives) when compared to FindSecBugs. FindSecBugs is not so bad on its own, so doubling the quality metric is a remarkable achievement! It is easy to conclude that the OSS SAST community lacks an arc reactor like Ocular to make an impact.

Lack of excellent quality free vulnerability database

There are two kinds of vulnerability databases in the market:

  • Free feeds from NVD, GitHub, etc. that suffer from data quality issues
  • Paid commercial feeds that are often expensive and with quite restrictive licensing terms

I wrote a small comparison tool that compared identical CVEs from NVD and GitHub and found that one out of five of them had an information mismatch. While GitHub had incorrect version number specifications, NVD had incorrect vendor or product names! It was clear that the world is missing a free open-source vulnerability database of good-enough quality (<2% errors). How do we fund such a database without relying on a large commercial entity such as Microsoft or Google?

Lack of innovation with dependency and container scanners

Dependency and container scanners have not evolved at all for a while now. Some scanners like my dep-scan and the famous Dependency-Check can perform the scanning in the CI while others do it in the cloud (and charge a premium for it, duh).

My experimental integration with Ocular again gave a huge boost to the quality of dep-scan. Firstly, not every package mentioned in your package-lock.json is used by the application. By combining the dependency tree generated from the SAST tool with the vulnerability findings from dep-scan tool, I achieved another 2x-3x improvement in quality. A similar idea when applied to the container scanning concept completely blew us away.
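The idea in the paragraph above, sketched as an added example (not code from dep-scan, Ocular or ShiftLeft): findings are split by whether the vulnerable package version is reachable from packages the application actually imports. The lockfile, package names, finding ids and the `IMPORTED` set (standing in for SAST output) are all constructed assumptions.

```python
import json

# Constructed package-lock.json (npm lockfileVersion 2 layout); names are hypothetical.
LOCKFILE = json.loads("""{
 "lockfileVersion": 2,
 "packages": {
  "": {"name": "demo-app", "dependencies":
       {"web-framework": "^4.0.0", "util-belt": "^4.17.0", "legacy-report": "^1.0.0"}},
  "node_modules/web-framework": {"version": "4.17.1", "dependencies": {"query-parser": "6.7.0"}},
  "node_modules/query-parser": {"version": "6.7.0"},
  "node_modules/util-belt": {"version": "4.17.15"},
  "node_modules/legacy-report": {"version": "1.0.0", "dependencies": {"query-parser": "6.5.2"}},
  "node_modules/legacy-report/node_modules/query-parser": {"version": "6.5.2"}
 }}""")
# Assumption: packages the SAST tool saw imported by application code.
IMPORTED = {"web-framework"}
# Constructed scanner findings with placeholder ids.
FINDINGS = [
    {"id": "EXAMPLE-0001", "package": "query-parser", "version": "6.7.0"},
    {"id": "EXAMPLE-0002", "package": "query-parser", "version": "6.5.2"},
    {"id": "EXAMPLE-0003", "package": "util-belt", "version": "4.17.15"},
]

def resolve(packages, from_path, name):
    """Node-style lookup: the requiring package's node_modules, then each parent's."""
    path = from_path
    while True:
        candidate = (path + "/" if path else "") + "node_modules/" + name
        if candidate in packages:
            return candidate
        if not path:
            return None
        path = path[:path.rfind("node_modules/")].rstrip("/")  # move up one level

def reachable(packages, imported):
    """Lockfile entries reachable from the imported top-level packages."""
    stack = [p for p in (resolve(packages, "", n) for n in imported) if p]
    seen = set()
    while stack:
        path = stack.pop()
        if path in seen:
            continue
        seen.add(path)
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target:
                stack.append(target)
    return seen

def triage(lockfile, imported, findings):
    """Split findings into (used, unused) by reachability of package@version."""
    pk = lockfile["packages"]
    live = {(p.rsplit("node_modules/", 1)[1], pk[p]["version"]) for p in reachable(pk, imported)}
    used = [f["id"] for f in findings if (f["package"], f["version"]) in live]
    unused = [f["id"] for f in findings if (f["package"], f["version"]) not in live]
    return used, unused
```

Packages in the unused list are still installed, so those findings are better deprioritised than closed.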

To the future

In short, when OSS and commercial scanners integrate and work together, it is the customers and DevSecOps teams that would benefit the most. It, therefore, gives me immense pleasure to announce that AppThreat is joining the ShiftLeft family.

AppThreat would remain free and open source but gain more upgrades. AppThreat DevSecOps community would start seeing tremendous improvements in quality when we begin to integrate the brains of Ocular and other ShiftLeft tech to the OSS tools. This alliance is the beginning of a disruptive innovation that is highly needed in the security tools marketplace. I would like to thank every single contributor and supporter of AppThreat. Folks, we just got started …

AppThreat is Joining the ShiftLeft Family was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Prabhu Subramanian. Read the original post at: