
Deepfactor 3.2 Adds SBOM and Runtime Correlation for SCA To Help Customers Improve Supply Chain Security

With the June 2023 software supply chain compliance deadline under Executive Order 14028 looming, Deepfactor 3.2 introduces SCA, SBOM, and runtime security enhancements designed to help customers reduce risk, improve supply chain security, and comply with U.S. presidential Executive Order 14028.

Deepfactor Release 3.2 Overview

In addition to detecting security risks at runtime in dev and test environments, Deepfactor Developer Security 3.2 can now scan static artifacts (container images and source code) in the CI/CD pipeline to generate SBOMs and detect SCA vulnerabilities. Deepfactor correlates findings from static scanning with runtime usage information to give developers a unified view of their applications' security posture. This correlated data helps developers prioritize and filter alerts based on the runtime context and behavior of the vulnerable components, for example by ranking a vulnerability in a library that is actually loaded at runtime above one in a library that is present in the image but never used.

For additional details on the Deepfactor Developer Security 3.2 release, please review the Release Notes in Deepfactor documentation.

Release 3.2 Highlights

Feature area         Enhancements

SBOM and SCA
  • Creation of SBOMs in CycloneDX and SPDX formats
  • Static scanning of artifacts (container images and source code) within the build pipeline to generate SBOMs and report vulnerabilities
  • Static scanning of container images when pods are started in Kubernetes clusters to generate SBOMs and report vulnerabilities
  • SCA vulnerability alerts
  • Alerts when dependencies with license types the organization does not permit (such as GPL) are added to containers or code
  • Runtime-enriched SCA (static findings correlated with runtime usage information)

Runtime Analysis
  Performance optimization in the Deepfactor runtime to reduce CPU consumption during launch of the instrumented application container

Integrations
  The Deepfactor Jira integration now supports additional mandatory field types, such as user ID and version.


Release 3.2 Details

Deepfactor Developer Security 3.2 introduces static scanning of artifacts, which lets developers find vulnerabilities in their CI/CD pipelines and fix them early, in dev and test, rather than after deployment. The Deepfactor scanner supports a wide range of OS distributions and programming language dependencies, as listed in the Deepfactor support matrix.

Deepfactor SBOM Capabilities

Deepfactor Developer Security 3.2 now includes the ability to produce, operationalize, and consume SBOMs at scale as part of the SDLC. Using the industry-standard CycloneDX and SPDX machine-readable formats, Deepfactor can automatically generate SBOMs when software builds are checked into code repositories. Unlike traditional tools that scan a single repository, Deepfactor automatically groups multiple software components into a complete application SBOM, while still allowing SBOMs to be viewed and downloaded at the component level. The Deepfactor portal provides a searchable and filterable human-readable interface to help security teams quickly respond to zero-day vulnerabilities, developers fix vulnerabilities, and customers verify the supply chain security of their software. The Deepfactor documentation describes how customers can integrate Deepfactor SCA scanning in CI/CD pipelines.
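The workflow described above and in the Release 3.2 highlights (merging component-level SBOMs into an application SBOM, flagging disallowed licenses, answering "are we affected?" for a newly disclosed package vulnerability, and ranking SCA findings by whether the component was actually loaded at runtime) can be illustrated with a small stand-alone script. This is an added example written for this page, not Deepfactor's code or API; the two CycloneDX documents, the vulnerability IDs (VULN-A, VULN-B, VULN-C), the runtime-loaded set and the license policy are all constructed placeholders, and the prioritization rule (runtime-loaded first, then severity) is one reasonable policy, not a description of how the product orders alerts.

```python
"""Merge CycloneDX component SBOMs, check license policy and rank SCA
findings by runtime usage. Added illustration; not Deepfactor code."""
import json
from typing import Dict, List, Set

# Constructed sample: two component-level CycloneDX 1.4 SBOMs for one
# application, one from a container image scan and one from a source scan.
IMAGE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.1",
         "purl": "pkg:deb/debian/readline@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})
CODE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "pyyaml", "version": "5.3",
         "purl": "pkg:pypi/pyyaml@5.3",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed SCA findings keyed by purl. IDs are placeholders, not advisories.
SCA_FINDINGS: Dict[str, List[dict]] = {
    "pkg:pypi/pyyaml@5.3": [{"id": "VULN-A", "severity": "critical"}],
    "pkg:deb/debian/readline@8.1": [{"id": "VULN-B", "severity": "high"}],
    "pkg:pypi/requests@2.25.1": [{"id": "VULN-C", "severity": "medium"}],
}

# Constructed runtime observation: purls of components the instrumented
# application actually loaded while its test suite ran.
RUNTIME_LOADED: Set[str] = {"pkg:pypi/requests@2.25.1",
                            "pkg:deb/debian/openssl@1.1.1k"}

# Assumed organizational license policy (SPDX identifiers).
DISALLOWED_LICENSES = {"GPL-2.0-only", "GPL-2.0-or-later",
                       "GPL-3.0-only", "GPL-3.0-or-later"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def merge_sboms(*sbom_json: str) -> dict:
    """Combine component-level SBOMs into one application SBOM, de-duplicated
    by purl so a library seen in several components appears once."""
    seen: Dict[str, dict] = {}
    for doc in sbom_json:
        bom = json.loads(doc)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("expected a CycloneDX document")
        for comp in bom.get("components", []):
            key = comp.get("purl") or f"{comp['name']}@{comp['version']}"
            seen.setdefault(key, comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": list(seen.values())}


def license_violations(app_sbom: dict) -> List[str]:
    """Purls of components whose declared license is on the disallowed list."""
    bad = []
    for comp in app_sbom["components"]:
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id") or entry.get("expression")
            if lic in DISALLOWED_LICENSES:
                bad.append(comp["purl"])
    return bad


def components_named(app_sbom: dict, name: str, versions: Set[str]) -> List[str]:
    """Zero-day triage: purls of components matching a package name and any
    of the affected versions from a fresh advisory."""
    return [c["purl"] for c in app_sbom["components"]
            if c["name"] == name and c["version"] in versions]


def prioritize(app_sbom: dict, findings: Dict[str, List[dict]],
               runtime_loaded: Set[str]) -> List[dict]:
    """Attach runtime context to each finding and sort: components observed
    loading at runtime first, then by severity."""
    rows = []
    for comp in app_sbom["components"]:
        purl = comp["purl"]
        for f in findings.get(purl, []):
            rows.append({"purl": purl, "id": f["id"],
                         "severity": f["severity"],
                         "loaded_at_runtime": purl in runtime_loaded})
    rows.sort(key=lambda r: (r["loaded_at_runtime"],
                             SEVERITY_RANK[r["severity"]]), reverse=True)
    return rows


if __name__ == "__main__":
    app = merge_sboms(IMAGE_SBOM, CODE_SBOM)
    print("license violations:", license_violations(app))
    print("affected by hypothetical pyyaml advisory:",
          components_named(app, "pyyaml", {"5.3", "5.3.1"}))
    for row in prioritize(app, SCA_FINDINGS, RUNTIME_LOADED):
        print(row)
```

With the constructed input, the medium-severity finding in requests is ranked first because that library was observed loading at runtime, ahead of the critical finding in pyyaml, which was never loaded during the instrumented run; readline is flagged both as a GPL license-policy violation and as carrying an unused high-severity finding.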

To learn more about integrating SBOMs into your CI/CD pipeline ahead of the June 2023 Executive Order 14028 compliance deadline, make sure to register for this upcoming webinar.

The post Deepfactor 3.2 Adds SBOM and Runtime Correlation for SCA To Help Customers Improve Supply Chain Security appeared first on Deepfactor.

*** This is a Security Bloggers Network syndicated blog from Deepfactor authored by Deepfactor. Read the original post at: https://www.deepfactor.io/deepfactor-3-2-adds-sbom-and-runtime-correlation-for-sca-to-help-customers-improve-supply-chain-security/
