SECURITY 101

Why Risk Scanning Needs to be Free: Don't Just Find Risks, Fix Them

Simon Wenet
Head of Growth
November 20, 2023
Simon has spent the last decade in security leading product management & growth teams at various companies focused on DNS security, DLP, and now application security.

TL;DR

Modern software supply chain security depends on precise visibility into threats. As a critical element of securing the software supply chain, we believe that risk scanning should be free, fast, and seamless for developers to implement. Automated mitigations presented in chat tools and developer IDEs ensure threats can be dealt with early and easily, even when developers lack awareness of how to resolve a particular risk.


Why risk scanning needs to be free: Don't just find risks, fix them

Scanning for software supply chain security risks is common practice today, but what happens to those risks after they are detected? Problems such as hardcoded secrets and vulnerable dependencies—especially those found in high priority assets—must be addressed as soon as they are discovered to ensure a secure software development lifecycle (SDLC).

Risk management starts with obtaining visibility into the threats you face. “Single pane of glass” scanning tools can be a good starting point, helping to find and index vulnerabilities, but risks must also be fixed promptly with minimal developer intervention (and preferably before they are ever introduced to production code). This is where visibility-focused tools fall short: They often lack remediation capabilities and can’t effectively support developers working on mitigations. With a single pane of glass to see the threats you face, but not fix them, you’re left staring through a glass barrier, unable to reach the issues it reveals. New threats that appear behind the glass aren’t directly accessible to developers, making it challenging to investigate them and apply fixes.

Just as you pay contractors to fix problems in your home, security tools should accomplish the same outcome: fixing the problem! We need a dependable end-to-end solution that secures our supply chain by identifying the threats that exist and then mitigating those risks to maintain a secure DevSecOps environment. Moreover, risk scans should be free, thus ensuring that everyone is able to identify security issues throughout the SDLC.

The need for visibility across all software supply chain security risks

Comprehensive visibility into security risks is essential for all modern applications, and the first step is identifying the risks: You can't fix what you can't find.

Traditionally, software teams have often taken a reactive approach to security issues: Developers may be unaware of security vulnerabilities until they are reported by a customer, product manager, or security team lead. When issues are addressed haphazardly and in isolation, both developer velocity and product security are negatively impacted. 

An effective modern security strategy requires proactive risk detection capabilities. Having a holistic view with total visibility into threats facilitates more accurate risk context and prioritization. Granular visibility is also invaluable for demonstrating legal and regulatory compliance, allowing you to use historical scan data to recall the known risks at a particular point in time.

The case for free AppSec risk scanning

Many essential developer technologies are free: You don't need to pay for basic source control, backup, or compilation capabilities, for example. All these are recognized as fundamental utilities that should be accessible to all.

So when it comes to critical threat detection tools, why should it be any different? After all, they represent the minimum baseline for securing your product. While visibility is essential, the real value of risk management tools lies in their ability to manage, prioritize, and remediate new threats, not just find them. As such, tools that provide automated risk prioritization and mitigation are those you should consider paying for, not those that merely report risks for developers to manually find and fix themselves. Discovery-oriented tools, like many commercial Application Security Posture Management (ASPM) platforms, make limited (and hard-earned) contributions to your product’s overall security posture, as they depend on developer effort or other systems to actually enact fixes for the problems they report.

Tools focused on vulnerability detection can also introduce new challenges. Individual solutions often have a specific remit within the overall security sphere, requiring reliance on multiple tools to achieve complete coverage. Not only is this time consuming; it can also distract from actually addressing detected threats.

Let’s take a look at some of the most popular open-source scanning tools, which we at Arnica love, as examples:

  • Gitleaks: Finds secrets that have been hardcoded into Git repositories, files, and directories.
  • Semgrep: Performs static analysis of your source code, surfacing bugs and security problems that could occur at runtime.
  • Trivy: Spots known vulnerabilities (CVEs), insecure dependencies, and dangerous misconfigurations in container images, repositories, and cloud environments.

All three of these tools provide visibility into software supply chain risks, and each looks for a different kind of vulnerability. While each is an effective scanner in its area of focus, achieving full coverage may require running all three scanners in your pipeline, meaning added management overhead. Applying the optimal configuration, unifying reports, and ensuring that designated developers are alerted of new issues requires significant effort, which must be duplicated each time a new tool is introduced.

And again, merely gaining visibility into threats can create more problems than it solves. Alert fatigue and never-ending to-do lists have a withering effect on developers and security leads, making it harder to actively reduce your risk. As a result, too many non-actionable alerts can actually harm your security posture.

The solution: Don’t just find risks, fix them

With all the issues of visibility-oriented tools, it's clear that a new approach to security practices is needed.

Securing the software development lifecycle (SDLC) is easiest with a unified solution that not only supports a full range of scan types but also offers automated resolutions. Moreover, highly accurate, prioritized, and contextualized alerts for risks in important assets allow you to home in on the risks that matter most to you, enabling faster remediation:

  • Risk context: Risk context is critical for evaluating the severity of supply chain threats. A comprehensive threat management tool should provide all the information required to assess the context of each risk, so that AppSec teams don't have to waste time doing this manually and developers don’t have to waste time trying to understand the risk when it requires their intervention.
  • Automatic & custom risk prioritization: Security scanners can report hundreds or even thousands of risks, of which only a handful require immediate attention. Automated prioritization allows you to cut through the noise and quickly resolve the most urgent threats, instead of wasting time manually triaging risks. The ability to customize prioritization, based on risk tolerance and an asset’s business importance, gets you even closer to focusing on the most important actions.
  • Streamlined risk remediation: Risk scanning alone isn't enough to secure your application. Scanning tools should simplify the risk resolution process too by offering suggested remedial actions, one-click fixes, and in-context guidance for developers explaining how specific coding practices lead to security issues.
  • Automated fixes: When a suggested action is available, the solution should allow you to accept the fix and automatically apply it to your project. For example, once a secret has been detected, the tool could create a new pull request that removes it from the repository and cleans up previous history. This lets developers resolve the problem with a single click.
  • Risk-free mitigation: In a perfect world, the threat is contained once your fix has been applied; but in practice, fixes can fail or cause unforeseen side effects that are sometimes worse than the original problem. When this happens, you need to rapidly revert the change, evaluate what happened, and then make another attempt. Tools should allow you to revert mitigations just as easily as they were applied. Not only will this improve your resiliency, it also helps reduce any concerns or tensions between engineering and security teams about whether a suggested mitigation is safe to accept.
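One way to unify the reports of the three scanners named above (Gitleaks, Semgrep, Trivy) into a single schema and apply the automatic, asset-weighted prioritization this list describes, as an added example that is not Arnica's or the tools' own code: it assumes the JSON key names of each tool's report, treats every leaked secret as high severity because Gitleaks reports no severity, and uses constructed sample reports, a placeholder CVE id, and constructed asset weights.

```python
import json

# Constructed sample reports, trimmed to the fields read below; the key names follow each
# tool's JSON report layout as understood here (an assumption to verify against real output).
GITLEAKS_JSON = '[{"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 3}]'
SEMGREP_JSON = ('{"results": [{"check_id": "python.lang.security.audit.exec-detected", '
                '"path": "app/run.py", "start": {"line": 17}, "extra": {"severity": "WARNING"}}]}')
TRIVY_JSON = ('{"Results": [{"Target": "requirements.txt", "Vulnerabilities": [{"VulnerabilityID": '
              '"CVE-XXXX-XXXXX", "PkgName": "examplepkg", "Severity": "CRITICAL", "FixedVersion": "2.0.1"}]}]}')
# Constructed asset weights: path prefix -> business importance (3 = production config).
ASSET_WEIGHTS = {"config/": 3, "app/": 2}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 1}
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}

def normalize(tool, report):
    """Map one scanner's JSON report onto a common finding schema."""
    data = json.loads(report)
    out = []
    if tool == "gitleaks":  # top-level list of leaks; no severity field, so a leaked secret is HIGH (assumption)
        for leak in data:
            out.append({"tool": tool, "rule": leak["RuleID"], "path": leak["File"],
                        "line": leak["StartLine"], "severity": "HIGH"})
    elif tool == "semgrep":  # {"results": [...]} with ERROR/WARNING/INFO severities
        for r in data["results"]:
            out.append({"tool": tool, "rule": r["check_id"], "path": r["path"], "line": r["start"]["line"],
                        "severity": SEMGREP_SEVERITY.get(r["extra"]["severity"], "LOW")})
    elif tool == "trivy":  # {"Results": [{"Target": ..., "Vulnerabilities": [...]}]}
        for res in data["Results"]:
            for v in res.get("Vulnerabilities") or []:
                out.append({"tool": tool, "rule": v["VulnerabilityID"], "path": res["Target"], "line": None,
                            "severity": v.get("Severity", "UNKNOWN"), "fix": v.get("FixedVersion")})
    else:
        raise ValueError(f"unsupported tool: {tool}")
    return out

def prioritize(findings, asset_weights, default_weight=1):
    """Score = severity rank x business weight of the affected asset; highest first."""
    for f in findings:
        weight = max([w for p, w in asset_weights.items() if f["path"].startswith(p)] + [default_weight])
        f["score"] = SEVERITY_RANK.get(f["severity"], 1) * weight
    return sorted(findings, key=lambda f: (f["score"], SEVERITY_RANK.get(f["severity"], 1)), reverse=True)

def ranked_sample():
    """Unify the three constructed reports into one prioritized list."""
    findings = (normalize("gitleaks", GITLEAKS_JSON) + normalize("semgrep", SEMGREP_JSON)
                + normalize("trivy", TRIVY_JSON))
    return prioritize(findings, ASSET_WEIGHTS)

if __name__ == "__main__":
    for f in ranked_sample():
        print(f["score"], f["severity"], f["tool"], f["rule"], f["path"])
```

Note that the secret in production config outranks the critical CVE in an unweighted file, which is the asset-context effect the list above argues for.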

Tools that expand vulnerability scanning with automated risk prioritization, contextual guidance, and one-click fixes empower developers to efficiently identify, resolve, and learn from threats.

Why it matters: Eliminate risks without obstructing developer velocity

Risk management solutions must be non-disruptive to developers at both the scan and fix stages. Instead of forcing developers and engineers to hunt down information on risks, new findings should be reported within the platforms and tools they already use as part of their daily workflows.

One strategy is to utilize scan and mitigation tools in conjunction with ChatOps and GitOps. This enables rapid threat response workflows that are seamlessly integrated with existing developer processes. In this model, developers are alerted instantly in chat when hardcoded secrets, vulnerable packages, or code flaws are detected; they can then address the problem directly from the alert, using the tool's GitOps integration to automatically remove the risk from the repository.

In practical terms, this means bringing threat reports, critical risk alerts, and mitigation actions directly to the developer in their source code management tools and chat applications like Slack, which are where developers spend most of their time. It is also important to use pipelineless scanning methods to ensure 100% coverage without waiting for the results of lengthy CI/CD pipelines. This reduces the time that threats can endure in your project, since they are detected (and mitigated) early on, before the pipeline runs.

The result: Full risk visibility + faster risk remediation

Don't pay for risk scanning tools that promise a "single pane of glass" but lack the ability to resolve the application security issues they detect. Essential security scans such as secrets detection, anomalous developer access analysis, and static application security testing (SAST) should all be free, fast, and actionable to support your AppSec teams and ensure problems actually get resolved.

While full visibility into threats is essential, this is only the first step in securing your SDLC. Merely being aware of risks doesn't protect your customers and assets. Implementing tooling that can actually fix issues efficiently is therefore vital.

Arnica gives you visibility into risks for free and supports manual and automated mitigations on top of this visibility. When a security threat arises, such as a developer committing a secret, the developer is immediately alerted via Slack and offered a one-click action to eradicate the secret from the repository’s history. This enables faster remediation, even for those who lack the specific knowledge about how to fix an issue, and ensures ongoing security while lowering the burden on your developers.

Find issues for free and fix risks faster with Arnica. Book your free demo today.
