Orca Security this week extended the reach of its cybersecurity portfolio to include an application that scans source code stored in GitHub and GitLab repositories for vulnerabilities.
Company CEO Gill Geron said the goal is to enable organizations to discover vulnerabilities long before code finds its way into a production environment using side-scanning technology that Orca Security developed to scan all GitHub and GitLab assets to identify risk hotspots, including misconfigurations.
The Orca Security Cloud uses a SideScanning approach to identify issues that makes use of read-only access to the block storage to create a risk profile. That approach eliminates the need for DevOps teams to deploy and maintain agent software to ensure cloud security. The platform then scans both workloads and cloud configuration metadata to build a map of risks that better enable DevOps teams to prioritize remediation efforts.
Extending that capability out to code repositories is critical to enable DevSecOps teams to remediate issues at the very front end of the software development lifecycle, said Geron. Far too much effort today is focused on fixing vulnerabilities after the application has been built or, worse yet after it’s been deployed. A recent Orca Security report found that 62% of organizations have severe vulnerabilities in their source code repositories, while 70% have unencrypted secrets. Those issues could be avoided if scans are run as early as possible on the source code sitting in repositories, noted Geron.
The application developed by Orca Security is designed to be deployed directly on GitHub or GitLab platforms, where it employs metadata to automatically discover all repositories to create an inventory of software assets. It then surfaces remediation instructions for every alert to streamline DevSecOps workflows.
.ai-rotate {position: relative;}
.ai-rotate-hidden {visibility: hidden;}
.ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;}
.ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;}
.ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;}
It’s not clear to what degree organizations are shifting responsibility for application security further left toward developers but regardless of who is tasked with remediation, the overall process needs to be simpler. Developers today are often overwhelmed by alerts that wind up being ignored simply because there isn’t enough remediation guidance being surfaced. In other cases, the remediation might be more efficiently managed by a DevSecOps team on behalf of the developer.
Orca is Already Employing AI
Of course, there will come a day when artificial intelligence (AI) might automate vulnerability remediation. Orca Security, for example, is already employing generative AI via an alliance with OpenAI to make it easier to determine which alerts can be traced back to the same core issue.
In the meantime, however, most of the patches that need to be applied continue to be built and deployed by developers and the DevSecOps teams that support them. The challenge today is there are more vulnerabilities than there is time to remediate them, so organizations need to decide which issues to prioritize. Unfortunately, there is also a tendency to address simpler issues first regardless of how severe a vulnerability might be. The Orca Security Cloud promises to make it easier to prioritize remediation efforts based on the risk they represent to the business versus how easy they might be to fix.
This post was originally published on the 3rd party site mentioned in the title of this this site