Black Hat USA 2024 was a stellar event. In addition to Apiiro’s Booth on the trade show floor, our CEO, Idan Plotnik, spoke during one of the sponsor sessions on all things Application Security, Risk, Compliance and Security Management. Watch the session here:
Here’s what Idan dove into:
Understanding, prioritizing and remediating risks in modern applications begins with knowing what you have. Although inventory is a foundational principle of security, most organizations lack a comprehensive inventory of their software. While endpoints, servers, and cloud assets are meticulously cataloged, software assets remain elusive, creating a significant gap in application security.
Modern application risk profiles are dynamic, with numerous components changing daily across various processes, tools, and teams. Processes include the stages of the SDLC (design, develop, build, deploy and run) and Secure SDLC, such as threat modeling and penetration testing. Tools range from ticketing systems and SCM to CI/CD pipelines, API gateways, and container orchestration platforms like Kubernetes. People encompass business units and diverse teams, including product development, software engineering, AppSec, DevOps, and tech risk.
Traditional CMDBs fall short, relying on periodic self-attestation that leads to outdated and inaccurate inventories. Large enterprises face significant challenges in associating code repositories and their components with application profiles and runtime environments. This disconnect hinders compliance with standards like PCI v4, CIS, SLSA and NIST, complicates risk prioritization and remediation, and overwhelms security teams who cannot keep pace with the exponential increase in code changes.
Apiiro’s solution to this problem is the Deep Code Analysis (DCA) technology, an AI-driven, real-time code-to-runtime software inventory. DCA discovers every code component and detects material changes, while the Risk Graph connects all components and their relationships, providing a comprehensive risk assessment.
By using the DCA technology and Risk Graph, Apiiro enables developers and AppSec engineers to focus on a small subset of risky changes, proactively triggering review processes.
This approach significantly enhances AppSec efficiency, reducing mean time to remediation (MTTR) by 96% while maintaining high development velocity.