
Introducing Apiiro SSCS: Software supply chain security with the power of ASPM

Product | December 6, 2023 | 5 min read

Software supply chains are the lifeblood of modern application development.

As software teams’ reliance on third-party development systems, tools, and software increases, so does the importance of securing them. But simply detecting flaws in supply chain components like CI/CD pipelines and source control managers (SCMs) isn’t enough to adequately protect modern applications that are interconnected, complex, and constantly changing. Siloed software supply chain security (SSCS) tools provide a fragmented view of risk, lack broader application context, and are often disconnected from application security programs.

To help AppSec teams seamlessly integrate pipeline and SCM security into their AppSec programs, we’re thrilled to officially extend Apiiro’s application security posture management (ASPM) platform with native software supply chain security (SSCS).

Our holistic, interconnected approach makes SSCS a core component of ASPM, providing a single platform for both application and supply chain security, enabling customers to:

  • Get complete supply chain visibility with integrated repository and pipeline inventories
  • Detect, prioritize, and remediate risks across repositories and CI/CD pipelines
  • Uncover toxic combinations across application and supply chain components
  • Assess and enforce software supply chain governance policies

Get complete supply chain visibility with integrated repository and pipeline inventories

To secure and manage your software supply chain end-to-end, you need real-time, continuous visibility across your entire supply chain. Apiiro now natively inventories pipelines and repositories as part of our graph-based eXtended software bill of materials (XBOM) that includes connections across components, their associated risks, and how they change over time.

Apiiro provides a consolidated view of repositories that you can drill into to get insights, including:

  • Top languages and frameworks used by percentage
  • Active vs. inactive contributors and contributor permissions
  • Whether sensitive data is being handled
  • Whether it is deployed, user-facing, or internet-facing
  • Encryption, authentication, and authorization frameworks in use
  • Whether it is private or public
  • Business impact based on types of data analyzed and factors set manually such as revenue
  • Connected plugins
  • Percent and velocity of risky changes
  • Full risk profile
  • Timeline of changes

CI/CD pipeline inventory

Apiiro also provides a complete list of identified pipelines, helping uncover shadow pipelines and surfacing important insights such as:

  • Parent and checked-out repositories
  • Dependencies
  • Identified secrets
  • Associated applications

These inventories are built directly into our Risk Graph and are queryable via our Risk Graph Explorer, providing visibility into individual entities and how they’re connected. With this comprehensive, real-time inventory of your repositories and pipelines, you can better understand your application and supply chain attack surface to uncover areas of unknown or potential risk and allocate resources appropriately.

Detect, prioritize, and remediate risks across repositories and CI/CD pipelines

Getting native insights into software supply chain risks is crucial to holistically addressing application risk. In line with CIS and SLSA best practices, Apiiro now detects supply chain security risks involving:

  • Branch protection rules: Flag whether a branch allows force push or deletion and whether it requires too few code reviewers; the required number of reviewers is configurable.
  • Repository permissions: Surface inactive admins and users with write permissions within repositories; the period of inactivity after which a user is deemed “inactive” is configurable.
  • Pipeline misconfigurations: Detect misconfigurations that can leave pipelines vulnerable to tampering or injection.
  • Pipeline dependency vulnerabilities: Surface vulnerabilities found in detected pipeline dependencies and track when they were added, discovered, removed, and resolved.

While this native context is a core tenet of our vision for ASPM, Apiiro goes beyond just detecting these supply chain security weaknesses to cut through the noise of false positives. Thanks to the depth and breadth of our ASPM platform and our multidimensional risk prioritization approach, Apiiro also assesses the likelihood and impact of a supply chain risk based on your specific application and business so you can isolate critical risk within your supply chain.

With Apiiro, you can now pinpoint and automatically prioritize CI/CD pipeline and SCM findings that pose the greatest risk to your business and spend less time triaging your backlog. Actionable remediation guidance such as fix suggestions, risks tied to their code owners, and in-app actions expedite remediation cycles between security and developers and improve mean time to remediation (MTTR).

Uncover chained risks across application and software supply chain components

Because Apiiro combines application and software supply chain signals in one platform, we are able to uniquely chain disparate risks—also known as toxic combinations—that, when connected, may pose a serious threat to your business.

For example, let’s say there’s a repository that contains sensitive PII data, and the pipeline used for building and deploying the application is known to have security vulnerabilities or misconfigurations, and a change is committed to a branch without minimum code reviewers. This presents a critical toxic combination that needs to be prioritized and addressed rapidly.

Exposing toxic combinations in your codebase helps identify and prioritize issues that, given their architecture and dependencies, become a severe risk that attackers may exploit to gain unauthorized access to business-critical systems or sensitive data.
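The following is an added illustration, not Apiiro's code or data model: a small Python evaluator that implements the branch-protection checks described in the detection section (force push, deletion, configurable reviewer threshold) and then chains the three signals from the example above (a repository handling PII, a misconfigured or vulnerable pipeline, and a commit merged with too few approvals) into a single critical finding. The `Repository`, `Pipeline` and `Commit` classes and the sample values are constructed for this example.

```python
from dataclasses import dataclass

# Constructed data model for this example; it is not Apiiro's schema or API.
@dataclass
class Repository:
    name: str
    handles_pii: bool          # sensitive data detected in the code base
    allow_force_push: bool     # default-branch protection settings
    allow_deletion: bool
    required_reviewers: int

@dataclass
class Pipeline:
    name: str
    misconfigured: bool           # e.g. untrusted input reaches a run step
    vulnerable_dependencies: int  # known-vulnerable pipeline dependencies

@dataclass
class Commit:
    sha: str
    approvals: int                # reviews recorded before the merge

def branch_protection_findings(repo, min_reviewers=2):
    """Branch-protection checks; the reviewer threshold is configurable."""
    findings = []
    if repo.allow_force_push:
        findings.append("force push allowed")
    if repo.allow_deletion:
        findings.append("branch deletion allowed")
    if repo.required_reviewers < min_reviewers:
        findings.append("insufficient required reviewers")
    return findings

def toxic_combinations(repo, pipeline, commits, min_reviewers=2):
    """Chain PII + risky pipeline + under-reviewed commit into one finding.
    Each signal alone is a routine finding; together they are critical."""
    pipeline_risky = pipeline.misconfigured or pipeline.vulnerable_dependencies > 0
    under_reviewed = [c.sha for c in commits if c.approvals < min_reviewers]
    if repo.handles_pii and pipeline_risky and under_reviewed:
        return [{"repo": repo.name, "pipeline": pipeline.name,
                 "commits": under_reviewed, "severity": "critical"}]
    return []

# Constructed sample: the scenario from the post (PII repo, pipeline with
# vulnerable dependencies, one commit merged with a single approval).
SAMPLE_REPO = Repository("billing-service", handles_pii=True, allow_force_push=True,
                         allow_deletion=False, required_reviewers=1)
SAMPLE_PIPELINE = Pipeline("billing-build", misconfigured=False, vulnerable_dependencies=2)
SAMPLE_COMMITS = [Commit("a1b2c3", approvals=1), Commit("d4e5f6", approvals=2)]
```

Removing any one of the three signals (for example, marking the repository as not handling PII) makes `toxic_combinations` return an empty list, which is the point of chaining rather than scoring each finding in isolation.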

Assess and enforce software supply chain governance policies

Understanding your application and supply chain attack surface, getting a consolidated and prioritized view of repository and pipeline risks, and addressing the most critical risks and toxic combinations are just the first steps of implementing a holistic SSCS strategy.

By combining SSCS with deep, code-to-cloud ASPM capabilities, Apiiro also consolidates risk assessment and governance to streamline how you safeguard your supply chain on each and every code change. With Apiiro’s extensive integration ecosystem, in-built and custom policies, and flexible workflow engine, you can easily:

  • Initiate remediations via the creation of tickets assigned to relevant code owners with all relevant context and remediation guidance.
  • Send notifications when abnormal activity—such as a user’s first commit to a specific repository or any repository—is detected.
  • Trigger processes such as agile threat models or penetration tests when material supply chain changes, such as the addition, removal, or modification of pipeline files, are detected.
  • Embed developer guardrails to prevent risks from being committed or merged and govern change across codebase and pipeline.
  • Maintain a least privilege best practice by removing permissions for inactive users.
  • Or any combination of the above.

And to tie it all together, Apiiro provides comprehensive risk profiles, dashboards, reports, and key metrics associated with repositories and supply chains so you can get quick insight into:

  • Mean time to remediation (MTTR) for supply chain risks
  • Top supply chain risks
  • Misconfigured and vulnerable pipelines discovered over time
  • Discovered vs. closed supply chain risks
  • Abnormal commits over time
  • And more

What’s next

By extending our ASPM with integrated SSCS, visibility, and governance, we hope to enable our customers to strengthen their AppSec programs without having to adopt another solution.

SSCS is in a closed customer preview with expanded integrations, new features, and enhancements being rolled out continuously. To see how Apiiro can help protect your supply chain using a multidimensional risk-based approach, schedule a demo.

Moti Gindi, Chief Product Officer
Neta Coral, Product Manager