Navigate uncharted risk across your software supply chain with Apiiro’s Risk Graph Explorer

With the introduction of Apiiro’s Risk Graph Explorer (aka the Explorer) to Apiiro’s ASPM platform last year, our customers can now ask and answer specific questions about their applications and software supply chains—right from an easy-to-use query interface.

With the Explorer, As part of Apiiro’s Preview Program, we had the privilege of collaborating closely with our customers to pinpoint some intriguing use cases where the Explorer can help teams shed light on even the most elusive corners of application and software supply chain attack surfaces.

In this post, we’ll explore 😉 a handful of these use cases, including:

1. Identifying inactive contributors who own secrets in business-critical repositories
2. Isolating chained risks across application and software supply chain components
3. Distinguishing logging and monitoring frameworks that may expose sensitive data
4. Finding risks that may compromise PCI compliance
5. Uncovering Generative AI frameworks used in code

These are just a few examples that illuminate the power of the Explorer to surface multidimensional risk across different application layers to reduce investigative hours, better understand your application attack surface, and—with the ability to build policies directly from the Explorer queries—prevent or flag future risks.

Identifying inactive contributors who own secrets in business-critical repositories

Verifying that only the right people can access and make changes to business-critical repositories is fundamental to ensuring that your secrets (and your applications) remain secure. To do this, we use credentials and additional security measures to authenticate users and grant access to systems. Protecting active credentials is essential for maintaining the security of applications and preventing unauthorized access to sensitive information.

For instance, consider if you had a repository that contains secrets for your production environment. There is a developer who has since left the company, but for one reason or another, their credentials were never revoked. These active credentials hand over the keys to your kingdom, opening the door for malicious actors to potentially compromise your application.

With a simple Explorer query, you can identify all the contributors to this business-critical repository who are no longer active.

If this developer was also responsible for secrets in this business-critical repository, it would be a recipe for a security disaster. To pinpoint any inactive code contributors who are responsible for secrets in high business impact repositories, simply adjust this condition:

From there, you’ll be able to see all of the matched inactive contributors as well as other valuable details like their number of commits, authored pull requests, reviewed pull requests, when they’ve been active since, their last activity date, and more. This list acts as your compass and can guide your next steps in sealing these entry points into your applications, such as revoking their access, rotating secrets, and setting up alerts to monitor any suspicious activity.

Isolating chained risks across application and software supply chain components

Since Apiiro combines application and software supply chain signals in one platform, we are able to uniquely chain disparate risks—also known as toxic combinations—that, when connected, may pose a serious threat to your business. 

For example, you have a repository that contains sensitive PII data. The pipeline used for building and deploying the application is known to have security vulnerabilities or misconfigurations. Then a change is committed to a branch without minimum code reviewers. This presents a critical toxic combination that needs to be prioritized and addressed rapidly. 

You can identify these risks in your supply chain with a query in the Explorer:

Exposing toxic combinations in your codebase helps identify and prioritize issues that, given their architecture and dependencies, become a severe risk that attackers may exploit to gain unauthorized access to business-critical systems or sensitive data.  

Distinguishing logging and monitoring frameworks that may expose sensitive data 

Let’s say that you have a web application that handles credit card payments. You know that storing sensitive information may violate industry regulations and standards like PCI DSS and GDPR, and increases the risk of exposing highly confidential information. Plus, if any of these frameworks are logging sensitive data to a public-facing server, then this could pose a serious security risk—not to mention grave legal and reputational ramifications if a bad actor were to gain unauthorized access. 

Using the Explorer, you can easily identify all of the logging and monitoring frameworks in your codebase that are connected to code modules handling sensitive payment, PHI, or PII data. 

The results will show all the matching frameworks, which repositories they’re in, and call out whether or not they’re part of testing code. Revealing where you may be recording and exposing highly sensitive data allows you to prioritize and understand where you may need to create policies to ensure and enforce compliance standards. 

In fact, you can create a policy automatically right from that query! This ensures that any time a logging or monitoring framework is used in sensitive code modules in the future, you’re able to verify that the right security measures are in place.

Finding risks that may compromise PCI compliance 

If your software handles payment data, it’s critical to ensure compliance with the standards outlined in Payment Card Industry Data Security Standard (PCI DSS). To do this, you’re required to safeguard your applications through regular vulnerability assessments and timely remediation of known vulnerabilities.

Using the Explorer, you can rapidly isolate urgent risks in repositories that handle payment data so you can take the necessary steps to mitigate these risks. In this example, there’s a repository that handles critical data. You need to know if there are critical risks in this repository that were previously discovered, but not addressed. 

With the query above, you can identify repositories that handle payment data and have high severity risks with no known fixes that have been open for at least 30 days. Since these risks do not have a known fix path, you will likely need to kick off an internal process to ensure you can mitigate these risks. The results of this query help you understand where you need to take additional actions and document these steps to have on hand during PCI DSS assessments. 

Uncovering Generative AI (GenAI) frameworks used in code

While adopting GenAI offers great promise for development teams, it doesn’t come without risk. More often than not, AppSec teams don’t have complete visibility into how different teams across the organization are using GenAI, what new frameworks are being introduced, and the impact on the risk the organization carries. This meteoric attack surface expansion puts organizations at risk of data leakage, compliance violations, decreased control over sensitive data, legal issues, and more.

Apiiro now automatically identifies GenAI frameworks in your codebase and continuously detects these framework instances across your attack surface. Apiiro currently identifies numerous GenAI frameworks, including VertexAI, OpenAI, LangChain, HuggingFace, GPT4ALL, Anthropic, SageMaker, Azure ML AI.

With the Explorer, you can not only identify where GenAI is present in your code and what frameworks are being used, but you can also combine conditions to identify toxic combinations like risky combinations of GenAI usage and sensitive data and secrets tied to GenAI frameworks.

From these results, you can better understand the implications of these frameworks when it comes to securing your data, and create policies around these frameworks to help control and prevent attack surface sprawl.

Venture into your unknown application attack surface risk with the Explorer

The examples discussed in this blog post are just the tip of the iceberg when it comes to extracting novel information about your applications and software supply chains using the Explorer. Designed to help identify and prioritize risk, understand the relationships between different components, and get insights into the impact of security issues, the Explorer has the power to unravel complex security and compliance challenges.
To delve deeper into your AppSec posture with the Explorer, schedule a demo with us.