
April 25 2023 | 3 min read

Say Hello to Apiiro’s New Risk Graph™ Explorer


Modern applications are more complex, interconnected, and ephemeral than ever. They’re made up of countless code modules, dependencies, APIs, data models, and technologies developed across numerous languages, frameworks, and contributors, maintained, built, and deployed across multiple repositories, SCMs, CI/CD pipelines, and cloud environments. And they’re all constantly changing.

At Apiiro, we have always believed that effective modern application security requires complete visibility into those complex application components, their interconnections, associated business context, risks, and changes over time. For many AppSec teams, this is way easier said than done.

That’s where our Risk Graph™ comes in. Developed over the past three years, our patented Risk Graph is the engine of Apiiro’s platform, enabling our customers to map their application attack surfaces, contextualize security alerts, correlate and prioritize risks, and remediate faster.

Today, we’re taking this a step further by introducing the first-of-its-kind Risk Graph Explorer (aka Explorer).

The Explorer is a new, easy-to-use query interface that unleashes the entirety of the Apiiro Risk Graph, empowering application security and development teams with unprecedented visibility into all application components, their relationships, and their associated risks. The Explorer provides flexibility and expressiveness that enables asking and answering even the most advanced questions about your applications and software supply chains – in just seconds and limited only by your imagination.

Apiiro’s Risk Graph™

To understand the value of the Explorer, you have to first understand the power of the underlying Risk Graph.

Apiiro’s patented Risk Graph is a constantly-updated node-edge representation of all your code modules, dependencies, user stories, APIs, data models, development environments, container images, pipelines, technologies, frameworks, contributors, and other application components. It also captures the relationships between those components and augments them with business and technical insights. The Risk Graph then layers security signals from external third-party solutions and/or Apiiro’s native security solutions.

By contextualizing those security alerts, the Risk Graph is able to correlate and deduplicate them, identify their root cause, tie them back to the code module and code owner, and enrich them with architecture, process, and business insights.

Until today this technology was leveraged internally as the engine for Apiiro’s core use cases. This is the first time we are putting the power of the Risk Graph into our customers’ hands.

Risk Graph Explorer

With a simple and comprehensive query experience, Apiiro customers can discover, query, and understand the multidimensional relationships across the different application layers, enriched with business context and overlaid with insights.

When we put the Explorer in the hands of early users, we were impressed by the types of questions that emerged. Here are a few examples:

  • Show me all my internet-facing APIs in a high business impact application that are part of a code module with an exploitable OSS vulnerability with a CVSS score of 7.0 or higher.
  • Where do I have APIs in Java version 19 in production code that are about to be deployed to an internet-facing environment and also use an OSS package with a critical exploitable vulnerability?
  • Where are all my vulnerable OSS dependencies in production code (i.e., not in test) with high or critical active risks that are in an application with internet-facing sensitive APIs that writes sensitive data to logs?
  • Find me all the instances of a specific secret appearing across public repositories or repositories that store PII in a storage bucket.

We believe that Explorer’s flexibility and simplicity enable a deep understanding of the ins and outs of applications and software supply chains. That visibility is a game changer when it comes to answering regulatory questions, investigating the impact of a new zero-day, setting the scope for penetration testing, and broadly understanding attack surfaces and how they change over time.

The Explorer also comes with the ability to use pre-defined queries based on industry best practices, save and share queries, filter, sort, and export query results, and continue investigating findings with Apiiro.

What’s next

The Explorer supports our vision of solving legacy application security challenges by empowering security practitioners with visibility into every element of their modern applications and software supply chains. We are excited to see how our customers leverage the Explorer to identify and reduce critical risks and build smarter, more efficient application security programs.

Until now, we have built and fine-tuned our Risk Graph and Explorer hand-in-hand with our customers, and we plan to continue doing so. As always, we will stay customer-tuned and evolve this powerful experience based on your input.

We will be rolling out the Explorer in the coming months, starting with a closed customer preview. To see it in action or learn more about Apiiro’s context-driven approach to application security, schedule a demo.

Eldan Ben Haim

Chief Architecture Officer

Moti Gindi

Chief Product Officer