Cloudsmith this week at the KubeCon + CloudNativeCon Europe conference revealed it has added an ability to enrich packages with threat intelligence that enables DevSecOps teams to better evaluate the risk attached to downloading a software component.
Nigel Douglas, head of developer relations for Cloudsmith, said this extension to the managed service it provides for managing software artifacts makes it possible to attach data about known malware and vulnerabilities from sources such as the Open Software Security Foundation (OpenSSF) to a software package.
DevSecOps teams can also automatically evaluate a software bill of materials (SBOM) to identify and block unsafe transitive dependencies or non-compliant licenses.
The overall goal is to make it easier to create and enforce policies that prevent developers from downloading software packages that might have been compromised by a cyberattack or contain a vulnerability that could be easily exploited, noted Douglas. In fact, a Cloudsmith survey finds 44% of respondents work for organizations that have confirmed a security incident caused by a third-party dependency, with a further 39% reporting near misses.
Based on open source Open Policy Agent (OPA) software that is managed under the auspices of the Cloud Native Computing Foundation (CNCF), DevSecOps teams can, for example, automatically quarantine recently made available packages to ensure they have been vetted before being downloaded. Additionally, DevSecOps teams can now block packages that have vulnerabilities that rate highly on the Exploit Prediction Scoring System (EPSS).
When access to a software package is restricted, developers also receive custom instructions, directly in their command line interface (CLI) that provide instructions for making remediation or exception requests.
In the wake of a series of attacks on software supply chains that are becoming more common, many organizations are revisiting DevSecOps workflows to reduce risks. The issue is likely to become even more problematic as organizations rely more on AI agents to build software faster than ever, which may result in even more vulnerable code being downloaded from repositories such as GitHub.
At the same time, mandates in the European Union (EU) such as the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) are making the adoption of best DevSecOps practices a legal requirement.
Hopefully, there will come a day soon when the quality of the code being generated by AI coding tools improves to the point where vulnerabilities are no longer a major issue. In the meantime, however, DevSecOps teams are in danger of being overwhelmed as the volume of code being generated continues to exponentially increase in the age of AI.
The only way DevSecOps teams are going to be able to at least minimize application security issues is by enforcing more policies. The challenge, of course, is that application developers will complain those policies are one of the reasons they are missing application delivery times. The only difference now is there is much broader recognition of the level of risk organizations encounter when there are either no policies or, worse yet, simply ignored.