Highlights –

  • ASM has been built keeping in mind that organizations cannot protect what they are unaware of.
  • ASM is an all-in-one platform that takes care of everything related to asset discovery and asset management, as well as extra security duties.

Data Theorem, the modern application security provider, announced the launch of a new product, Supply Chain Secure. The firm claims it to be the industry’s first Attack Surface Management (ASM) product, which has been designed to address software supply chain security threats across the application full stack of APIs, cloud, mobile and web services, SDKs, and open-source software. With reference to third-party vendors and suppliers, Supply Chain Secure allows customers to identify quickly and prioritize security policy violations.

Defining and defending an organization’s attack surface has become more complicated with a spike in digital transformation. Attackers use attack surface to either extract data from a system or cause damage to it. The attack is inevitable when an organization is not aware of the loopholes in the attack surface. ASM has been built keeping in mind that organizations cannot protect what they are not aware of. Hence, organizations need to follow the ASM process of continuously discovering, inventorying, classifying and monitoring their IT infrastructure.

About attack surface management

An asset discovery monitors the active and inactive assets on a network; ASM is much more than this. It’s more than asset management, which identifies the IT assets held by organizations and the possible security threats or holes that continuously influence each one.

ASM is an all-in-one platform that takes care of everything related to asset discovery and asset management, and extra security duties. This is done from the standpoint of an attacker. With ASM, enterprises will be able to shut down shadow IT assets immediately and expose databases, unknown apps, and other possible entry points to minimize any resulting vulnerabilities.

Being a modern application security provider, Data Theorem can spot third-party vulnerabilities throughout the application software stack with continuous runtime analysis and dynamic inventory discovery – all of this goes well beyond typical source code static analysis methodologies and software bill of materials (SBOMs) processing.

Big or small, no organization can escape attacks

The attack surface is a fast-growing landscape. It changes continuously, mainly because assets are distributed across the cloud today. The rise of work from home, thanks to the COVID-19 pandemic, has enlarged the number of external assets and targets that security teams must safeguard. Further, surveillance tools are being automated by attackers to investigate and assess external attack surfaces, which many security teams never fully manage to harden, as evidenced by the SolarWinds, Kaseya and Log4Shell intrusions.

These high-profile attacks have laid bare security coverage defects in standard static analysis tools, often integrated into source-code repositories and software build systems. According to Gartner, “Around 72% of business professionals expect their third-party networks to increase somewhat or greatly in the next three years.” A Gartner analysis affirmed that “by 2025, 45% of enterprises around the world will have faced attacks on their software supply chain, up threefold from 2021.”

Intentionally or unintentionally, third-party code and open-source software pose dangers. Organizations cannot be sure if the code is safe unless they do continuous monitoring. However, they may be definite about the wide-ranging consequences of security breaches in third-party APIs, cloud services, SDKs and open-source software. Hackers can gain access to computers, launch malicious attacks and steal sensitive information.

Critical approach for critical issues

A vast number of industry and competing services focus on vendor management and source-code analysis with the help of SBOM documentation. But none of these approaches caters to the basic need for continual discovery of the application complete stack introduced by embedded third-party software on a daily and weekly basis. The reason is that they do not have access to source code for mobile, web, cloud and commercial-off-the-shelf (COTS) software, as well as third-party API services.

Continuous runtime security monitoring is tough to be achieved by either of the two approaches, but Data Theorem’s Supply Chain Secure product offers a full-stack ASM solution that provides continuous third-party application asset discovery and dynamic vendor tracking.

Data Theorem’s new product can automatically group assets under known vendors, enable customers to add new vendors, organize individual assets under any vendor, and send alerts on policy violations and high-embed rates of third-party suppliers into critical applications. An added benefit is that customers can use blackbox reverse engineering and hacker toolkits to automate offensive hacking techniques and make automated penetration testing of known third-party exploits like Log4Shell, Spring4Shell, API-based BOLA attacks, and much easier. Automated capabilities make it easier and faster for vendor management teams to address supply chain security issues.

New products in the emerging ASM space have been announced by the likes of Palo Alto Networks, Synopsys, Checkmarx and Contrast Security but Data Theorem believes its new product is distinct as it is the sole vendor providing dynamic and runtime analysis of the application full stack to discover third-party assets and their respective attack surfaces. Doug Dooley, COO, Data Theorem, said, “Our award-winning Analyzer Engine, which has been performing complete stack analysis for first-party application assets, is responsible for this unique feature.”