PALO ALTO, CA / ACCESSWIRE August 10, 2022 / Business innovation relies on speed and agility to engage customers in new ways though their software applications and digital business models. However, the hard work that businesses invest in these applications can tragically backfire when attacks to their internal software development processes and systems result in applications with embedded security vulnerabilities and backdoors that are passed directly on to their customers.
The challenge of securing internal software factories from cyber criminals has fundamentally changed in a few short years. In the recent past, organizations would focus primarily on the secure consumption of open source libraries and third-party software components that go into their finished product. Today, the exposed attack surface targeted by cyber criminals is much larger to include underlying code repositories, build processes, systems, tools, and development teams. These risks are very real, as witnessed by Solarwinds, Codecov, and dozens of other highly damaging and publicized attacks. In fact, government and industry sources estimate that software supply chain attacks will increase at a rate 3-6X over the next few years.
Legit Security released a cyber-security product earlier this year to address this growing threat with an automated solution. The company takes a unique approach that starts with automated discovery and security analysis of all the systems, infrastructure, pipelines, code and teams used to create software within an organization. Most organizations lack a detailed inventory of their internal systems and processes that their developers use to store, build and deploy their software. The widespread adoption of DevOps, which embodies frequent software releases that pass through many different systems and collaborators in the software development lifecycle, complicates the matter further by increasing the rate of change and complexity of these environments.
The Legit Security solution builds on the foundation of automated discovery and adds a library of security policies curated from industry best practices and their internal security research team to identify security issues across the software supply chain in real time. Once implemented, the platform runs continuously in the background to keep software releases tamper free and safe, even as the code, development pipelines and underlying systems continuously change and adjust with business needs.
"With Legit Security, we're now able to inventory all our SDLC systems and security tools, view developer activity, and detect and remediate vulnerabilities across them fast," said Bob Durfee, Head of DevSecOps at Takeda Pharmaceutical Company.
The company's security solution also offers operational benefits at a time when cost-savings are top of mind for security and development leaders. One costly burden for an increasing number of organizations is the ability to comply with a new wave of regulations that include software supply chain security requirements. These regulations include FedRamp, Executive Order 14028, SOC2, ISO27001, and others. In addition to initial compliance, organizations typically must submit periodic attestation reports which Legit Security is able to help automate through a security scoring feature against pre-built or custom compliance frameworks. The platform monitors adherence to regulatory requirements in real-time, and includes reporting options such as generation of a Software Bill of Materials (SBOM) which is a recent addition to several regulations.
"Legit Security's platform visualizes and analyzes our software pipelines quickly to help ensure security compliance with regulatory frameworks, as well as the unique compliance requirements of some of our large financial services partners," said Or Cohen, Principal Engineer at Melio. "Legit's solution saves us time and resources and allows us to manage risk better."
Another important movement within the IT industry is to "shift security left" or move security awareness and responsibilities upstream in the development process to software developers themselves. Legit Security helps facilitate this by allowing organizations to compare a wide range of security parameters across individual software development teams, product lines, and development pipelines. By sharing a security scoreboard and providing tangible examples of improvements to be made, fewer issues will be introduced downstream, providing both security and operational benefits and allowing security teams to better utilize the resources they have.
"Legit helps us secure our CI/CD pipelines including tracking the security posture of our different teams and workspaces, addressing SDLC configuration drifts, and helping us apply security resources where it can help us most," said Erik Bataller, VP of Security, ACV Auctions. "Legit's platform enables our developers to maintain high velocity with minimal security friction and allows us to identify risk factors and adjust accordingly."
The challenge of securing software supply chains has expanded dramatically since the Solarwinds attack in December 2020. Cyber criminals are going after the software factories that make applications so they can embed vulnerabilities that are passed on to end-users, disrupt the business operations of the software providers themselves, or steal their intellectual property. Preventing these attacks means adopting a new mindset on the scope of application security as well as new automated security approaches that can allow organizations to stay safe and remain compliant while releasing software fast.
Legit Security is a cyber security platform that provides enterprise grade software solutions intended to solve complex business problems and brings modern solutions to the application security market. Co-founders Roni Fuchs, Liav Caspi, and Lior Barak developed the platform to bring visibility and contextual information clients need to minimize risk. Legit Security also gives clients the tools they need to ensure their teams and build processes adhere to best practices.
For more information on Legit Security, please visit https://www.legitsecurity.com/, or contact:
Dex Tovin
[email protected]
SOURCE: Legit Security