What is Deepfactor and How Does it Work?

Transcript:

Speaker 1:

Deepfactor is a next-generation application security platform. It combines the power of multiple application security tools into one integrated solution. It takes a unified approach to software bill of materials and software composition analysis on the left and runtime security on the right. It marries the two together using runtime correlation that enables engineering teams to not only pinpoint the fact that they have a thousand vulnerable components in their applications and containers, but also that only 50 of them, for example, are actually being loaded and used at runtime, which helps engineering teams identify and fix the most important ones first, and also helps them understand that there are a bunch of unused but vulnerable components in their applications that they can then work to remediate.

The way Deepfactor works is by integrating on both sides of the development pipeline. At scan time, the Deepfactor scanner, DFCTL, is used to detect vulnerabilities as well as licenses in the application, and this can be integrated as part of the CI pipeline. The same scanner can also be used to generate industry-standard bills of materials in CycloneDX or SPDX formats. On the right side, Deepfactor observes running applications, running containers, as well as running Kubernetes environments seamlessly, and it performs two tasks. One, it scans for software composition analysis and container images at runtime, especially useful for those containers that are not part of your CI pipeline on the left. Number two, it drops a .so file into the containers to observe the process behaviors within the containers for bad file system, network, memory, and other behaviors that could result in potentially vulnerable or insecure behaviors that may not be caught by the tools on the left, like SAST or SCA.

By observing the running applications and running containers, Deepfactor can help you uncover malicious behaviors, such as if your developer accidentally brought in a third-party library. That third-party library is making an outbound call to a certain unauthorized or unwanted geography, or it is using Telnet when you're not expecting it to, or it's doing SCP to certain locations, or it's touching certain parts of the file system, and so on and so forth. Those types of unknown vulnerabilities can be detected by observing these applications at runtime.

Next, what Deepfactor does is it correlates between the left and the right to tell you that you may have a certain number of vulnerable components in your application, but not all of them are actually being used and loaded into memory at runtime. Here it goes down to the level of classes when applicable. For example, with Log4j, it'll tell you that you may have Log4j in seven of your nine containers, but only in two instances is Log4j actually loaded into memory and a specific vulnerable class actually loaded in memory. This helps you narrow down and reduce the number of alerts that software composition analysis or container scans can traditionally generate, therefore empowering engineering teams to identify and fix the things that matter most. Deepfactor integrates seamlessly into the various dev and test tools so that developers can stay within their favorite tools, like using Slack or JIRA for bug reporting, and also integrates seamlessly into the CI pipelines so that the devs don't generally have to go outside their toolset to see security-related information.
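The left/right correlation the speaker describes, reduced to its core step, as an added illustration that is not Deepfactor's code: a constructed CycloneDX-style SBOM excerpt carrying SCA findings is matched against a constructed /proc/&lt;pid&gt;/maps excerpt of the running process, so vulnerable components split into "loaded" (fix first) and "unused" (remove). The `vulnerable` flag and the `SONAME_OF` package-to-library map are assumptions for the example; a real tool derives both from scanner output and package manager file lists.

```python
import json

# Constructed CycloneDX-style SBOM excerpt (not from a real scan). The
# "vulnerable" flag is a stand-in for the findings an SCA scanner attaches.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "libssl",  "version": "1.1.1k", "vulnerable": true},
    {"name": "libxml2", "version": "2.9.10", "vulnerable": true},
    {"name": "zlib",    "version": "1.2.11", "vulnerable": false},
    {"name": "libpng",  "version": "1.6.37", "vulnerable": true}
  ]
}"""

# Constructed /proc/<pid>/maps excerpt: only libssl, libz and libc are mapped.
PROC_MAPS = """\
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a10400000-7f3a10420000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f3a10600000-7f3a10610000 r-xp 00000000 08:01 1236 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10800000-7f3a10821000 rw-p 00000000 00:00 0
"""

# Hypothetical package-name -> SONAME map; in practice this comes from the
# package manager's file lists (e.g. dpkg -L), not from a hard-coded table.
SONAME_OF = {"libssl": "libssl.so.1.1", "libxml2": "libxml2.so.2",
             "zlib": "libz.so.1.2.11", "libpng": "libpng16.so.16"}


def loaded_libraries(maps_text: str) -> set:
    """Base names of the shared objects mapped into the process."""
    names = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)       # addr perms offset dev inode [path]
        if len(fields) == 6 and ".so" in fields[5]:
            names.add(fields[5].rsplit("/", 1)[-1])
    return names


def correlate(sbom_json: str, maps_text: str) -> dict:
    """Split vulnerable SBOM components by whether they are loaded at runtime."""
    loaded = loaded_libraries(maps_text)
    vulnerable = [c for c in json.loads(sbom_json)["components"] if c.get("vulnerable")]
    in_memory = [c["name"] for c in vulnerable if SONAME_OF.get(c["name"]) in loaded]
    unused = [c["name"] for c in vulnerable if SONAME_OF.get(c["name"]) not in loaded]
    return {"vulnerable": len(vulnerable), "loaded_and_vulnerable": in_memory,
            "unused_vulnerable": unused}


if __name__ == "__main__":
    print(correlate(SBOM_JSON, PROC_MAPS))
```

On this input three components are vulnerable, but only libssl is mapped, so it is the one to patch first while libxml2 and libpng are candidates for removal.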