With the June 2023 Supply Chain Security executive order looming, Deepfactor 3.2 introduces important SCA, SBOM, and runtime security enhancements designed to help customers reduce risk, improve supply chain security, and comply with U.S. presidential Executive Order 14028.
Deepfactor Release 3.2 Overview
In addition to detecting security risks at runtime in dev and test environments, Deepfactor Developer Security 3.2 can now scan static artifacts (container images / source code) in the CI/CD pipeline to generate SBOMs and detect SCA vulnerabilities. Deepfactor correlates findings from static scanning with runtime security usage information to provide developers with a unified view of their applications’ security posture. This correlated data helps developers prioritize and filter alerts based on the runtime context and behavior of the vulnerable components.
For additional details on the Deepfactor Developer Security 3.2 release, please review the Release Notes in Deepfactor documentation.
Release 3.2 Highlights
Area | New Features | Enhancements
SBOM and SCA | Creation of SBOMs in CycloneDX and SPDX formats; static scanning of artifacts in the build pipeline to generate SBOMs and vulnerabilities; static scanning of container images when pods are started in Kubernetes clusters; SCA vulnerability alerts, including alerts for dependencies with unsupported license types (such as GPL) |
Runtime Enriched SCA | Correlation of static scan findings with runtime analysis to determine which components in container images are actually used, reducing alert fatigue for static SCA scans |
Runtime Analysis | | Performance optimization in Deepfactor runtime to reduce CPU consumption during the launch of the instrumented application container
Integrations | | Deepfactor Jira integration now supports additional mandatory field types, such as user id and version
Release 3.2 Details
Deepfactor Developer Security 3.2 introduces static scanning of artifacts, which enables developers to find vulnerabilities in their CI/CD pipelines and fix them proactively, early in dev and test. The Deepfactor scanner supports a wide range of OS distributions and programming language dependencies, as specified in the Deepfactor support matrix.
Deepfactor SBOM Capabilities
Deepfactor Developer Security 3.2 now includes the ability to produce, operationalize, and consume SBOMs at scale as part of the SDLC. Using the industry-standard CycloneDX and SPDX machine-readable formats, Deepfactor can automatically generate SBOMs when software builds are checked into code repositories. Unlike traditional tools that scan a single repository, Deepfactor can automatically group multiple software components into a complete application SBOM, while also maintaining the ability to view and download SBOMs at the component level. The Deepfactor portal provides a searchable, filterable, human-readable interface to help security teams respond quickly to zero-day vulnerabilities, developers fix vulnerabilities, and customers verify the supply chain security of their software. This document describes how customers can integrate Deepfactor SCA scanning in CI/CD pipelines.
And to learn more about integrating SBOMs into your CI/CD pipeline to meet the June 2023 Executive Order on security, check out this on-demand webinar.
Frequently Asked Questions
1. What are the key enhancements introduced in Deepfactor Developer Security 3.2?
Answer: Deepfactor Developer Security 3.2 introduces important enhancements in Software Composition Analysis (SCA) and Software Bill of Materials (SBOM) capabilities. It now allows static scanning of artifacts (container images / source code) in the CI/CD pipeline to generate SBOMs and detect SCA vulnerabilities. Additionally, Deepfactor correlates findings from static scanning and runtime security usage information to provide developers with a unified view of their applications’ security posture.
2. What specific features are included in the SBOM and SCA enhancements?
Answer: The SBOM and SCA enhancements in Deepfactor Developer Security 3.2 include:
- Creation of SBOMs in CycloneDX and SPDX formats.
- Static scanning of artifacts within the build pipeline to generate SBOMs and vulnerabilities.
- Static scanning of container images when pods are started in Kubernetes clusters to generate SBOMs and vulnerabilities.
- SCA vulnerability alerts, including alerts for dependencies with unsupported license types (such as GPL).
3. How does Deepfactor correlate findings from static scans and runtime analysis?
Answer: Deepfactor correlates findings from static scans and runtime analysis to determine used components in container images, helping reduce alert fatigue for static SCA scans. This correlation provides developers with insights into the runtime context and behavior of vulnerable components, enabling them to prioritize and filter alerts effectively.
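The correlation described above, as an added illustration that is not Deepfactor's code or its algorithm: it joins a constructed CycloneDX-style SBOM fragment with constructed static SCA findings and a constructed set of components a runtime agent observed loaded, flags a GPL-licensed dependency as a policy alert, and ranks alerts so that vulnerabilities in components never loaded at runtime sink to the bottom. All component names, purls and vulnerability ids are placeholders.

```python
import json

# Constructed CycloneDX 1.4-style SBOM fragment (sample data, not a real scan).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "libalpha", "version": "1.2.0", "purl": "pkg:generic/libalpha@1.2.0",
   "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "libbeta", "version": "0.9.1", "purl": "pkg:generic/libbeta@0.9.1",
   "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"name": "libgamma", "version": "4.0.0", "purl": "pkg:generic/libgamma@4.0.0",
   "licenses": [{"license": {"id": "Apache-2.0"}}]}]}"""

# Constructed static SCA findings per purl (placeholder ids, not real CVEs).
STATIC_FINDINGS = {
    "pkg:generic/libalpha@1.2.0": [("VULN-PLACEHOLDER-1", "critical")],
    "pkg:generic/libgamma@4.0.0": [("VULN-PLACEHOLDER-2", "high")],
}

# Constructed runtime observation: purls a runtime agent saw loaded in the
# instrumented container. libalpha is present in the image but never loaded.
RUNTIME_LOADED = {"pkg:generic/libbeta@0.9.1", "pkg:generic/libgamma@4.0.0"}

DISALLOWED_LICENSE_PREFIXES = ("GPL-",)  # license policy, as in the page's GPL example
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "policy": 4}


def correlate(sbom_json, findings, runtime_loaded):
    """Join SBOM components with static findings and runtime usage, then sort so
    alerts on components actually loaded at runtime come first."""
    sbom = json.loads(sbom_json)
    alerts = []
    for comp in sbom["components"]:
        purl = comp["purl"]
        loaded = purl in runtime_loaded
        for vuln_id, severity in findings.get(purl, []):
            alerts.append({"purl": purl, "id": vuln_id, "severity": severity,
                           "loaded_at_runtime": loaded})
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id", "")
            if lic_id.startswith(DISALLOWED_LICENSE_PREFIXES):
                alerts.append({"purl": purl, "id": "license:" + lic_id,
                               "severity": "policy", "loaded_at_runtime": loaded})
    # Sort key: unloaded components sink below loaded ones; then by severity.
    alerts.sort(key=lambda a: (not a["loaded_at_runtime"],
                               SEVERITY_RANK.get(a["severity"], 9)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SBOM_JSON, STATIC_FINDINGS, RUNTIME_LOADED):
        print(alert)
```

With the sample data, the critical finding in libalpha is listed last because the component was never loaded, while the high finding in the loaded libgamma is listed first.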
4. What improvements have been made in the runtime analysis performance?
Answer: Deepfactor Developer Security 3.2 includes performance optimization in the runtime analysis to reduce CPU consumption during the launch of the instrumented application container, enhancing overall efficiency and resource utilization.