Workshop on SCA 2.0: Using Runtime Reachability Analysis to Prioritize SCA Vulnerabilities

With Deepfactor Instructors: Rizwan Merchant, VP of Engineering; Vikas Wadhvani, Director of Product Engineering and Kiran Kamity, Founder & CEO.

This live workshop was conducted and recorded on October 18th, 2023. If you would like to actively follow along with the workshop, you can sign up for our free 14-day trial of the Deepfactor platform. Otherwise, please enjoy the workshop information.

Picture this: Your application is composed of 12 Docker containers. Together, they have 400 packages. Your SCA scan detects 120 critical and high vulnerabilities. Your dev team doesn’t have the cycles to fix all of them in time. How do you identify which vulnerabilities truly represent higher risk?

In this hands-on workshop, introduced by Deepfactor founder & CEO, Kiran Kamity, Deepfactor’s VP of Engineering, Rizwan Merchant, and our Director of Product Engineering, Vikas Wadhvani, walk you through the process of using runtime analysis to identify which vulnerable components in an application are actually loaded into memory and, therefore, represent a higher risk to your business. You’ll learn how to be a hero in your organization by helping your dev teams save time and fix a significantly smaller number of high-risk vulnerabilities!

The workshop includes:

Intro to ‘Next-gen SCA’:

  • Why traditional static SCA approaches are outdated
  • How to cut down this noise with runtime analysis
  • How ‘Runtime SCA’ can result in risk-based prioritization
  • How ‘Runtime SCA’ can help organizations approach new zero-days more maturely

Hands-on session

  • Scan sample container artifacts to obtain a list of CVEs
  • Observe running applications with a simple command to identify which modules actually got loaded into memory
  • Correlate SCA scans with runtime analysis to identify the intersection between what is vulnerable, exploitable, used and reachable
  • Review dependency scans using an example application with a vulnerable version of Log4j and identify high-risk instances of Log4j based on runtime usage and reachability
  • Identify which classes within Log4j were actually loaded into memory
  • Review container scans using an example of the recent OpenSSL vulnerability
  • Identify high-risk instances of OpenSSL based on which shared objects within the vulnerable version of OpenSSL were loaded into memory
  • Review findings and remediation guidance
  • Receive self-directed “homework” for the morbidly curious!
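The correlation step above, as an added example that is not part of the workshop materials or Deepfactor's product: it parses the file paths a process has mapped (in the format of `/proc/<pid>/maps`), intersects them with the files installed by each vulnerable package from a scan, and orders findings so that loaded components of the highest severity come first. The findings, version strings, CVE ids (deliberately invalid placeholders) and maps excerpts are all constructed for illustration.

```python
"""Correlate SCA findings with the modules a running container actually loaded.

Constructed example: findings, versions, CVE placeholders and maps excerpts
below are made up for illustration; they are not scanner output and not
Deepfactor code.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    container: str
    package: str
    version: str
    cve: str          # placeholder ids, not real CVE numbers
    severity: str
    files: frozenset  # files the vulnerable package installed into the image


# Constructed SCA findings for two containers of one application.
SCA_FINDINGS = [
    Finding("api", "openssl", "3.x-placeholder", "CVE-0000-0001", "critical",
            frozenset({"/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"})),
    Finding("api", "log4j-core", "2.x-placeholder", "CVE-0000-0002", "critical",
            frozenset({"/app/lib/log4j-core.jar"})),
    Finding("worker", "log4j-core", "2.x-placeholder", "CVE-0000-0002", "critical",
            frozenset({"/app/lib/log4j-core.jar"})),
    Finding("worker", "zlib", "1.x-placeholder", "CVE-0000-0003", "high",
            frozenset({"/usr/lib/libz.so.1"})),
]

# Constructed /proc/<pid>/maps excerpts, one per container; only the path column matters.
RUNTIME_MAPS = {
    "api": """\
7f10 r-xp 00000000 08:01 100 /usr/lib/libcrypto.so.3
7f20 r--p 00000000 08:01 101 /app/lib/log4j-core.jar
7f30 rw-p 00000000 00:00 0 [heap]
""",
    "worker": """\
7f40 r-xp 00000000 08:01 102 /usr/lib/libz.so.1
7f50 rw-p 00000000 00:00 0 [stack]
""",
}


def loaded_files_from_maps(maps_text):
    """Return the set of file paths mapped into a process, parsed from maps-format text.

    Anonymous mappings have no sixth field; pseudo-paths such as [heap] are skipped.
    """
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return paths


def correlate(findings, runtime_maps):
    """Pair each finding with the vulnerable package's files that were actually mapped."""
    loaded = {name: loaded_files_from_maps(text) for name, text in runtime_maps.items()}
    return [(f, sorted(f.files & loaded.get(f.container, set()))) for f in findings]


def prioritize(results):
    """Loaded findings first, then by severity, then by container name.

    Returns (container, cve, loaded_files) tuples; an empty list means the
    vulnerable package was present in the image but never mapped into memory.
    """
    ordered = sorted(
        results,
        key=lambda r: (not r[1], SEVERITY_RANK.get(r[0].severity, 9), r[0].container),
    )
    return [(f.container, f.cve, hit) for f, hit in ordered]


if __name__ == "__main__":
    for row in prioritize(correlate(SCA_FINDINGS, RUNTIME_MAPS)):
        print(row)
```

With the constructed input, the OpenSSL and Log4j findings in `api` and the zlib finding in `worker` rank first because their files were mapped, while the Log4j copy in `worker` drops to the bottom because nothing from that package was loaded. The example works at file granularity (shared objects and jars); the class-level view of Log4j shown in the workshop needs a JVM-side source of loaded classes rather than process mappings, which this script does not model.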

Key Takeaways:

  • Receive homework to help you use Deepfactor with your own applications
  • Receive an in-depth introduction to a new AppSec tool delivered by the VP of Engineering who built it
  • Learn a new way to prioritize alerts: address those in components that are actually used first, reducing noise