Azul launches a new Saas to secure software supply chain
Azul has announced Azul Vulnerability Detection, a new SaaS product that continuously detects known security vulnerabilities in Java applications.
By eliminating false positives and with no performance impact, Azul Vulnerability Detection (AVD) is ideal for in-production use. In addition, it addresses the rapidly increasing enterprise risk around software supply chain attacks.
Gartner states, "By 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”
Azul's agent-less cloud service helps organisations understand their Java application exposure to known vulnerabilities based on actual usage in production, QA, and development. This approach enables true end-to-end security across the software supply chain with no performance penalty while eliminating false positives.
An estimated 40% to 80% of the lines of code in software come from third parties such as libraries, components and SDKs. Vulnerabilities within third-party sources, whether commercial or freely available open-source, present a growing risk to all enterprises and need addressing across all phases of the software supply chain.
For example, organisations continue to grapple with Log4Shell, a critical vulnerability found in a widely used Java-based logging component (Log4j), which the US Department of Homeland Security called “one of the most serious software vulnerabilities in history”.
AVD lets organisations focus on where components such as Log4j are run and used instead of merely present. This highly accurate runtime-level visibility enables faster remediation of vulnerabilities with significantly less operational overhead.
“Attackers will target commonly used open source to find vulnerabilities because they know their wide usage will leave many organisations open to attack. We’ve learned from past vulnerabilities like Log4Shell that the challenge is in rapidly finding the instances in use and quickly remediating them,” says Melinda Marks, Senior Analyst, Enterprise Strategy Group.
“AVD will be helpful for organisations to use to efficiently remediate Java vulnerabilities to protect their applications.”
AVD uniquely identifies code run using sophisticated, highly granular techniques inside Azul JVMs and maps against a curated Java-specific database of common vulnerabilities and exposures (CVEs). This produces more accurate results and eliminates false positives, even for custom code and shaded components.
Additionally, the history of detections is retained so that when new CVEs are disclosed, organisations can find out when and on what systems they have been running the vulnerable versions, allowing for focused and efficient forensics.
Users can access data about which components are (or were) present, in use and vulnerable, via either the product's API or an intuitive UI. In addition, as an agent-less cloud service, AVD avoids the performance penalty associated with other tools that require customers to install and manage a separate piece of software, such as agents.
“Azul Vulnerability Detection makes security a by-product of simply running your Java software,” says Scott Sellers, CEO and Co-founder Azul.
“Our new product fills a critical gap in enterprises’ security strategies - detecting vulnerabilities at point of use in production, the endpoint of the software supply chain. As a leading Java runtime provider to the world’s most important enterprises around the globe, Azul is uniquely positioned to augment the vulnerability detection market by eliminating the performance penalties and false positives that have plagued customers who rely solely on legacy tools.”
The latest announcement represents the newest product addition to the Azul Intelligence Cloud family.
AVD is generally available now and works with any Azul JVM, including free Azul Zulu Builds of OpenJDK, and is compatible with all Java applications, libraries and frameworks.
Some of its benefits include continuously assessing application-level exposure to vulnerabilities in production without the need for source code. It also compares code run against a Java-specific CVE database.
AVD focuses scarce human remediation effort where vulnerable code is or has been used vs. simply present. It eliminates false positives by monitoring code executed by the Java runtime (JVM) and generates accurate results unattainable by traditional tools.
AVD leverages monitoring and detection built into Azul JVMs, eliminating the performance penalty commonly seen with other application security tools. In addition, as an agent-less solution, it eliminates management overhead for maintaining and updating separate agents in production.
AVD checks an enterprise's Java software, including frameworks such as Spring, Hibernate, Tomcat, Quarkus, Micronaut, and infrastructure such as Kafka, Cassandra, Elasticsearch, Spark, Hive, Hadoop, and more.
In AVD, the history of component and code use is retained, helping enterprises focus forensic efforts to determine if vulnerable code was exploited before it being known as vulnerable.