Cycode Recognized as a Cool Vendor in Recent Gartner® Report

Orion Cassetto
Sr. Director of Product Marketing

We’re thrilled to announce that Gartner recognized Cycode as a Cool Vendor in the April 2022 Gartner® Cool Vendors™ in Application Security: Protection of Cloud-Native Applications. 

We believe two of Cycode’s key differentiators are our ability to address the growing attack surface in modern software supply chains and our ability to make sense of the growing volume of siloed data generated by the SDLC using our Knowledge Graph.

A Rise in Software Supply Chain Attacks

2021 was a record year for software supply chain attacks, an attack type that looks to compromise the development teams, tools, and processes involved in building, packaging, and deploying applications. What’s becoming increasingly clear is that these attacks are here to stay and will continue to increase in popularity until the underlying conditions that attract attackers to them are remedied. 

According to Gartner:

“By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”
– Gartner, Inc. How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risk. Manjunath Bhat, Dale Gardner, Mark Horvath. July 15, 2021.

We believe that several factors have contributed to the rise of software supply chain attacks, including:

  • Expanding attack surface
  • Increased ability of attackers to move laterally across the SDLC
  • AppSec data continues to be siloed

Expanding Attack Surface

The DevOps approach to software development has brought with it an increase in tooling, including source control management systems (SCMs), build tools, container registries, infrastructure as code tools, cloud providers and more. Each of these tools represents an expansion of the attack surface.

The security of DevOps tools and infrastructure presents a challenge for AppSec teams because these tools are owned and implemented by engineering, configured by default for efficiency (not security), and often proliferate across multiple engineering teams. Failure to implement consistent and effective security controls across this myriad of tooling provides attackers with an easy entry point to the SDLC.

Gartner advises that:

“Software supply chain attacks are becoming increasingly sophisticated, with malicious actors exploiting weaknesses at every stage in the software procurement, development and delivery life cycle. This includes everything from injecting malicious code into open-source packages to installing back doors in post deployment software updates.”
– Gartner, Inc. How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risk. Manjunath Bhat, Dale Gardner, Mark Horvath. July 15, 2021.

Increasing Lateral Mobility

As DevOps practices become more commonplace, the interconnected tooling and automated processes make it easier for attackers to move throughout the SDLC after initial compromise. Trends like everything as code and the rise of GitOps provide huge productivity advances for engineers, but attackers can also exploit these integrations and automations to their advantage. Once attackers have breached a single system, automated pipelines make it easy for them to move laterally across the SDLC and remain undetected for long periods of time. With everything as code, malicious actors can sweep through an entire system and do more damage with less effort. As the Codecov breach shows, one poorly configured file can expose your entire system—not to mention your customers’ systems—and cause irreparable damage.

Famed ex-Microsoft engineer Steve McConnell once remarked:

“In software, the chain isn’t as strong as its weakest link; it’s as weak as all the weak links multiplied together.”
– Software Project Survival Guide by Steve C. McConnell, 1997

AppSec Continues to be Siloed

Modern software delivery pipelines create a number of silos that make security challenging. Each phase of the SDLC has its own tooling, such as SCMs in the implementation phase, build tools in the testing phase, container registries in the deployment phase, and cloud providers in the runtime or maintenance phase—all of which create natural data barriers. Security is similarly segmented, with AppSec tools like SAST, SCA, WAF, etc. all running in different silos. This makes it difficult for AppSec teams to obtain a complete view of their software supply chain and its risks.

Addressing Software Supply Chain Attacks Head On

Cycode has developed a comprehensive platform to tackle the growing problem of software supply chain attacks. This platform combines many complementary techniques to overcome the obstacles application security teams face when looking to secure their software delivery pipelines. Unlike other solutions, Cycode hardens SDLC tooling, provides unparalleled visibility across the SDLC, and centralizes software supply chain security.

Harden SDLC Tooling

As DevOps toolchains become more complex, managing policies across the entire SDLC becomes more painful. Moreover, larger organizations have multiple teams using different tools; acquisitions exacerbate this problem further.

Gartner recommends that organizations:

“Harden the software delivery pipeline by configuring security controls in continuous integration/continuous delivery (CI/CD) tools, securing secrets, and signing code and container images.”
– Gartner, Inc. Gartner Cool Vendors in Application Security: Protection of Cloud-Native Applications. Dr. Joerg Fritsch, Ravisha Chugh, Jeremy D’Hoinne, and Mark Wah. April 12, 2022.

Cycode applies and enforces consistent governance and security policies across all your teams and tools. This enables customers to centrally manage governance of source control and CI/CD security policies across all their DevOps tools and infrastructure. 

Provide Unparalleled Visibility Across the SDLC

Cycode breaks down the data silos inherent to AppSec by integrating with all of the tools engineering teams use in their software delivery pipelines and taking an accurate inventory of your DevOps environment. This inventory spans all tools in the SDLC and includes all of the repos that exist, the access privileges and usage patterns of users, behavioral baselines, and even the security settings of the tools themselves. Armed with a comprehensive view of a software delivery pipeline, Cycode connects the dots between the phases of the SDLC to track how entities in one phase relate to those of other phases.

In a recent Gartner Peer Insights review, one customer remarked that:

“Cycode provides quick visibility into the dark corners of the SDLC. Cycode’s Knowledge Graph provides the ability to search the ‘impossible’ datasets of users, permissions, commits, etc. from within tools like BitBucket Workflows.”

This cross-phase view of your SDLC enables Cycode to identify things like code tampering and to understand relationships between vulnerabilities, misconfigurations, user activity, and more. It also enables Cycode to accurately assess the risk that specific security issues pose to an organization. 

Centralize Software Supply Chain Security

Defending against software supply chain attacks does not rest on the use of a single security technique or technology. 

In fact, Gartner has outlined at least 9 top practices that should be performed to mitigate these risks:

– Gartner, Inc. How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risk. Manjunath Bhat, Dale Gardner, Mark Horvath. July 15, 2021.

While it may be tempting for security professionals to look for specialized software vendors that provide purpose-built security solutions addressing one or two of these items, that approach results in a huge management overhead. Moreover, using multiple platforms to address SDLC risks exacerbates the data silo problem outlined above. Software supply chain attack surfaces are so vast and interconnected that organizations need a comprehensive solution that covers many dimensions of SDLC risk, using many complementary techniques.

In a recent blog post, Gartner remarked that:

“Gartner sees consolidation as a welcome trend that should reduce complexity, cut costs and improve efficiency, leading to better overall security.”
– Gartner, Inc. 7 Top Trends in Cybersecurity for 2022. Susan Moore. April 13, 2022.

We believe that the Cycode platform represents the most complete software supply chain security solution available today. It provides visibility, security, and integrity across all phases of the SDLC from a single solution. Moreover, Cycode integrates with DevOps tools and infrastructure providers, hardens their security postures by implementing consistent governance, and reduces the risk of breaches with a collection of scanning engines that look for issues like hardcoded secrets, infrastructure as code misconfigurations, code leaks, and more. Cycode’s Knowledge Graph tracks code integrity, user activity, and events across the SDLC to prioritize risk, find anomalies, and prevent code tampering.

Read the Report

Gartner clients can view the Gartner Cool Vendors in Application Security: Protection of Cloud-Native Applications report here:


Gartner, Inc. How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risk. Manjunath Bhat, Dale Gardner, Mark Horvath. July 15, 2021.

Gartner, Inc. Gartner Cool Vendors in Application Security: Protection of Cloud-Native Applications. Dr. Joerg Fritsch, Ravisha Chugh, Jeremy D’Hoinne, and Mark Wah. April 12, 2022.

Gartner, Inc. 7 Top Trends in Cybersecurity for 2022. Susan Moore. April 13, 2022.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.