Cycode is excited to announce the launch of new GenAI capabilities in our Risk Intelligence Graph (RIG). This brings the power of natural language query to the deep insights delivered by Cycode RIG, democratizing access into risk and vulnerability data across your organization. The added power of AI further establishes Cycode as the market leader for complete Application Security Posture Management (ASPM).
Cycode RIG and AI
Cycode RIG with AI inside is the world’s first neural network purpose built for complete ASPM, seamlessly integrating your code, builds, vulnerabilities, teams, organizations, artifacts, developers, and your company’s extensive security knowledge through the ease of everyday natural language.
AI tools have become ubiquitous, but none have been focused on enhancing efficiency in every aspect of application security management until now. Cycode RIG is intimately integrated into your ASPM platform, bridging the gaps and connecting the dots across any organizational knowledge that lives between security and development.
It functions like a human brain, using deep context and security insights to transform the way security teams manage application security and collaborate with developers.
What Is Cycode RIG?
Cycode Risk Intelligence Graph – or RIG for short – is a powerful tool that connects and correlates alerts across your entire software development lifecycle (SDLC). It allows you to filter the noise so that you can focus on the vulnerabilities that matter the most. That is, the vulnerabilities that represent true risk to your organization.
With Cycode RIG, you can harness the power to automatically generate comprehensive context for each identified vulnerability, eliminating false positives and prioritizing alerts. Because the RIG allows you to see the broader organizational impact of recently discovered vulnerabilities, you instantly understand their complete exposure and can quickly react to emerging threats. Furthermore, taking action on alerts is easy because the RIG allows you to tie vulnerabilities back to their owners, so they have the context they need to remediate them.
The RIG allows you to stay business impact driven. It determines which vulnerabilities are the riskiest by identifying high impact severity, risk score, and proximity to production. The depth of data delivered by the RIG allows you to identify which vulnerabilities to address first to effectively reduce risk across the enterprise.
RIG + AI Use Cases
Combining the power of the RIG with the ease and access of natural language amplifies Cycode’s already powerful capabilities. In this section, we highlight some of the common use cases in which the RIG can be used to identify critical risks. These range from secrets to software supply chain vulnerabilities to open source security and far beyond.
Secrets
We know that embedding usernames, passwords, tokens, API keys, and other secrets into code increases organizations’ security risk and has been the source of numerous headline-grabbing software supply chain attacks in recent years. Despite this, developers still commit secrets to code.
When you have a platform like Cycode, it’s easy to ensure that developers are scanning for secrets. Simply ask the RIG:
List all repositories that do not run secrets scans on pull requests
Once you identify which repos are not scanning for secrets, you can enable this feature to guarantee scans on all future pull requests.
With the RIG and AI, you can use natural language to create any number of sophisticated queries into your development and production environments. Perhaps you’re concerned that a user account has been compromised and is committing secrets to code. The following prompt allows you to scan for this:
Show me secrets committed by users without 2FA
Cycode RIG then shows the connection between users, their account settings, repositories, and hardcoded secrets. This allows you to understand whether secrets have been committed maliciously or perhaps even whether an account has been compromised.
Software Composition Analysis
Modern code bases are 80-90% open source. When a vulnerability is discovered in an open source library, it is usually publicly disclosed. This means that malicious actors have an instruction manual for how to infiltrate your application unless you are constantly patching and updating your libraries.
When a major vulnerability like Log4j is disclosed, time to patch is critical. With Cycode RIG, you can narrow down your scan results to identify instances of the vulnerability in production environments:
List all the instances of Log4j currently in production
By doing this, you can make sure you spin down and patch exploitable instances of a vulnerability like Log4j before your systems are compromised.
There are many other SCA use cases in which using the RIG gives you powerful insights into your code. For example, if you’ve successfully patched an open source vulnerability, you could use the RIG to identify other instances of that same vulnerability, including the owners of that code, to optimize and speed remediation efforts.
Software Supply Chain Security
Given the number of high profile attacks in recent years, software supply chains need to be locked down. Because software supply chains are highly interconnected and complex, identifying the gaps is not always easy.
The Cycode RIG allows you to glean numerous insights from your software supply chains, starting with who has access to your code:
Give me a list of all repositories and the members that have access to them
One Cycode customer found that, after using this query, more than one-third of the developers they thought had been offboarded still had access to the company’s private repositories. Cycode allowed them to fully lock down their repos and control who had access to sensitive code.
The RIG is also helpful in finding repositories that have bypassed security gates:
Find all repositories related to high business impact projects that did not enable pull request reviews in their branch protection settings
Disabled branch protection rules could indicate that something is wrong. A user committing code without the proper security gates is highly problematic. You might have a developer intentionally bypassing security protocols or you could have a compromised account. Neither of these is good.
In addition to inspecting user accounts and permissions, the RIG can identify the tools that make up your pipelines. This includes any known vulnerabilities these tools might have:
What dependencies do my CI/CD pipelines have?
List all vulnerable Jenkins plugins.
A number of high profile attacks have come in through pipeline tools. Understanding your inventory of tools and any defects they might have is an important step in locking down your pipelines.
Compliance
Compliance is always a major concern for any company that develops software. Making sure you meet these standards is both challenging and time consuming. The Cycode RIG allows you to easily build complex queries using plain language. For example, you could ask:
Find any images without SLSA attestation in production
or
Show me all dependencies with non-permissive licenses for organization xyz
Cycode then does all the heavy lifting. We find you exactly the data you need so that you can remediate any risk.
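The queries in the Secrets, Software Composition Analysis, Software Supply Chain Security and Compliance sections above all boil down to joins across entities that a scanner collects separately: users and their account settings, repositories and their branch protection, commits that contain secrets, and dependencies with their versions and licenses. The Python below is an added illustration of those joins over a toy in-memory graph. It is not Cycode's RIG, its schema, or its query engine; the entity fields, every user, repository, finding and version, the offboarding list, the set of affected Log4j versions and the list of permissive licenses are all constructed for the example.

```python
"""Toy risk graph: a handful of entity tables and the joins behind the
natural-language queries above.  Added illustration, not Cycode's RIG or
its schema; every user, repo, finding and version below is constructed
sample data."""
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    two_factor_enabled: bool


@dataclass(frozen=True)
class Dep:
    version: str
    license: str


@dataclass
class Repo:
    name: str
    business_impact: str               # "high" | "medium" | "low"
    pr_secret_scan: bool               # secrets scan runs on pull requests
    pr_reviews_required: bool          # branch protection requires PR review
    members: set                       # logins with access to the repo
    dependencies: dict = field(default_factory=dict)  # package -> Dep
    in_production: bool = False        # a build of this repo is deployed


@dataclass(frozen=True)
class SecretFinding:
    repo: str
    commit_author: str
    kind: str


# Constructed sample data standing in for what a scanner would collect.
USERS = {u.login: u for u in [
    User("alice", True), User("bob", False),
    User("carol", True), User("mallory", False)]}

REPOS = {r.name: r for r in [
    Repo("payments-api", "high", True, False, {"alice", "bob", "mallory"},
         {"log4j-core": Dep("2.14.1", "Apache-2.0")}, in_production=True),
    Repo("web-frontend", "medium", False, True, {"alice", "carol"},
         {"lodash": Dep("4.17.21", "MIT"),
          "reporting-lib": Dep("1.0.0", "GPL-3.0")}, in_production=True),
    Repo("internal-tools", "low", False, False, {"bob", "mallory"},
         {"log4j-core": Dep("2.17.1", "Apache-2.0")}),
]}

SECRETS = [
    SecretFinding("payments-api", "bob", "aws_access_key"),
    SecretFinding("web-frontend", "alice", "slack_token"),
    SecretFinding("internal-tools", "mallory", "db_password"),
]

OFFBOARDED = {"mallory"}   # logins HR says have left (constructed)


def repos_without_pr_secret_scans():
    """'List all repositories that do not run secrets scans on pull requests'"""
    return sorted(r.name for r in REPOS.values() if not r.pr_secret_scan)


def secrets_by_users_without_2fa():
    """'Show me secrets committed by users without 2FA': join each finding to
    the committing user, then to that account's 2FA setting."""
    return [(f.repo, f.commit_author, f.kind)
            for f in SECRETS if not USERS[f.commit_author].two_factor_enabled]


def production_instances_of(package, affected_versions):
    """'List all the instances of <package> currently in production'.
    affected_versions is supplied by the caller (constructed here, not a
    vulnerability-database lookup)."""
    return sorted(r.name for r in REPOS.values()
                  if r.in_production
                  and r.dependencies.get(package, Dep("", "")).version in affected_versions)


def repo_access_report():
    """'Give me a list of all repositories and the members that have access'"""
    return {r.name: sorted(r.members) for r in REPOS.values()}


def offboarded_with_access():
    """Cross the access report with the HR offboarding list."""
    return sorted((r.name, m) for r in REPOS.values() for m in r.members & OFFBOARDED)


def high_impact_repos_without_pr_reviews():
    """'Find all repositories related to high business impact projects that
    did not enable pull request reviews in their branch protection settings'"""
    return sorted(r.name for r in REPOS.values()
                  if r.business_impact == "high" and not r.pr_reviews_required)


def deps_with_non_permissive_licenses(permissive=("MIT", "Apache-2.0", "BSD-3-Clause")):
    """'Show me all dependencies with non-permissive licenses'"""
    return sorted((r.name, pkg, d.license) for r in REPOS.values()
                  for pkg, d in r.dependencies.items() if d.license not in permissive)


if __name__ == "__main__":
    print("repos without PR secret scans:", repos_without_pr_secret_scans())
    print("secrets by users without 2FA:", secrets_by_users_without_2fa())
    print("Log4j in production:", production_instances_of("log4j-core", {"2.14.1"}))
    print("offboarded but still with access:", offboarded_with_access())
    print("high-impact repos without PR reviews:", high_impact_repos_without_pr_reviews())
    print("non-permissive licenses:", deps_with_non_permissive_licenses())
```

The point of the toy is the shape of each answer: every query is a join between two or more tables that are normally owned by different teams (identity, source control, CI, legal), which is why the correlations are hard to get by hand and why a single graph that already holds all of them can answer in one step.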
Cycode
These examples are just a fraction of the things you can do with the RIG powered by AI. Cycode allows you to save any of your queries. The platform also comes fully equipped with prebuilt queries that you can use for common scenarios.
Cycode is the leading Application Security Posture Management (ASPM) platform providing peace of mind to its customers. Our complete ASPM scales and standardizes developer security without slowing down the business. The ASPM platform provides unmatched visibility, risk-based prioritization, and remediation at the speed of DevOps across the entire SDLC. With Cycode, enterprises can protect their cloud-native applications, ensuring the governance, compliance, and software supply chain integrity of every software release.
If you’re excited about the possibilities of Cycode RIG combined with AI and want to learn firsthand about how we give you the power to secure your organization, book a demo now.
Originally published: February 21, 2024