Azul has launched Azul Vulnerability Detection, a new SaaS product that continuously detects known security vulnerabilities that exist in Java applications.
By eliminating false positives and with no performance impact, Azul Vulnerability Detection is ideal for in-production use and addresses the growing enterprise risk around software supply chain attacks.
According to Gartner, “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021” (Gartner, Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management, Mark Driver, September 6, 2022).
Azul’s agentless cloud service helps organizations understand their Java application exposure to known vulnerabilities based on actual usage in production, QA and development. This approach enables end-to-end security across the software supply chain with no performance penalty while eliminating false positives.
Vulnerabilities in third-party production code increase enterprise risk
An estimated 40% to 80% of the lines of code in software come from third parties such as libraries, components and SDKs. Vulnerabilities within third-party sources, whether commercial or freely available open source, present a growing risk to all enterprises and need addressing across all phases of the software supply chain.
For example, organizations continue to grapple with Log4Shell, a critical vulnerability found in a widely used Java-based logging component (Log4j), which the Department of Homeland Security called “one of the most serious software vulnerabilities in history.”
Azul Vulnerability Detection lets organizations focus on where components such as Log4j are actually run and used instead of merely present. This runtime-level visibility enables faster remediation of vulnerabilities with less operational overhead.
“Attackers will target commonly used open source to find vulnerabilities because they know their wide usage will leave many organizations open to attack. We’ve learned from past vulnerabilities like Log4Shell that the challenge is in quickly finding the instances in use and quickly remediating them,” said Melinda Marks, senior analyst, Enterprise Strategy Group.
“Azul Vulnerability Detection will be helpful for organizations to use to efficiently remediate Java vulnerabilities to protect their applications,” Marks added.
Detecting vulnerabilities in production is key to securing software supply chains
Azul Vulnerability Detection identifies code run using granular techniques inside Azul JVMs and maps it against a curated Java-specific database of common vulnerabilities and exposures (CVEs). This produces more accurate results and eliminates false positives, even for custom code and shaded components.
Additionally, the history of detections is retained so that when new CVEs are disclosed organizations can find out when and on what systems they have been running the vulnerable versions, allowing for focused and efficient forensics.
Users can access data about which components are (or were) present, in use and vulnerable, via either the product’s API or an intuitive UI. As an agentless cloud service, Azul Vulnerability Detection avoids the performance penalty associated with other tools that require customers to install and manage a separate piece of software such as agents.
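The two ideas this section leans on, distinguishing a vulnerable component that is merely on the classpath from one whose code the JVM actually executed, and keeping that history so a newly disclosed CVE can be matched against past runs, can be modelled in a few lines. The following is an added illustration written for this page, not Azul's code or the product's data model: the observation records, the advisory with its affected-version range, the CVE id and every artifact name, version and host are constructed placeholders.

```python
"""Toy model of runtime-use vulnerability matching (constructed example).

A stream of JVM component observations (what was on the classpath vs. what
actually had classes loaded) is matched against a small Java-specific CVE
list with affected-version ranges. Every identifier below is made up.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Observation:
    ts: datetime      # when the JVM reported the component
    host: str         # which system ran it
    artifact: str     # e.g. "org.example:logging-core" (hypothetical)
    version: str
    loaded: bool      # True = classes from this jar were actually executed


@dataclass(frozen=True)
class Advisory:
    cve_id: str       # placeholder id, not a real CVE
    artifact: str
    affected_min: str  # inclusive lower bound
    fixed_in: str      # exclusive upper bound
    published: datetime


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def classify(observations, advisories):
    """Return {(host, artifact, version): status}.

    'vulnerable_in_use'  - affected version and its classes were executed
    'vulnerable_present' - affected version on the classpath, never executed
    'clean'              - no advisory matches
    Only the first bucket needs urgent remediation; an inventory-only scanner
    would report the second bucket too, which is the false-positive noise
    the text refers to.
    """
    result = {}
    for obs in observations:
        key = (obs.host, obs.artifact, obs.version)
        hit = any(a.artifact == obs.artifact and is_affected(a, obs.version)
                  for a in advisories)
        status = "clean" if not hit else ("vulnerable_in_use" if obs.loaded
                                          else "vulnerable_present")
        # 'in use' dominates 'present' across repeated observations
        if result.get(key) != "vulnerable_in_use":
            result[key] = status
    return result


def retrospective(observations, advisory):
    """For a newly disclosed advisory, list where the affected version was
    actually executed before disclosure: (host, version, first_seen, last_seen)."""
    windows = {}
    for obs in observations:
        if obs.artifact != advisory.artifact or not obs.loaded:
            continue
        if not is_affected(advisory, obs.version) or obs.ts >= advisory.published:
            continue
        key = (obs.host, obs.version)
        first, last = windows.get(key, (obs.ts, obs.ts))
        windows[key] = (min(first, obs.ts), max(last, obs.ts))
    return sorted((h, v, f, l) for (h, v), (f, l) in windows.items())


# Constructed sample data: one hypothetical advisory and a handful of reports.
ADVISORIES = [
    Advisory("CVE-0000-PLACEHOLDER", "org.example:logging-core",
             "2.0", "2.15", datetime(2024, 3, 10)),
]
OBSERVATIONS = [
    Observation(datetime(2024, 1, 5), "web-01", "org.example:logging-core", "2.14.1", True),
    Observation(datetime(2024, 2, 20), "web-01", "org.example:logging-core", "2.14.1", True),
    Observation(datetime(2024, 1, 5), "batch-07", "org.example:logging-core", "2.14.1", False),
    Observation(datetime(2024, 4, 1), "web-02", "org.example:logging-core", "2.17.0", True),
    Observation(datetime(2024, 1, 5), "web-01", "org.example:http-client", "4.5.13", True),
]

if __name__ == "__main__":
    for key, status in sorted(classify(OBSERVATIONS, ADVISORIES).items()):
        print(key, status)
    for row in retrospective(OBSERVATIONS, ADVISORIES[0]):
        print("ran vulnerable code before disclosure:", row)
```

In the sample, `web-01` executed the affected version and is flagged as in use, `batch-07` only had it on the classpath and is flagged as present, and `web-02` runs a fixed release. The retrospective query answers the forensic question from the text: which hosts ran the affected version, and over what window, before the advisory existed.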
“Azul Vulnerability Detection makes security a byproduct of simply running your Java software,” said Scott Sellers, Azul CEO and co-founder.
“Our new product fills a critical gap in enterprises’ security strategies – detecting vulnerabilities at point of use in production, the endpoint of the software supply chain. As a leading Java runtime provider to the world’s most important enterprises around the globe, Azul is uniquely positioned to improve the vulnerability detection market by eliminating the performance penalties and false positives that have plagued customers who rely solely on legacy tools,” Sellers continued.
Azul’s new product enables practical observability of vulnerabilities in production
Azul Vulnerability Detection is generally available now and works with any Azul JVM, including free Azul Zulu Builds of OpenJDK, and is compatible with all Java applications, libraries and frameworks.
Benefits include:
- Ongoing detection at point of use in production: Continuously assesses application-level exposure to vulnerabilities in production without the need for source code. Compares code run against a Java-specific CVE database.
- Eliminate false positives and accelerate remediation: Focuses scarce human remediation effort where vulnerable code is or has been used vs. merely present. Eliminates false positives by monitoring code executed by the Java runtime (JVM) and generates accurate results unattainable by traditional tools.
- NoOps with transparent performance enables practical production observability: Leverages monitoring and detection built in to Azul JVMs, which eliminates the performance penalty commonly seen with other application security tools. As an agentless solution, eliminates management overhead for maintaining and updating separate agents in production.
- Detection for every Java application, library and framework: Checks all of an enterprise’s Java software (including frameworks such as Spring, Hibernate, Tomcat, Quarkus, Micronaut, and infrastructure such as Kafka, Cassandra, Elasticsearch, Spark, Hive, Hadoop and more) — whether they built it, bought it, or are introducing a security regression with a recent change.
- Historical traceability enables focused forensics: History of component and code use is retained, helping enterprises focus forensic efforts to determine if vulnerable code was actually exploited prior to it being known as vulnerable.