“Ahead of time analysis can be compared to a ‘background check’”
Maty Siman, founder and CTO at Checkmarx, spoke with us about how ahead-of-time analysis helps application security. Learn what security red flags we should look out for in open source code, how machine learning models can detect security vulnerabilities in code, and more.
JAXenter: How does ahead-of-time analysis help application security?
Maty Siman: Ahead of time analysis can be compared to a “background check” performed when hiring a new employee. This is vital with supply chain security, where there’s a need to collect as many data points as possible with open source intelligence (OSINT) ahead of time. Once a request comes to verify the “reputation score” of a contributor or of a package, the various data points are combined to generate that score. With the reputation score, customers can choose either to use the open source component, to take a deeper look and validate its risk status, or to look for an alternative, allowing them to make a safe and informed choice.
JAXenter: With the rise in supply chain attacks, what are some security best practices we should all be taking? What are some red flags we should be more aware of when using open source code?
Maty Siman: Open source packages are a great way to accelerate development, to contribute back to the community, and to focus only on the part of the logic that is directly impacting your business. But not all code packages are born the same. You should focus on the more popular packages, whose policy includes rigorous code security checks and code reviews before accepting new contributions, and which update to safer dependencies where applicable. In addition, packages whose contributors have better social profiles are preferable, as this is a sign of their trustworthiness. It is crucial to note that using “stars” as the sole metric for the trustworthiness of a package is often misleading.
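The answer above lists the data points that feed a package's "reputation score" and warns against treating stars as the sole metric. The script below is an added illustration, not Checkmarx or Dustico code: it combines constructed package metadata (field names, weights and thresholds are all assumptions) into a capped score so that stars alone can never carry a package, and maps the score onto the three choices the interview names (use, review further, look for an alternative).

```python
"""Added example (not Checkmarx/Dustico code): a toy package reputation score.

All metadata below is constructed; field names, weights and thresholds are
assumptions chosen to illustrate one point from the interview: popularity is
only one data point, and it is capped so it cannot dominate the score.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class PackageMetadata:
    name: str
    stars: int
    maintainers: int                # distinct people with publish rights
    requires_code_review: bool      # contributions need a review before merge
    has_security_policy: bool       # documented vulnerability disclosure process
    last_release: date
    outdated_dependencies: int      # dependencies with a newer, safer release available
    contributors_with_profile: int  # contributors with a verifiable public profile
    contributors_total: int


def reputation_score(pkg: PackageMetadata, today: date = date(2021, 9, 1)) -> float:
    """Return a score in 0..100 combining popularity, health, process and trust."""
    score = 0.0
    # Popularity: at most 10 points, however many stars the package has.
    score += min(pkg.stars / 1000, 10)
    # Maintenance health: more than one maintainer, and a recent release (up to 35).
    score += min(pkg.maintainers, 3) * 5
    days_since_release = (today - pkg.last_release).days
    if days_since_release <= 180:
        score += 20
    elif days_since_release <= 365:
        score += 10
    # Contribution policy: mandatory review and a security policy (up to 30).
    score += 20 if pkg.requires_code_review else 0
    score += 10 if pkg.has_security_policy else 0
    # Dependency hygiene: lose 2 points per outdated dependency (up to 10).
    score += max(0, 10 - 2 * pkg.outdated_dependencies)
    # Contributor trust: share of contributors with a verifiable profile (up to 15).
    if pkg.contributors_total:
        score += 15 * pkg.contributors_with_profile / pkg.contributors_total
    return round(score, 1)


def recommendation(score: float) -> str:
    """Map the score onto the three options the interview describes."""
    if score >= 70:
        return "use"
    if score >= 40:
        return "review before use"
    return "look for an alternative"


# Constructed packages: one with many stars but weak process, one well run.
POPULAR_BUT_STALE = PackageMetadata(
    name="example-popular", stars=40_000, maintainers=1,
    requires_code_review=False, has_security_policy=False,
    last_release=date(2019, 3, 1), outdated_dependencies=4,
    contributors_with_profile=1, contributors_total=6,
)
WELL_RUN = PackageMetadata(
    name="example-well-run", stars=1_500, maintainers=4,
    requires_code_review=True, has_security_policy=True,
    last_release=date(2021, 7, 15), outdated_dependencies=0,
    contributors_with_profile=8, contributors_total=10,
)

if __name__ == "__main__":
    for pkg in (POPULAR_BUT_STALE, WELL_RUN):
        s = reputation_score(pkg)
        print(f"{pkg.name}: stars={pkg.stars} score={s} -> {recommendation(s)}")
```

Run as a script, the package with 40,000 stars scores 19.5 and the 1,500-star package scores 88.5, which is the point of the interview's warning: the stars contribute at most 10 points, while review policy, release cadence and contributor trust decide the outcome.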
JAXenter: If many vulnerabilities in code are from human error, would it be beneficial to automate more code?
Maty Siman: There have been many attempts to make the development platforms and libraries more secure by design. However, these have had various degrees of success. The automation is done through coding, which itself is prone to security risks. Also, not everything can be automated, and there’s still a certain percentage of logic that needs to be written by a human being. Usually, these are the areas of the real IP (intellectual property), the secret sauce that makes a specific application unique.
JAXenter: How can we use machine learning models to detect security vulnerabilities in code?
Maty Siman: Organisations cannot afford to overlook the prevalence of malicious actors seeding vulnerable code into open source packages on repositories like GitHub. In fact, recent research found that nearly a fifth of all vulnerabilities within open source software were intentionally planted backdoors. Only recently has technology begun to catch up to this emerging threat. By monitoring the behavior of known-to-be-malicious packages, a statistical baseline can be set, and then similarly behaving packages can be effectively flagged with ease.
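The answer above describes setting a statistical baseline from the behaviour of known-malicious packages and flagging packages that behave similarly. The script below is an added example, not Dustico's engine: it builds that baseline from a constructed corpus of observed install-time behaviours and scores a new package by log-likelihood ratios. It also adds a benign baseline, which the interview does not mention, so that behaviours common in legitimate packages (an install script that builds a native extension, say) are not flagged on their own. The feature names, corpus and threshold are all assumptions.

```python
"""Added example (not Dustico code): a behaviour baseline for package triage.

Each package is summarised as the set of behaviours observed in a sandbox.
Feature names, the corpora and the threshold are constructed for illustration.
"""
import math
from typing import Dict, Iterable, List, Set, Tuple

FEATURES = [
    "install_script",            # runs code at install time
    "spawns_shell_on_install",   # install step launches a shell
    "network_on_install",        # install step makes outbound connections
    "reads_credentials",         # touches env vars / files that hold secrets
    "obfuscated_code",           # encoded or minified payload in source
    "writes_outside_package",    # writes files outside its own directory
]

# Constructed corpus of behaviours seen in known-malicious packages.
KNOWN_MALICIOUS: List[Set[str]] = [
    {"install_script", "spawns_shell_on_install", "network_on_install", "reads_credentials"},
    {"install_script", "network_on_install", "obfuscated_code", "reads_credentials"},
    {"install_script", "spawns_shell_on_install", "obfuscated_code", "writes_outside_package"},
    {"network_on_install", "reads_credentials", "obfuscated_code"},
]
# Constructed corpus of behaviours seen in legitimate packages.
KNOWN_BENIGN: List[Set[str]] = [
    {"install_script"},
    set(),
    {"install_script", "spawns_shell_on_install"},  # compiles a native extension
    {"network_on_install"},                         # fetches a prebuilt binary
    set(),
    set(),
]


def feature_rates(corpus: Iterable[Set[str]], alpha: float = 1.0) -> Dict[str, float]:
    """Per-feature prevalence with Laplace smoothing, so no rate is ever 0 or 1."""
    corpus = list(corpus)
    n = len(corpus)
    return {f: (sum(f in pkg for pkg in corpus) + alpha) / (n + 2 * alpha) for f in FEATURES}


class BehaviourBaseline:
    """Naive-Bayes style scorer: how much more malicious-like than benign-like is a package."""

    def __init__(self, malicious: List[Set[str]], benign: List[Set[str]]) -> None:
        self.p_mal = feature_rates(malicious)
        self.p_ben = feature_rates(benign)

    def contributions(self, observed: Set[str]) -> List[Tuple[str, float]]:
        """Log-likelihood ratio per feature (present or absent), highest first."""
        out = []
        for f in FEATURES:
            if f in observed:
                llr = math.log(self.p_mal[f] / self.p_ben[f])
            else:
                llr = math.log((1 - self.p_mal[f]) / (1 - self.p_ben[f]))
            out.append((f, llr))
        return sorted(out, key=lambda item: -item[1])

    def score(self, observed: Set[str]) -> float:
        """Positive means the behaviour profile looks more like the malicious corpus."""
        return sum(llr for _, llr in self.contributions(observed))

    def flag(self, observed: Set[str], threshold: float = 0.0) -> bool:
        return self.score(observed) > threshold


# Constructed candidates for review.
SUSPICIOUS = {"install_script", "network_on_install", "reads_credentials", "obfuscated_code"}
NATIVE_BUILD = {"install_script", "spawns_shell_on_install"}
QUIET = set()

if __name__ == "__main__":
    baseline = BehaviourBaseline(KNOWN_MALICIOUS, KNOWN_BENIGN)
    for name, obs in (("suspicious", SUSPICIOUS), ("native-build", NATIVE_BUILD), ("quiet", QUIET)):
        print(f"{name}: score={baseline.score(obs):.2f} flagged={baseline.flag(obs)}")
        for f, llr in baseline.contributions(obs)[:2]:
            print(f"  {f}: {llr:+.2f}")
```

With the constructed corpora the candidate that reads credentials and ships obfuscated code scores well above zero and is flagged, while the package whose only install-time behaviour is compiling a native extension scores below zero: an install script is common in both corpora, so it contributes little, and the features that separate the corpora (credential access, obfuscation) dominate the score. The `contributions` list is what a reviewer would look at first, since a flag is only useful together with the behaviours that caused it.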
JAXenter: Can you tell us a little more about Dustico? How can it benefit user experiences?
Maty Siman: Dustico is a SaaS-based solution that detects malicious attacks and backdoors in open source software supply chains. Dustico’s technology is built to go beyond traditional source code vulnerability analysis and look at the behaviour and reputation of open source packages via a three-pronged approach. First, the solution factors in trust, providing visibility into the credibility of package providers and individual contributors in the open source community. Second, the health of packages is examined to determine their update cadence and level of maintenance. Finally, Dustico’s advanced behavioural analysis engine inspects packages and looks for malicious attacks hiding within, including backdoors, ransomware, multi-stage attacks, and trojans.
When developers choose to use a particular package, it is imperative that they take the safety score into consideration. This results in a more comprehensive approach to preventing supply chain attacks.