Deepfence revamps ThreatMapper with new scanner, runtime SBOMs

The latest version of open-source ThreatMapper includes a secret scanner to observe and report sensitive information left inadvertently in production environments, and the ability to generate runtime SBOMs to map and observe key software dependencies.


Deepfence, a security observability and protection company, is releasing ThreatMapper 1.3.0, the latest version of its open-source threat intelligence platform, with two new features — a secret-scanning tool and runtime SBOM (software bill of materials).

The latest version of the software features a new open-source scanning tool, SecretScanner, which can be accessed through the ThreatMapper UI and API and lets users scan for and report sensitive "secrets" left inadvertently in production workloads and in container images stored in registries. Secrets are sensitive pieces of information such as encryption keys, authentication tokens, and passwords.

"As an open-source tool that can be up and running in under 30 minutes, ThreatMapper continues to evolve by and for developers and DevSecOps," says Chris Steffen, research director at analyst and consulting firm Enterprise Management Associates.

Finding and securing secrets before attackers do is essential, because a leaked key typically unlocks access to databases and other critical infrastructure.

"The principle of 'least privilege' applies where a container only has the keys that are absolutely necessary and a process to remotely revoke those keys when they are no longer needed, and regularly rotate (update) them," Steffen says. "Unfortunately, there are many cases where these secrets are included in code for reasons of expediency and ease of use, but also lead to significant security vulnerabilities."

SecretScanner looks for exposed secrets at runtime

SecretScanner follows a community-driven ruleset that a team at Deepfence updates regularly. In addition to shift-left scanning during development, the company aims to scan running production workloads as well. The shift-left concept refers to moving processes such as vulnerability scanning closer to the development cycle, so that problems are found and fixed earlier and more cheaply.
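To make the ruleset-driven approach concrete, here is a small rule-driven secret scanner that walks an unpacked image layer or container root filesystem. It is an added example, not Deepfence's SecretScanner and not code from the article; the rules, file names and file contents are constructed for the example. The entropy threshold shows the usual caveat of such rules: a pattern alone also matches placeholders like `password = "changeme"`, so each rule carries a minimum Shannon entropy for the captured value.

```python
"""Rule-driven secret scanner over an unpacked filesystem tree, added here to
illustrate the technique the article describes.  It is not Deepfence's
SecretScanner and borrows nothing from it; the rules, file names and file
contents below are constructed for the example."""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    redacted: str


def shannon_entropy(s):
    """Bits per character; placeholder strings score low, real keys score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Constructed ruleset in the style of a community-maintained pattern list:
# (rule id, regex whose group 1 is the candidate secret, minimum entropy of
# that group; 0.0 disables the entropy filter).
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 3.0),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), 0.0),
    ("generic-password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"), 3.0),
    ("bearer-token",
     re.compile(r"(?i)authorization:\s*bearer\s+([A-Za-z0-9._\-]{20,})"), 3.0),
]
SKIP_EXT = {".png", ".jpg", ".gz", ".so", ".o"}


def redact(secret):
    """Never write the full secret into a report; keep enough to locate it."""
    return secret[:4] + "..." + secret[-2:]


def scan_text(text, path):
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, min_entropy in RULES:
            for m in pattern.finditer(line):
                candidate = m.group(1)
                if min_entropy and shannon_entropy(candidate) < min_entropy:
                    continue          # e.g. password = "changeme": a placeholder
                findings.append(Finding(rule_id, path, lineno, redact(candidate)))
    return findings


def scan_tree(root):
    """Walk an unpacked image layer or container rootfs and apply RULES."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] in SKIP_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(1_000_000)       # cap per file; large blobs are rarely config
            if b"\x00" in data:
                continue  # binary: a fuller scanner would still run rules over its strings
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend(scan_text(data.decode("utf-8", "replace"), rel))
    return findings


# Constructed files mimicking an unpacked container image.
SAMPLE_FILES = {
    "app/config.py": 'DB_PASSWORD = "s3cr3t-Passw0rd-9x!"\nDEBUG = False\n',
    "app/.aws/credentials": "[default]\naws_access_key_id = AKIA2X4V7QWERTY9ZPLM\n",
    "app/README.md": 'Set password = "changeme" before first run.\n',
    "etc/ssl/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeybody\n-----END RSA PRIVATE KEY-----\n",
    "var/log/app.log": "GET /api Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed-token-body-1234\n",
    "usr/bin/helper": "\x7fELF\x00\x00token=AKIA2X4V7QWERTY9ZPLM",   # binary, skipped
}


def demo():
    """Write the constructed tree to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for fnd in demo():
        print(f"{fnd.rule:30} {fnd.path}:{fnd.line}  {fnd.redacted}")
```

Running it reports four findings (the config password, the AWS key in `.aws/credentials`, the private key, and the bearer token that leaked into a log) and deliberately misses two: the `changeme` placeholder, filtered by entropy, and the key inside the ELF binary, skipped by the null-byte check. That second miss is the kind of gap a production ruleset has to decide about explicitly.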

According to Steffen, few developers go looking for a secret-scanning solution themselves, fearing that it will add complexity to their work. Business executives, security professionals, and risk managers, however, are constantly looking for security tools that can do the job without significantly interrupting release and development cycles.

"Scanning for vulnerabilities on the left is not enough and we need an open, community-driven solution that scans on the right and utilizes runtime context so devsecops teams can find attack pathways and seal them off in a timely fashion under intense time pressure," says Sandeep Lahane, founder and CEO of Deepfence. "The market is ready to move on from the Sisyphean task of vulnerability management to using runtime context for prioritization and rapid remediation."

Runtime SBOMs for containers and hosts

ThreatMapper 1.3.0 also lets organizations enumerate an SBOM at runtime. It does so by adding runtime context for code, compute, and cloud data, together with live network traffic data, to build a holistic picture of the production environment.

A runtime SBOM is a live list of the components and dependencies actually present in running software. It tracks new packages, processes, and activity within the organization's infrastructure and reports behavioral deviations, so that vulnerabilities and attacks can be flagged as they appear.

"SBOMs have emerged as an essential part of the documentation that supports each software product release or update, which means the added runtime SBOM capabilities within ThreatMapper are valuable improvements in order to quickly identify potentially vulnerable instances if a security issue is disclosed," Steffen says. 

ThreatMapper has two ways of generating SBOMs. The first is as part of CI/CD (continuous integration and continuous delivery/deployment) scans of container images. The second is the new runtime capability, which builds SBOMs for running containers and hosts. A container is a self-contained, ready-to-run software package bundling the executables, binaries, libraries, and configuration files an application process needs.

A runtime SBOM is a smaller, more actionable subset of the static SBOM generated during CI/CD, since it lists only what is actually present in the running workload. ThreatMapper generates runtime SBOMs by scanning running containers, virtual machines, and serverless environments such as AWS Fargate, in staging as well as in production, according to Lahane.
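The following added example shows what "runtime SBOM as a subset of the static SBOM" means in practice and how the two are used together. It is not ThreatMapper code and uses none of its APIs: it derives a runtime SBOM from a constructed dpkg status database (what a scanner reads inside a running Debian- or Ubuntu-based container), compares it with a constructed CI/CD image SBOM to find drift in both directions, and then matches a constructed advisory against it to answer the question Steffen raises above, which instances are vulnerable once an issue is disclosed. The Ubuntu purl namespace and the exact-version advisory format are assumptions made for brevity.

```python
"""Runtime vs. static SBOM comparison, added to illustrate the article's point
about runtime SBOMs.  This is not ThreatMapper code and uses none of its APIs;
the dpkg status text, the image SBOM and the advisory are constructed for the
example, and the Ubuntu purl namespace is assumed."""
import re

# Constructed /var/lib/dpkg/status as a scanner would read it inside a running
# container.  libxml2 was removed after the image was built (only its config
# files remain) and hotfix-agent was installed into the running container.
SAMPLE_DPKG_STATUS = """\
Package: libssl3
Status: install ok installed
Architecture: amd64
Version: 3.0.2-0ubuntu1.6
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project.

Package: curl
Status: install ok installed
Architecture: amd64
Version: 7.81.0-1ubuntu1.10

Package: libxml2
Status: deinstall ok config-files
Architecture: amd64
Version: 2.9.13+dfsg-1ubuntu0.2

Package: hotfix-agent
Status: install ok installed
Architecture: all
Version: 1.4.0
"""

# Constructed CycloneDX-style SBOM produced from the image at CI/CD time.
STATIC_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libssl3", "version": "3.0.2-0ubuntu1.6",
         "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.6"},
        {"name": "curl", "version": "7.81.0-1ubuntu1.10",
         "purl": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.10"},
        {"name": "libxml2", "version": "2.9.13+dfsg-1ubuntu0.2",
         "purl": "pkg:deb/ubuntu/libxml2@2.9.13+dfsg-1ubuntu0.2"},
        {"name": "libgomp1", "version": "12.1.0-2ubuntu1~22.04",
         "purl": "pkg:deb/ubuntu/libgomp1@12.1.0-2ubuntu1~22.04"},
    ],
}

# Constructed advisory.  Real advisories express affected ranges and need a
# dpkg-aware version comparison; exact versions keep the example short.
ADVISORY = {"id": "EXAMPLE-2022-0001", "package": "libssl3",
            "vulnerable_versions": {"3.0.2-0ubuntu1.5", "3.0.2-0ubuntu1.6"}}


def parse_dpkg_status(text):
    """Return the packages dpkg considers fully installed."""
    installed = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" "):      # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        status = fields.get("Status", "").split()
        # "deinstall ok config-files" and half-installed states leave no usable
        # code on disk, so they must not appear in the runtime SBOM.
        if len(status) == 3 and status[2] == "installed":
            installed.append({
                "name": fields["Package"], "version": fields["Version"],
                "purl": f"pkg:deb/ubuntu/{fields['Package']}@{fields['Version']}",
            })
    return installed


def runtime_sbom(dpkg_status_text):
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": parse_dpkg_status(dpkg_status_text)}


def component_set(sbom):
    return {(c["name"], c["version"]) for c in sbom["components"]}


def compare(static, runtime):
    """drift: present at runtime but absent from the image SBOM (installed into
    the running container); unused: shipped in the image but not installed now,
    so it is not reachable from this workload."""
    s, r = component_set(static), component_set(runtime)
    return r - s, s - r


def affected_purls(sbom, advisory):
    """Which components of this SBOM does the advisory name?"""
    return sorted(c["purl"] for c in sbom["components"]
                  if c["name"] == advisory["package"]
                  and c["version"] in advisory["vulnerable_versions"])


if __name__ == "__main__":
    rt = runtime_sbom(SAMPLE_DPKG_STATUS)
    drift, unused = compare(STATIC_SBOM, rt)
    print("runtime components:", sorted(component_set(rt)))
    print("drift (not in image SBOM):", drift)
    print("in image but not running:", unused)
    print(ADVISORY["id"], "affects:", affected_purls(rt, ADVISORY))
```

Two things fall out that the static SBOM alone cannot give you: the runtime list is shorter (libxml2 and libgomp1 are not present, so an advisory against them is not actionable for this workload), and it contains a package the image never shipped, which is exactly the kind of post-deployment change a CI/CD-only view misses.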

Since its launch on GitHub in October 2021, the open-source ThreatMapper project has gathered over 1,250 stars and 500,000 image pulls from Docker Hub. GitHub is a hosting platform for developers built on the Git distributed version control system; a star is how a developer bookmarks and follows a project, and a Docker Hub pull is a download of the project's published container image.


Copyright © 2022 IDG Communications, Inc.
