Bitbucket users can now access Arnica's hardcoded secrets mitigation and code risk security features, including static application security testing and software composition analysis.

Behavior-based application security platform Arnica has announced the integration of its application security capabilities into Bitbucket, the Atlassian-owned source-code management solution used by millions of developers. The integration makes Arnica the first pipelineless security solution to provide private security feedback to developers in real time and in-line pull request comments for Bitbucket users, according to the company. Features include hardcoded secrets mitigation and code risk security scanning.

Application development is a key business function of many modern organizations, but it is also something that can introduce significant security risks. Malicious web application transactions skyrocketed by 500% in the first half of 2023 compared to the same period last year as attackers shift focus to targeting application layers, according to Radware's H1 2023 Global Threat Analysis Report. Companies are under increasing pressure to ensure software is developed with the right security protocols that protect data and limit vulnerabilities. For example, the US National Cybersecurity Strategy holds software providers accountable for insecure products.

Bitbucket users can access SAST, IaC security scanning, SCA

Bitbucket users can now use static application security testing (SAST), infrastructure as code (IaC) security scanning, software composition analysis (SCA), and third-party package reputation scanning, Arnica said in a press release. Additionally, Arnica offers prioritization and product ownership to empower developers using Bitbucket within their workflows, providing users 100% coverage of their development ecosystem, real-time risk detection before the CI/CD pipeline, and automated mitigation capabilities, the firm added.
Arnica's platform gives developers context about recent changes made to code via ChatOps integrations with tools like Slack and Microsoft Teams.

Arnica provides developers direct feedback when a risk is detected

"Bitbucket users will have the ability to implement real-time application security scanning on push and commit. What this means is developers can develop at velocity with no friction," Nir Valtman, CEO and founder of Arnica, tells CSO. When they push code, Arnica scans for risks and provides the developer direct feedback when a risk is detected, he adds. "The application security team gets to decide when to notify versus block based on severity, effort, and business importance."

With secrets, for example, when a developer pushes a secret in a commit, they would get a Slack or Teams message alerting them to the possible secret exposure and providing the developer with a one-click "fix it for me" button, according to Valtman. "Upon clicking, Arnica automates the removal of the secret from the commit as well as the removal of that secret from git history - an otherwise very labor-intensive task."
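To make the push-time check and the notify-versus-block policy described above concrete, here is an added example written for this article (not Arnica's code): a minimal scanner that walks a unified diff, flags only the lines a push adds against a couple of constructed secret patterns, and lets a policy decide whether findings block the push or merely notify. The patterns, severities and sample diff are assumptions constructed here; the AKIA value is AWS's documented placeholder key.

```python
import re
from collections import namedtuple

# Constructed rules (kind, pattern over one added line, severity); not Arnica's real rules.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("generic_password", re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]{8,}['\"]"), "medium"),
]
Finding = namedtuple("Finding", "path line_no kind severity")  # line_no is in the new file

def scan_diff(diff_text: str) -> list:
    """Scan only the lines a push adds ('+' lines, excluding the '+++' file header)."""
    findings, path, new_line = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:])          # strip git's b/ prefix
        elif line.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)  # new-file start line
            new_line = int(m.group(1)) if m else 0
        elif line.startswith("+"):
            for kind, rx, severity in PATTERNS:
                if rx.search(line[1:]):
                    findings.append(Finding(path, new_line, kind, severity))
            new_line += 1
        elif not line.startswith("-"):
            new_line += 1   # context line: present in the new file, not scanned
    return findings

def decide(findings: list, block_severities=("high",)) -> str:
    """Policy hook: the AppSec team picks which severities block a push and which only notify."""
    if any(f.severity in block_severities for f in findings):
        return "block"
    return "notify" if findings else "allow"

# Constructed sample diff; the AKIA value is AWS's documented placeholder key, not a live one.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_URL = os.environ["DB_URL"]
+DB_URL = os.environ["DB_URL"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2hunter2"
 print(DB_URL)
"""

if __name__ == "__main__":
    print(decide(scan_diff(SAMPLE_DIFF)), scan_diff(SAMPLE_DIFF))
```

Removed lines are deliberately ignored, so a push that deletes a previously committed secret does not re-trigger a block; the history rewrite the article mentions is a separate step not shown here.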