SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
DerScanner introduces Supply Chain Security to protect third-party code elements
Fri, 1st Dec 2023

DerScanner, a solution for application security testing, has added a new function that allows users to verify third-party elements in their application code. The open-source software supply chain attack incidents have trebled within a year, demonstrating an escalating cyber threat trend. Alarming statistics of third-party components, constituting roughly 80% of an average application's code volume, position these components as a significant cybersecurity concern.

To combat such threats, the advanced DerScanner introduces Supply Chain Security. This feature ensures each open-source package that a developer may incorporate into their applications is previously validated, bolstering confidence in third-party elements. The increase in cyberattacks recently underscores this feature's necessity.

The added Supply Chain Security assures a comprehensive and reliable measure of security. Each package is given a reputation score, evaluated by an AI-powered engine based on several criteria. These factors constitute the author's credibility, the package's popularity, the frequency of updates, the timeliness of security fixes, the novelty of the package, and the community verification degree of pull requests.

There are growing vulnerabilities as the sophistication of the third-party components increases, providing potential unauthorized access to entire applications. Hackers often clone popular libraries, publishing them with similar names while embedding malicious code in these seemingly harmless duplicates. A single outdated or unpatched package in a large-scale project can unintentionally open doors to cyber threats. The newly added Supply Chain Security offers an improved defence mechanism, enhancing the traditional Software Composition Analysis.

Dan Chernov, CEO of DerScanner, stated that the new tool embodies the authentic spirit of open-source by guaranteeing its freedom and security. His explanation illuminates the proactive approach taken by Supply Chain Security as it alerts developers about potentially compromised packets before their integration into applications, thus preemptively protecting against potential damage.

DerScanner, the flagship product of DerSecur established in 2011, is a leading solution for identifying and addressing security vulnerabilities in both mobile and web applications. The product provides static analysis (SAST), inspecting code before it runs, and dynamic analysis (DAST), testing applications in a running state. Now, Software Composition Analysis and Supply Chain Security have been added to the suite, critical particularly for applications relying on open-source components, which enables developers to verify the safety of third-party code.

Among DerScanner's unique offerings is its ability to analyse both source and binary code, making it widely supportive with compatibility for 36 programming languages. It effectively understands polyglot applications and significantly reduces false positives through DerScanner's proprietary Fuzzy Logic Engine technology. Practical, efficient, and user-friendly, DerScanner strives to help developers maintain secure applications.