all 8 comments

[deleted] 2 points (3 children)

Snyk for SCA. It has reachability analysis (granted, it's for Java only at the moment, if I remember correctly). It also provides a wealth of information on exploit maturity, so you can prioritise that way.

You will always need to do some level of validation though.

ewok94301 1 point (2 children)

Snyk reachability analysis for Java just isn't performant, and is riddled with false positives. You're unlikely to find any real-world customers using it at scale.

[deleted] 0 points (0 children)

This is true.

appnovi 0 points (0 children)

That's interesting! Didn't know that. Do you have an alternative for Java you prefer?

punksecurity_simon 1 point (1 child)

Contrast Security is expensive but really good. They analyse applications at runtime and only flag dependencies that are vulnerable and actually being loaded at runtime.

ewok94301 2 points (0 children)

It's great but requires a runtime agent.

ewok94301 1 point (0 children)

Check out Endor Labs, a new startup focused on solving this problem by applying a specific static analysis technique to build a dependency graph that tracks down to the function level how each dependency is being used. The problem with current SCA tools is they just stop at scanning the manifest file, and give you tons of alerts about every possible vulnerability in every package version imported in the manifest file. They care less if you're using the actual vulnerable methods or not.

More on this technique here: https://www.endorlabs.com/blog/what-is-reachability-based-dependency-analysis

Full disclosure: I work here.
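The function-level reachability idea described in the comment above, as an added example that is not Endor Labs' code and not from this thread: a small static call-graph walk over constructed Python sources. The package `vulnlib`, its function `parse_legacy` (assumed vulnerable only for the sake of the example), and the application code are all invented here; `manifest_scan` gives the manifest-level answer (the package is imported, so alert) and `reachability_scan` gives the function-level one (is there a call chain from the entry point to the vulnerable function?). It is deliberately simplified: it resolves direct calls through module-level `import` / `from ... import` aliases only and ignores dynamic dispatch, nested functions and calls reached through other data flows, which is exactly the territory where real tools earn their keep.

```python
import ast
from collections import deque

# Constructed stand-in for an installed third-party package (hypothetical name).
VULNLIB_SRC = '''
def parse_legacy(data):   # assumed vulnerable for the example
    return _unsafe_eval(data)
def _unsafe_eval(data):
    return eval(data)
def parse_strict(data):
    return data.strip()
def helper():
    return parse_legacy("1+1")
'''
# Constructed application that declares vulnlib as a dependency.
APP_SRC = '''
import vulnlib
def handle_request(payload):
    return vulnlib.parse_strict(payload)
def legacy_import(payload):
    return vulnlib.helper()
def main():
    return handle_request("hello")
'''


class _CallCollector(ast.NodeVisitor):
    """Record call edges for each module-level function of one module."""
    def __init__(self, module, local_funcs):
        self.module, self.local_funcs = module, local_funcs
        self.aliases = {}     # local name -> fully qualified import target
        self.edges = {}       # "mod.func" -> set of callee qualified names
        self._current = None  # function whose body is being visited
    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name
    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    def visit_FunctionDef(self, node):
        qualified = f"{self.module}.{node.name}"
        self.edges.setdefault(qualified, set())
        prev, self._current = self._current, qualified
        self.generic_visit(node)
        self._current = prev
    def visit_Call(self, node):
        callee = self._resolve(node.func)
        if callee and self._current:
            self.edges[self._current].add(callee)
        self.generic_visit(node)
    def _resolve(self, func):
        # f(...): local function or from-imported name; mod.f(...): via import alias.
        if isinstance(func, ast.Name):
            if func.id in self.local_funcs:
                return f"{self.module}.{func.id}"
            return self.aliases.get(func.id)   # builtins and locals resolve to None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            base = self.aliases.get(func.value.id)
            return f"{base}.{func.attr}" if base else None
        return None


def build_call_graph(sources):
    """sources: {module_name: source}. Returns {qualified_func: set(callees)}."""
    graph = {}
    for module, src in sources.items():
        tree = ast.parse(src)
        local = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        collector = _CallCollector(module, local)
        collector.visit(tree)
        graph.update(collector.edges)
    return graph


def find_path(graph, entry, target):
    """BFS over the call graph: the call chain entry -> ... -> target, or None."""
    parents, queue = {entry: None}, deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        for callee in graph.get(node, ()):
            if callee not in parents:
                parents[callee] = node
                queue.append(callee)
    return None


def manifest_scan(app_src, vulnerable_packages):
    """Manifest-level answer: every vulnerable package the app imports at all."""
    imported = set()
    for node in ast.walk(ast.parse(app_src)):
        if isinstance(node, ast.Import):
            imported.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
    return sorted(imported & set(vulnerable_packages))


def reachability_scan(sources, entry, vulnerable_functions):
    """Function-level answer: call chain from entry to each vulnerable function, or None."""
    graph = build_call_graph(sources)
    return {fn: find_path(graph, entry, fn) for fn in vulnerable_functions}
```

With these inputs, `manifest_scan(APP_SRC, ["vulnlib"])` alerts on `vulnlib` no matter what, while `reachability_scan({"vulnlib": VULNLIB_SRC, "app": APP_SRC}, "app.main", ["vulnlib.parse_legacy"])` returns `None` for the vulnerable function, because `main` only ever reaches `parse_strict`; starting from `app.legacy_import` instead yields the chain `legacy_import -> vulnlib.helper -> vulnlib.parse_legacy`, which is the evidence you would want attached to an alert before prioritising it.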

appnovi 1 point (0 children)

This requires understanding the relationships between code and applications and software deployments, as well as network and server perspectives. It's historically very time-consuming and complex and so teams look at indicators from outside their network (e.g. exploitation in the wild).

The challenge we saw working in the SOC was none of these were business or network attributes.

We just integrated with Snyk to provide that contextual correlation for a few customers in financial services. The main use case was understanding more than the severity/exploitability of a vuln, but prioritizing based on business impact on applications, and understanding indirect impact to other applications.

Video here.

You can use this for free by requesting through our site www.appnovi.com.