Backslash Security today added support for C, C++, Ruby, Rust and Scala along with integrations with on-premises instances of DevOps platforms from GitHub and GitLab to its application security platform.
In addition, DevSecOps teams can now discover “phantom packages” not defined or controlled by the original application developer. The Backslash Security platform detects these phantom packages in open-source software code, even if they are not declared in manifest files, to identify vulnerable transitive packages.
A revamped user interface makes it simpler to understand which vulnerabilities are in use and therefore exploitable within their codebase.
DevSecOps teams can create workflows that automatically generate tickets and notifications for Jira, Monday.com, ServiceNow, Slack and Microsoft Teams.
Finally, Backslash is adding support for role-based access controls to make its platform more secure.
Amit Bismut, head of product management for Backslash Security said support for these programming languages will extend the reach of a platform designed to replace legacy static application security tools (SAST) and software composition analysis (SCA) tools with a single integrated application security platform that manages secrets, generates software bill of materials (SBOMs) and is integrated with the Vulnerability Exploitability Exchange (VEX).
The overall goal is to eliminate the number of false positives generated that increase the level of cognitive load on developers by providing DevSecOps teams with an application security platform that makes it simpler to identify and prioritize remediation efforts, he added. That approach eliminates the flood of alerts that developers are inundated with when organizations, instead of shifting responsibility left toward developers, simply “load left,” said Bismut.
Backslash Security previously supported Golang, Java, JavaScript and Python in addition to providing integrations with cloud services from GitHub, GitLab and Microsoft.
Adding support for additional programming languages and on-premises platforms will make it simpler for DevSecOps teams to consistently manage application security across hybrid IT environments made of different classes of applications that all have multiple dependencies, said Bismut.
Most application developers today still have little to no cybersecurity expertise. Many organizations are attempting to shift responsibility for application security left toward developers, but without the right tools at their disposal, it’s not likely they will succeed. It’s still fairly common for a relatively simple SQL injection attack to be successfully used to compromise an application environment, noted Bismut.
The Backslash platform makes it simpler for developers to understand how workflows in their code could be exploited, instead of relying on cybersecurity professionals to discover vulnerabilities that might not be present in a production environment, he added.
There’s no doubt cybercriminals will continue to focus on exploiting weaknesses in software supply chains. The attacks may not be overly sophisticated, but given the current odds of success, the targets are too tempting to ignore. The issue organizations must come to terms with is the increasing amount of liability those security flaws represent, as governments around the world start to hold organizations more responsible for the security of the applications they deploy.
