Veracode has extended the reach of its Package Firewall, which applies policies limiting what types of code can be downloaded from a repository, to Azure Artifacts from Microsoft.
Additionally, DevSecOps teams can now define custom policies based on package risk profiles, vulnerability thresholds, or a specific security requirement their organization has adopted.
Tim Jarrett, vice president of product at Veracode, said that in the wake of a series of software supply chain attacks using malicious code embedded in a package distributed via a repository, it is clear DevSecOps teams now need a means to enforce policies that prevent developers from inadvertently downloading malicious code. The Package Firewall is designed to identify 40 to 50 indicators of compromise, he added.
The most notable recent attack against software supply chains is the now infamous Shai-Hulud cyberattack, which compromised npm packages widely used by JavaScript developers. The packages included a post-install script designed to harvest secrets and exfiltrate them to a GitHub repository dubbed Shai-Hulud.
The most novel aspect of that cyberattack is that if a compromised package is installed in a way that provides access to npm tokens, a worm included in the code will attempt to publish malicious versions of other packages owned by the same maintainer to create additional opportunities to compromise a software supply chain.
This type of attack makes it clear that relying on scanning code alone to secure a software supply chain is not enough because the application development environment has already been fundamentally compromised, said Jarrett.
Open source software is now so pervasively deployed that banning its use is not feasible, even though cybercriminals have become more adept at compromising packages. Instead, organizations need to be able to apply DevSecOps best practices at the point where code from a repository is being downloaded, noted Jarrett.
Designed to be deployed in seconds, the Package Firewall, in addition to supporting Azure Artifacts, is also compatible with npm, PyPI, Maven, Nexus, and Artifactory repositories, he added.
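To make concrete what a download-time policy of the kind described above looks like, here is an added example (written for this article, not Veracode's code or the Package Firewall's actual rule set) of a minimal allow/block evaluator. It assumes the caller already has per-package metadata (publish date, worst known vulnerability severity, declared npm lifecycle scripts) from a registry or scanner; the package names, dates and the `POLICY` thresholds are constructed placeholders. It checks the three signals the article mentions: a vulnerability threshold, package age as a crude risk profile, and the presence of install hooks such as the post-install script used in the Shai-Hulud packages.

```javascript
// Added example, not code from Veracode or the article. All package metadata
// and policy values below are constructed for illustration.

// Organization-specific policy: the "custom policies" a DevSecOps team would define.
const POLICY = {
  maxSeverity: "high",          // block any package whose worst known vuln is above this
  minAgeDays: 3,                // block versions published more recently than this (hijack cool-down)
  blockInstallScripts: true,    // install hooks run arbitrary code at install time
  denylist: new Set(["evil-helper"]), // hypothetical package name
};

// Severity ordering used to compare a package's worst finding against the threshold.
const SEVERITY_RANK = { none: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// npm lifecycle scripts that execute automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Evaluate one package version against the policy. Returns every reason it fails,
// so a reviewer sees the full picture rather than just the first violation.
function evaluatePackage(pkg, policy = POLICY, now = Date.parse("2025-10-01T00:00:00Z")) {
  const reasons = [];

  if (policy.denylist.has(pkg.name)) {
    reasons.push("package is denylisted");
  }

  const pkgRank = SEVERITY_RANK[pkg.maxVulnSeverity] ?? SEVERITY_RANK.critical; // unknown => worst case
  if (pkgRank > SEVERITY_RANK[policy.maxSeverity]) {
    reasons.push(`vulnerability severity ${pkg.maxVulnSeverity} exceeds threshold ${policy.maxSeverity}`);
  }

  const ageDays = (now - Date.parse(pkg.publishedAt)) / 86400000;
  if (ageDays < policy.minAgeDays) {
    reasons.push(`published ${ageDays.toFixed(1)} days ago, below minimum age ${policy.minAgeDays}`);
  }

  const hooks = INSTALL_HOOKS.filter((h) => h in (pkg.scripts || {}));
  if (policy.blockInstallScripts && hooks.length > 0) {
    reasons.push(`declares install hook(s): ${hooks.join(", ")}`);
  }

  return { name: pkg.name, version: pkg.version, allowed: reasons.length === 0, reasons };
}

// Constructed sample metadata, as a registry proxy or scanner might supply it.
const SAMPLE_PACKAGES = [
  { name: "left-pad-ish", version: "1.4.2", publishedAt: "2024-02-10T00:00:00Z",
    maxVulnSeverity: "none", scripts: {} },
  { name: "fast-color", version: "3.1.0", publishedAt: "2025-09-30T12:00:00Z",
    maxVulnSeverity: "none", scripts: { postinstall: "node install-hook.js" } },
  { name: "old-parser", version: "0.9.1", publishedAt: "2021-05-01T00:00:00Z",
    maxVulnSeverity: "critical", scripts: {} },
];

// Evaluate a whole install request, as a firewall would for each resolved dependency.
function evaluateAll(pkgs = SAMPLE_PACKAGES, policy = POLICY) {
  return pkgs.map((p) => evaluatePackage(p, policy));
}

for (const result of evaluateAll()) {
  const verdict = result.allowed ? "ALLOW" : "BLOCK";
  console.log(`${verdict} ${result.name}@${result.version}` +
    (result.reasons.length ? `  (${result.reasons.join("; ")})` : ""));
}
```

In this constructed run, `left-pad-ish` is allowed, `fast-color` is blocked for two independent reasons (published half a day ago and declaring a `postinstall` hook), and `old-parser` is blocked on severity alone. A policy evaluated at the registry or proxy, as the article describes, complements rather than replaces local hardening such as `npm install --ignore-scripts`, which stops lifecycle scripts from running on the developer's machine but does not stop the package from being fetched.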
In general, adoption of DevSecOps remains uneven. A global survey conducted by the Futurum Group finds well over a third of respondents expect their organization to increase spending on software security testing (39%) and application programming interface (API) security (36%) over the next 12 to 18 months. Overall, about 35% said they also plan to make some type of investment in application security, the survey finds.
Increasingly, more DevOps teams are starting to appreciate how much the actual velocity at which software is successfully built and deployed now depends on how well security is encoded into workflows, APIs, and, ultimately, artificial intelligence (AI) agents. Guardrails are replacing gates as security policies are becoming executable, enforced continuously by pipelines, platforms, and increasingly AI agents.
Application developers, of course, need to be more cognizant about how vulnerabilities impact application development. It doesn’t take much for an investment made in DevOps tools and platforms to be negated if the quality of the code being generated only serves to increase the amount of rework that ultimately requires the application development team to start over.