
Aqua adds software supply chain security to DevSecOps mix

A new software supply chain security module for Aqua's platform correlates runtime security monitoring with pre-deployment scans as IT pros look to merge disparate tools.

Aqua Security's app protection platform now includes software supply chain security for enterprise-tier customers, as companies consolidate previously separate specialties under DevSecOps.

Tuesday's release layers premium features onto Aqua's open source Trivy tooling and ties in intellectual property the company acquired with Argon in December. It comes amid increased publicity around software supply chain attacks and new federal mandates for software supply chain security controls such as software bills of materials (SBOMs).

Coinciding with this trend is the multi-year transition to DevSecOps practices as part of enterprise digital transformation efforts; as the solid lines between developers, security teams and IT ops professionals continue to blur, IT buyers are also demanding tighter integration between vendor tools.

"The challenge [with DevSecOps] is you get all of these developers using different security tools, but then security still has no visibility and no way to scale what they need to do for their jobs, which is to manage risk," said Melinda Marks, an analyst at Enterprise Strategy Group, a division of TechTarget.

As a result, the last two years have seen consolidation between previously specialized software security vendors, and a broadening of specialized products into multi-purpose platforms. Aqua is a prime example of this broader evolution: The company emerged from stealth in 2016 focused on container runtime security but has since expanded into a cloud-native application protection platform (CNAPP).

CNAPP, a product category Gartner established in 2021, refers to a set of application security automation tools that "starts in development and extends to runtime protection," according to Gartner's first CNAPP market report. Other CNAPP vendors include Check Point CloudGuard, CrowdStrike Cloud Security, Lacework Polygraph, Palo Alto Networks' Prisma Cloud and Sysdig.

[Figure: Aqua software supply chain security. Aqua's software supply chain security tool includes open source dependency analysis.]

CNAPP links app security between dev and prod

For one IT shop that was an Argon customer prior to the Aqua acquisition, the new tie-ins between software supply chain security and runtime security are a compelling incentive to consider expanding into the broader platform.


"It's going to be helpful to have a consolidated platform link between something that happened in production and -- according to the demo we saw -- [how] it was possible to execute," said Joseph Elbaz, head of application security at a Tel Aviv division of online food delivery software company Grubhub. "In the moment that you have the platform telling you [which] components are vulnerable, the only thing that you need is to click on a link, and it's pointing you to the right place in the code it already scanned."

Elbaz's team has already expanded its use of software supply chain security tools in the last 18 months. It began with Argon's static application security testing (SAST) tools and progressed to secrets detection analysis and some software composition analysis (SCA).

The latest release of software supply chain security tools under Aqua appears to have improved some of the features Elbaz's team had been using with Argon's software. For example, the tool sends fewer false positive alerts for secrets detection than in previous versions, although Elbaz also said he initially chose Argon's tool because it had the best accuracy for secrets detection among the tools he evaluated overall.

There are also many competitors for Elbaz to choose from among CNAPP tools vying to be a one-stop shop for application security. But that's where Aqua's strengths in Kubernetes and microservices app security also make it an attractive option, he said.

Elbaz's team within one of Grubhub's business units is transitioning to a Kubernetes-based microservices infrastructure for its applications. The team has been looking to modernize its runtime application security tools for that environment, where it currently uses more traditional vulnerability scanning and network security tools, Elbaz said.

"We are still in the process of shifting from standalone services to microservices, so it's becoming more and more relevant," he said.

Aqua supply chain security product details

Aqua's newest module for the enterprise edition of its Aqua Platform, dubbed the Aqua Supply Chain Solution and made generally available this week, includes code scanning based on Aqua Trivy Premium that now builds in sensitive data detection via IP acquired with Argon. Argon's pipeline security IP adds the ability to shore up the CI/CD pipeline as well as the applications that pass through it, guarding against the injection of malicious code while applications are developed and tested before deployment. Similarly, Aqua's existing infrastructure-as-code scanning now includes software composition analysis on pipelines built with tools such as HashiCorp's Terraform.

The new tool also includes SBOM generation that goes beyond the basic version offered by Aqua's open source Trivy. Where Trivy can generate an SBOM for the final result of a software deployment pipeline, the Aqua Supply Chain Solution tracks and attests to the chain of custody for every artifact produced along the way through an underlying integration with Sigstore.

Aqua has not disclosed specific pricing numbers for the Supply Chain Solution or the enterprise edition of its Aqua Platform. Its most popular Advanced Platform edition, which does not list software supply chain security among its components on Aqua's website, is priced at $2,099 per month. The Supply Chain Solution is priced per code repository and varies depending on the number of repos covered, according to an Aqua spokesperson.

The Aqua Supply Chain Solution is also easier to deploy than Argon's tools were, according to Elbaz. For example, the SAST component doesn't require him to install local files if he wants to customize a policy.

There are items on Elbaz's wish list for the product, such as support for the Pulumi infrastructure-as-code tool in addition to Terraform, and the ability to customize SCA policy rules for specific code repositories. The company is investigating Pulumi support and has granular policy exceptions as a committed roadmap item, according to Aqua officials.

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
