Arnica’s real-time, code-risk scanning tools aim to secure supply chain

Software supply chain security provider Arnica has added new real-time scanning tools to its namesake code-security suite, including static application security testing (SAST), infrastructure as code (IaC) scanning, software composition analysis (SCA), and third-party package reputation checks.

With the enhancements, the company claims to provide a comprehensive security solution that identifies and prevents the introduction of code risks in real time using a pipeline-less approach.

“Arnica implements a pipeline-less security approach, which means that all source code repository events are evaluated as code changes are being made by developers,” said Nir Valtman, CEO and founder of Arnica. In this manner, developers can address known vulnerabilities without requiring their fixes to undergo a build and test pipeline for mitigation.

“The reason why this approach is more powerful than traditional solutions that are integrated into CI/CD pipelines, is that 100% of the repositories are monitored, and the feedback is routed directly to the developers in a blameless and shameless way,” Valtman said.

While the company’s scheduled code risk scans are available in a free plan, not limited to a number of users, the real-time scans are available with a paid business plan. Pricing for the business plan is tiered, based on features used, per user identity per month.

Legacy, disparate tools slow down development

Arnica’s attempt at consolidating code security tools is rooted in the fact that they provide siloed security workflows, which slow down development considerably.

Integrated development environment (IDE) plugins bring potential risks to light during the developer workflow, but maintaining them across different devices is challenging, and they offer restricted visibility to security teams. On the other hand, CI/CD pipeline scanners offer consolidated risk lists to security teams, but their coverage is limited and they lack the context required to identify the responsible individual for taking appropriate action.  

The lack of a comprehensive, unified systems makes it difficult to achieve complete coverage, according to Arnica.

Story Tweedie-Yates, head of product marketing at Kubernetes security company KSOC, said she appreciates Arnica’s effort at consolidating code security for various types of applications as she believes “it is very helpful to have a tool that can deal with the legacy as well as new applications all under one roof.”

“Today’s organizations most often have a mix of applications; those that are brand new and generally built with cloud-native tooling, and those that are ‘legacy’ and still run on-premises,” said Yates. “The legacy applications are more often than not custom applications, built before the time when open source started making it possible for developers to assemble applications from various open-source languages and tools. The brand-new applications are much more likely to be assembled versus customized.”

“Technologies like SAST, Dynamic AST, Interactive AST, are more important for custom applications; the legacy applications. Technologies like SCA, IaC scanning are more important for the newer applications,” Yates added.

Code risk management leverages third-party integrations

Arnica’s new offerings  — including SAST, SCA, IaC and third-party package reputation checks — are delivered as real-time code risk identification and mitigation capabilities that leverage native integrations into source code management systems and communication tools, to detect and respond to risks as and when a developer pushes code.

“Vulnerabilities are introduced as developers write code. Arnica identifies the risks when code is pushed to the source code management (SCM) system, across all source code repositories, and sends a private message directly to the author within a few seconds,” Valtman said.

Arnica’s context-based vulnerability alert is designed to enable developers to make an informed fix or dismiss the alert. All unresolved vulnerabilities are also reflected in the pull request — a code change/review alert. Companies also can create policies around the alerts, to enforce fixes and ensure that developers are cleaning up problematic code before potentially pushing out vulnerabilities.

Arnica’s integrations include source code management systems like GitHub and Azure DevOps, and communication tools like Slack and Microsoft Teams.

“The focus on real-time appears to be more so a focus on integration into the developer toolset, to help the developers iterate quickly versus having to go and fix things later. This is a great benefit for developers and their speed,” Yates said.