January 25, 2024

Level Up your Zero-day Vulnerability Remediation and SBOM Quality for a More Secure Software Supply Chain


In the relatively short time since we announced the availability of our Software Supply Chain Assurance (SSCA) module, we’ve been hard at work broadening our feature set in ways that enhance customers’ ability to remediate zero-day vulnerabilities quickly and decisively, and to generate and manage higher-quality software bills of materials (SBOMs). In this brief product update blog, we’ll take a closer look at our set of newly released SSCA features: SBOM scoring, SBOM drift detection, and real-time remediation tracking.

Real-time Zero-day Remediation Tracking

Because modern applications and their software supply chains are an increasingly attractive target for attackers, organizations must be ready to harden an application as soon as a zero-day vulnerability is disclosed, before it can be exploited. That is a complicated undertaking given the size of modern code bases and the many dependencies within them.

To solve these challenges, Harness SSCA now features real-time remediation tracking, giving security practitioners and developers a set of powerful tools for rapidly and decisively remediating zero-day vulnerabilities, a huge advantage for mitigating security and compliance risk.

FIGURE 1: Harness SSCA Remediation Tracking

Artifact Enumeration

The Remediation Tracker simplifies identifying vulnerable components across software deployments. Given the details of a component or dependency, the tracker scans all artifacts and lists those that use it, offering a quick and accurate overview of the affected artifacts.

Environment Visibility

The tracker goes beyond artifact enumeration to provide insights into the deployment environments impacted by the identified vulnerabilities. Once the affected artifacts are listed, the tracker offers visibility into all environments where these artifacts are deployed. This feature ensures a comprehensive understanding of the scope and reach of the vulnerabilities across various deployment environments.

Deployment Pipeline Tracing

In addition to artifact and environment details, the tracker brings transparency to the deployment pipelines associated with the identified artifacts. Starting from the affected environments, it also lists every deployment pipeline used to deploy the affected artifacts there. This tracing lets users navigate and take the necessary actions across the entire delivery cycle, ensuring a holistic remediation approach.

Artifact Exclusion Mechanism

The Remediation Tracker offers a granular approach to remediation by allowing users to exclude selected artifacts from the remediation process, giving finer-grained control over its scope.

Deployment Status Overview

Users can easily track the overall status of remediation efforts through the tracker. It provides a clear snapshot of the number of deployments pending action and the successful deployments where remediation has been completed.

These key features collectively empower organizations to swiftly and effectively address vulnerabilities in their software supply chain, ensuring a proactive and robust approach to software supply chain security.
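To make the workflow above concrete, here is an added example (not Harness code) of a minimal remediation tracker over constructed data: given a vulnerable component and the version that fixes it, it enumerates affected artifacts, the environments and pipelines they were deployed through, honours an exclusion list, and counts pending versus remediated deployments. The artifact names, environments, pipelines and inventory are hypothetical, and the version comparison is a deliberately naive placeholder.

```python
"""Added example (not Harness code): a minimal remediation tracker over a
constructed inventory. Artifact names, environments and pipelines are
hypothetical."""

# Constructed sample inventory: each artifact -> component purls taken from its SBOM.
ARTIFACT_SBOMS = {
    "payments-api:1.4.2": [
        "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
        "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
    ],
    "payments-api:1.4.3": [
        "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
        "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
    ],
    "batch-worker:0.9.1": [
        "pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0?type=jar",
    ],
    "web-frontend:3.0.0": ["pkg:npm/react@18.2.0"],
}

# Constructed sample deployments: (artifact, environment, pipeline that deployed it).
DEPLOYMENTS = [
    ("payments-api:1.4.2", "prod-eu", "deploy-payments"),
    ("payments-api:1.4.3", "staging", "deploy-payments"),
    ("batch-worker:0.9.1", "prod-us", "deploy-batch"),
    ("web-frontend:3.0.0", "prod-eu", "deploy-web"),
]

VULN_COMPONENT = "pkg:maven/org.apache.logging.log4j/log4j-core"
FIXED_VERSION = "2.17.1"


def split_purl(purl):
    """Return (purl without version/qualifiers, version) for a package URL."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def version_key(version):
    """Naive dotted-numeric ordering. Real ecosystems need their own comparators
    (Maven, semver, PEP 440); this is a placeholder, not a general solution."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def component_state(purls, name, fixed):
    """'vulnerable', 'fixed', or None (component absent) for one artifact's SBOM."""
    state = None
    for purl in purls:
        base, version = split_purl(purl)
        if base != name:
            continue
        if version_key(version) < version_key(fixed):
            return "vulnerable"  # any vulnerable copy makes the artifact vulnerable
        state = "fixed"
    return state


def affected_artifacts(name=VULN_COMPONENT, fixed=FIXED_VERSION, exclude=()):
    """Artifact enumeration: every artifact whose SBOM carries a vulnerable version."""
    return sorted(
        artifact for artifact, purls in ARTIFACT_SBOMS.items()
        if artifact not in exclude and component_state(purls, name, fixed) == "vulnerable"
    )


def affected_deployments(name=VULN_COMPONENT, fixed=FIXED_VERSION, exclude=()):
    """Environment visibility and pipeline tracing for the affected artifacts."""
    affected = set(affected_artifacts(name, fixed, exclude))
    return [d for d in DEPLOYMENTS if d[0] in affected]


def remediation_status(name=VULN_COMPONENT, fixed=FIXED_VERSION, exclude=()):
    """Deployment status overview: pending = still running a vulnerable version,
    remediated = running the component at or above the fixed version."""
    status = {"pending": 0, "remediated": 0}
    for artifact, _env, _pipeline in DEPLOYMENTS:
        if artifact in exclude:
            continue
        state = component_state(ARTIFACT_SBOMS[artifact], name, fixed)
        if state == "vulnerable":
            status["pending"] += 1
        elif state == "fixed":
            status["remediated"] += 1
    return status


if __name__ == "__main__":
    print("affected artifacts:", affected_artifacts())
    for artifact, env, pipeline in affected_deployments():
        print(f"  {artifact} deployed to {env} via {pipeline}")
    print("status:", remediation_status())
    print("excluding batch-worker:", remediation_status(exclude={"batch-worker:0.9.1"}))
```

The point worth noticing is that enumeration has to be done by purl and a proper version comparison rather than by artifact name: the same service appears twice in the inventory, and only the build still carrying the old component version counts as pending.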

Analysis and Summary

The tracker provides a quick summary for a concise overview of the overall remediation progress across artifacts. This summary includes charts that present key metrics such as "Mean Time to Remediate," an overview of "Remediation Status," and a snapshot of "Pending Remediations."

Integration Capabilities

Streamlining collaboration, the tracker integrates with Jira, so users can raise Jira tickets directly from the tracker and keep remediation work synchronized with their project management workflow. Looking ahead, the tracker will expand its support to other project management tools.

SBOM Scoring

There is a growing necessity to have a detailed account of an application’s components and dependencies, and the Software Bill of Materials (SBOM) has become an essential element of software supply chain security. However, the wide variation in the type and completeness of information captured in a typical SBOM makes it difficult to reliably improve supply chain security and reduce risk. According to a recent IEEE study on SBOMs, only one percent of the generated SBOMs contain the NTIA “minimum elements” data for all reported components. 

Given how commonly SBOMs are deficient in one way or another, Harness now offers customers and users the ability to assess SBOM quality and automatically assign it an overall quality score out of 10. This pays dividends for mitigating software vulnerability risk: an SBOM can be marked as high quality, compliant, and ready to share, or it can be flagged as needing improvement or further investigation by DevSecOps teams. SBOM scoring is also a valuable way for software-producing organizations to determine which SBOM generation tools are best suited to their needs.

Harness SSCA SBOM Scoring Criteria

The evaluation criteria for scoring SBOM quality fall into these categories:

  • NTIA-Minimum-Elements: Assesses compliance with NTIA minimum element guidelines
  • Structural: Checks adherence to underlying specifications of SPDX or CycloneDX
  • Semantic: Evaluates the correctness of SBOM field meanings specific to their standard
  • Quality: Determines the overall data quality present in the SBOM
  • Sharing: Assesses the SBOM's readiness for sharing

Harness SSCA uses the sbomqs tool to evaluate SBOMs across the above categories and assign a score at the time the SBOM is generated. Overall scores are shown alongside the SBOM within the ‘Pipeline Execution’ view, and can be expanded to show the individual score for each evaluation criterion listed above.
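To show what an NTIA minimum-elements check actually looks at, here is an added example (not Harness code, and not sbomqs’s own algorithm or weighting) that runs a simplified version of that category over a CycloneDX JSON SBOM. Each check yields the fraction of components (or 0/1 for document-level fields) that satisfy it, and the score is the mean across checks scaled to 10. The SBOM is constructed and its package names are hypothetical.

```python
"""Added example (not Harness code, not the sbomqs algorithm): a simplified
NTIA minimum-elements check over a CycloneDX JSON SBOM."""
import json

# Constructed CycloneDX 1.4 document; "acme-*" names and the supplier are hypothetical.
# The second component deliberately lacks a supplier and a unique identifier, and
# the document has no "dependencies" array.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "timestamp": "2024-01-25T10:00:00Z",
    "tools": [{"vendor": "example", "name": "sbom-gen", "version": "0.1"}],
    "component": {"type": "application", "name": "acme-service", "version": "1.0.0"}
  },
  "components": [
    {
      "type": "library", "name": "acme-http", "version": "2.3.1",
      "purl": "pkg:pypi/acme-http@2.3.1",
      "supplier": {"name": "Acme Corp"}
    },
    {
      "type": "library", "name": "acme-json", "version": "0.9.0"
    }
  ]
}
"""


def _fraction(components, predicate):
    """Share of components satisfying predicate; an empty list scores 0."""
    if not components:
        return 0.0
    return sum(1 for c in components if predicate(c)) / len(components)


def has_unique_id(component):
    """NTIA 'other unique identifiers': purl, CPE or SWID tag."""
    return bool(component.get("purl") or component.get("cpe") or component.get("swid"))


def has_supplier(component):
    """NTIA 'supplier name'; CycloneDX also allows the looser 'publisher' field."""
    supplier = component.get("supplier") or {}
    return bool(supplier.get("name") or component.get("publisher"))


def ntia_checks(sbom):
    """One entry per NTIA minimum element, each scored 0.0 .. 1.0."""
    meta = sbom.get("metadata", {})
    comps = sbom.get("components", [])
    return {
        "sbom_timestamp": 1.0 if meta.get("timestamp") else 0.0,
        # CycloneDX records the SBOM author as metadata.authors and/or metadata.tools
        # (an array in 1.4, an object in 1.5; truthiness covers both).
        "sbom_author": 1.0 if (meta.get("authors") or meta.get("tools")) else 0.0,
        "dependency_relationships": 1.0 if sbom.get("dependencies") else 0.0,
        "component_name": _fraction(comps, lambda c: bool(c.get("name"))),
        "component_version": _fraction(comps, lambda c: bool(c.get("version"))),
        "component_unique_id": _fraction(comps, has_unique_id),
        "component_supplier": _fraction(comps, has_supplier),
    }


def ntia_score(sbom):
    """Mean of the checks scaled to a 10-point score, plus the checks that fell short."""
    checks = ntia_checks(sbom)
    score = round(10 * sum(checks.values()) / len(checks), 1)
    failing = sorted(name for name, value in checks.items() if value < 1.0)
    return {"score": score, "checks": checks, "failing": failing}


def score_json(text):
    """Parse a CycloneDX JSON document and score it."""
    return ntia_score(json.loads(text))


if __name__ == "__main__":
    result = score_json(SAMPLE_SBOM_JSON)
    print(f"score: {result['score']}/10")
    for name in result["failing"]:
        print(f"  needs work: {name} ({result['checks'][name]:.2f})")
```

The sample scores 7.1 here, and the failing list points straight at what the generator omitted: no supplier or purl on one component, and no dependency graph at all. That is exactly the kind of gap that makes an SBOM useless for vulnerability matching, even when it looks complete at a glance.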

FIGURE 2: Harness SSCA SBOM Score Report

Automated SBOM Drift Detection

Because software artifacts change, sometimes with every build, an artifact’s SBOM is expected to change with it. Left unchecked, this SBOM drift puts organizations at risk of missing newly introduced vulnerabilities or falling out of compliance with licensing and security policies.

Harness SSCA now offers users SBOM drift detection for tracking changes between successive versions of an artifact, or between the artifact’s latest version and a pre-established baseline. SSCA provides a detailed analysis highlighting added or removed components and licenses, which greatly improves management and oversight of software artifacts. Customers can also create policies that require manual review and approval of any changes before an artifact moves to production. The SSCA module’s SBOM drift detection supports both images and code repositories.
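As an added example (not Harness code), the following computes drift between a baseline and a new CycloneDX JSON SBOM and then applies a simple review-gate policy of the kind described above. Components are keyed by purl with the version stripped, so a version bump is reported as a change rather than as a removal plus an addition, and licenses are compared as sets of SPDX identifiers so that an expression such as `Apache-2.0 OR GPL-3.0-only` is seen to introduce a new license. Both SBOMs are constructed; the `acme-*` packages and their licenses are hypothetical.

```python
"""Added example (not Harness code): SBOM drift detection between two CycloneDX
JSON SBOMs plus a review-gate policy. Sample documents are constructed."""
import json
import re

# Constructed baseline SBOM. The acme-* packages and their licences are hypothetical.
BASELINE_JSON = """{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"requests","version":"2.28.0","purl":"pkg:pypi/requests@2.28.0","licenses":[{"license":{"id":"Apache-2.0"}}]},
 {"name":"urllib3","version":"1.26.12","purl":"pkg:pypi/urllib3@1.26.12","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"certifi","version":"2022.9.24","purl":"pkg:pypi/certifi@2022.9.24","licenses":[{"license":{"id":"MPL-2.0"}}]},
 {"name":"acme-core","version":"2.0.0","purl":"pkg:pypi/acme-core@2.0.0","licenses":[{"license":{"id":"Apache-2.0"}}]}
]}"""

# Constructed SBOM of the next build: two bumps, one removal, one addition, one licence change.
NEW_JSON = """{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"requests","version":"2.31.0","purl":"pkg:pypi/requests@2.31.0","licenses":[{"license":{"id":"Apache-2.0"}}]},
 {"name":"urllib3","version":"2.0.4","purl":"pkg:pypi/urllib3@2.0.4","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"acme-core","version":"2.1.0","purl":"pkg:pypi/acme-core@2.1.0","licenses":[{"expression":"Apache-2.0 OR GPL-3.0-only"}]},
 {"name":"acme-utils","version":"1.0.0","purl":"pkg:pypi/acme-utils@1.0.0","licenses":[{"license":{"id":"GPL-3.0-only"}}]}
]}"""

_EXPR_OPERATORS = {"AND", "OR", "WITH"}


def license_ids(component):
    """Collect licence identifiers from a CycloneDX licenses array, which may hold
    an SPDX id, a free-text name, or an SPDX expression."""
    ids = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            tokens = re.split(r"[\s()]+", entry["expression"])
            ids.update(t for t in tokens if t and t not in _EXPR_OPERATORS)
        else:
            lic = entry.get("license", {})
            if lic.get("id") or lic.get("name"):
                ids.add(lic.get("id") or lic["name"])
    return ids


def index_components(sbom):
    """Map purl-without-version -> (version, licence ids). Components with no purl
    fall back to a generic key built from their name."""
    index = {}
    for c in sbom.get("components", []):
        purl = c.get("purl") or f"pkg:generic/{c['name']}"
        index[purl.split("@", 1)[0]] = (c.get("version", ""), license_ids(c))
    return index


def sbom_drift(baseline, new):
    """Added, removed, version-changed and licence-changed components, all sorted."""
    old, cur = index_components(baseline), index_components(new)
    common = old.keys() & cur.keys()
    return {
        "added": sorted((k, cur[k][0]) for k in cur.keys() - old.keys()),
        "removed": sorted((k, old[k][0]) for k in old.keys() - cur.keys()),
        "version_changed": sorted(
            (k, old[k][0], cur[k][0]) for k in common if old[k][0] != cur[k][0]),
        "license_changed": sorted(
            (k, sorted(old[k][1]), sorted(cur[k][1])) for k in common if old[k][1] != cur[k][1]),
    }


def review_reasons(drift, new, denied_licenses):
    """Policy gate: any newly added component, or any component now carrying a
    denied licence, requires manual review before promotion."""
    reasons = [f"added component {k}@{v}" for k, v in drift["added"]]
    for key, (version, ids) in index_components(new).items():
        for lic in sorted(ids & set(denied_licenses)):
            reasons.append(f"denied license {lic} in {key}@{version}")
    return sorted(reasons)


def check_drift(baseline_text, new_text, denied_licenses=()):
    """Parse both documents, compute drift and attach the review reasons."""
    baseline, new = json.loads(baseline_text), json.loads(new_text)
    drift = sbom_drift(baseline, new)
    drift["review_reasons"] = review_reasons(drift, new, denied_licenses)
    return drift


if __name__ == "__main__":
    for section, rows in check_drift(BASELINE_JSON, NEW_JSON, {"GPL-3.0-only"}).items():
        print(section)
        for row in rows:
            print("  ", row)
```

Keying on the versionless purl is what makes the report readable: a routine upgrade of `requests` shows up once as a version change instead of as a removal and an addition, so reviewers can concentrate on the genuinely new component and on the license that changed under a component they already trusted.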

FIGURE 3: Harness SSCA SBOM Drift Report

Software Supply Chain Assurance, the Harness Way

More and more enterprise organizations are taking a platform approach to building out their DevSecOps practices, and a big reason why customers come to Harness is the seamless integration of critical security capabilities such as Security Testing Orchestration (STO). Harness SSCA follows suit, delivering powerful OSS governance and SLSA compliance features, along with SBOM scoring, drift detection, and real-time remediation of zero-day vulnerabilities.

To learn more about Harness SSCA and its expanded feature set, visit https://www.harness.io/products/software-supply-chain-assurance
