Rezilion today announced the general availability of a platform that allows DevOps teams to prioritize remediation efforts by identifying which vulnerabilities are both loaded in memory and actually affect a class or function that can be executed.
Liran Tancman, Rezilion CEO, said that the biggest challenge facing DevSecOps organizations today is that most of the vulnerabilities that developers are tasked to fix do not constitute a significant threat to cybersecurity.
Rezilion has created a searchable proprietary next-generation vulnerability database (NGVDB) that specifies which issues will affect specific classes and functions. That capability allows DevOps teams to prioritize close to 95% of software vulnerabilities, Tancman says.
In addition, Rezilion’s platform will feature remediation suggestions that reduce delay and/or cost, he said. A fully automated remediation capability, for example, will automatically upgrade and test vulnerable software components and packages within the continuous integration (CI) pipeline when they are found to be exploitable. Over the longer term, Rezilion is also working on releasing remediation suggestions that can be applied as an alternative to patching, Tancman said.
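As an added illustration of the prioritization the article describes (this is example code written for this page, not Rezilion's platform or its NGVDB), the script below ranks vulnerability findings by runtime evidence: a finding whose affected function was observed executing ranks first, one whose package is merely loaded ranks second, and one whose package is not loaded at all ranks last, with CVSS breaking ties within a tier. The finding records, their `VULN-PLACEHOLDER-*` identifiers, the affected function names and the call trace are all constructed for the demonstration and do not describe real vulnerabilities.

```python
"""Rank vulnerability findings by runtime reachability (added example).

Tiers, most urgent first:
  reachable  - package is loaded AND an affected function was seen executing
  loaded     - package is loaded, but no affected function was observed
  not-loaded - package is not present in the running process at all
"""
import hashlib  # imported so the stdlib module shows up in sys.modules below
import json
import sys
from dataclasses import dataclass

TIER_ORDER = {"reachable": 0, "loaded": 1, "not-loaded": 2}


@dataclass(frozen=True)
class Finding:
    vuln_id: str                   # constructed placeholder, not a real CVE
    module: str                    # top-level module the finding belongs to
    affected_functions: frozenset  # constructed, function-level affected symbols
    cvss: float                    # constructed base score used only for tie-breaking


# Constructed findings: the "database" side, annotated down to the function.
FINDINGS = [
    Finding("VULN-PLACEHOLDER-A", "json", frozenset({"json.decoder.scanstring"}), 9.8),
    Finding("VULN-PLACEHOLDER-B", "json", frozenset({"json.encoder.c_make_encoder"}), 7.5),
    Finding("VULN-PLACEHOLDER-C", "legacy_xmlrpc", frozenset({"legacy_xmlrpc.loads"}), 9.1),
    Finding("VULN-PLACEHOLDER-D", "hashlib", frozenset({"hashlib.md5"}), 5.3),
]

# Constructed call trace: fully qualified functions seen on stacks at runtime
# (in a real deployment this would come from a profiler or tracing agent).
OBSERVED_CALLS = {"json.loads", "json.decoder.scanstring", "hashlib.sha256"}


def loaded_modules_from_process():
    """Top-level module names currently loaded in this interpreter."""
    return {name.split(".")[0] for name in sys.modules}


def classify(finding, loaded_modules, observed_calls):
    """Assign a finding to a reachability tier from runtime evidence."""
    if finding.module not in loaded_modules:
        return "not-loaded"
    if finding.affected_functions & observed_calls:
        return "reachable"
    return "loaded"


def prioritize(findings, loaded_modules, observed_calls):
    """Return (tier, finding) pairs, most urgent first; CVSS breaks ties."""
    ranked = [(classify(f, loaded_modules, observed_calls), f) for f in findings]
    ranked.sort(key=lambda pair: (TIER_ORDER[pair[0]], -pair[1].cvss))
    return ranked


def remediation_queue(ranked):
    """IDs that deserve developer time first: only the reachable tier."""
    return [f.vuln_id for tier, f in ranked if tier == "reachable"]


if __name__ == "__main__":
    loaded = loaded_modules_from_process()
    for tier, f in prioritize(FINDINGS, loaded, OBSERVED_CALLS):
        print(f"{tier:<10} {f.vuln_id:<20} {f.module:<14} cvss={f.cvss}")
```

Run directly, the script inspects its own process, so `json` and `hashlib` count as loaded while the constructed `legacy_xmlrpc` finding falls to the bottom despite its higher score. The design point is that the ordering is driven by evidence gathered from the running application rather than by the database score alone, which is what lets the high-scoring but unreachable entries be deferred.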
Rezilion’s platform is also integrated with IT service management platforms like ServiceNow and project management tools like Jira to make it easier to address vulnerabilities as part of current workflows, he added.
Most developers today are overwhelmed by the number of vulnerabilities that cybersecurity teams typically ask them to patch, Tancman says. The goal should be to allow developers to focus their limited time and effort on remediating the vulnerabilities that really matter for application security, he said.
In addition, developers need more confidence that the patch they are asked to apply will not break their existing applications, Tancman added.
Vulnerability prioritization is, of course, at the heart of the long-standing divide between DevOps and cybersecurity professionals. Spreadsheets filled with long lists of vulnerabilities are regularly created, but they usually give no context about how serious a threat any particular vulnerability poses. As a result, developers devote a small portion of their time to applying patches that are prioritized by intuition and level of complexity rather than by severity.
Naturally, developers will devote most of their time to creating new applications and features. For any DevSecOps initiative to succeed, it is important to ensure the optimal use of time allotted to remediation. Cybersecurity teams continue to compile lists of vulnerabilities, but that list can now be tested in a way that causes the least friction.
Following a series of high-profile security breaches, there is now more focus than ever before on securing software supply chains. The challenge is to find a way to better secure applications before and after deploying them in a production environment. There are always vulnerabilities that can be discovered after an application has been deployed. However, just because there is a vulnerability, that does not mean it is exploitable. The problem with today’s application security is that, all too often, remediation efforts become a waste of time.