Episode #8—Deepfactor’s ‘Next-Gen AppSec’ series:
Deepfactor Software Composition Analysis (SCA): 80% Less Noise, 50% Lower Cost
Deepfactor’s VP of Engineering, Rizwan Merchant, and Director of Engineering, Vikas Wadhvani, will show you how to cut through the software composition analysis (SCA) tool noise for a very granular, prioritized view of what needs to be fixed NOW: the vulnerabilities that are not just severe, but have a high degree of exploitability, are reachable at runtime, and are currently running in your production environment. This reduces the list of SCA alerts by over 80% and saves you money compared to your current SCA tools.
In this session, they’ll walk through the following using the newest version of Deepfactor Application Security, release 3.6:
Use Deepfactor on all stages of the SDLC:
1. On the developer laptop
2. In the CI pipeline
3. In a production Kubernetes environment
On the developer laptop, use dfctl CLI on Mac/Windows to:
• Detect vulnerabilities in OSS dependencies and container images
• Detect insecure file, network or memory behaviors by scanning running docker containers
• Generate SBOMs in CycloneDX and SPDX
In the CI pipeline:
• Scan for vulnerabilities in code and containers.
• Gate builds using dfctl CLI.
In a production Kubernetes environment:
• Identify the highest risks in running Kubernetes environments by using a rich selection of filters and answer queries such as:
  • Where do I have Log4j in my production K8s clusters that is runtime reachable, has critical CVEs, and is exploitable?
  • Where do I have reachable, exploitable vulnerabilities in my test or production K8s clusters?
  • Show me all container images that have CVEs with CVSS > 8, EPSS > 10%, or a listing in CISA KEV (Known Exploited Vulnerabilities).
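The queries above combine four signals: CVSS severity, EPSS exploit probability, CISA KEV membership and runtime reachability. The following is an added illustration of that prioritization logic over constructed sample findings; it is not Deepfactor's code, data model or output format, and the `Finding` fields, image names and `CVE-EXAMPLE-*` identifiers are all hypothetical placeholders.

```python
"""Added example: prioritizing SCA findings by severity (CVSS), exploit
likelihood (EPSS), CISA KEV listing and runtime reachability.
Hypothetical data model; not Deepfactor's API or report format."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    image: str          # container image the package was found in (constructed)
    package: str        # OSS dependency name
    cve: str            # CVE id; CVE-EXAMPLE-* values below are placeholders
    cvss: float         # CVSS base score, 0-10
    epss: float         # EPSS probability, 0.0-1.0 (0.10 == 10%)
    in_kev: bool        # listed in the CISA Known Exploited Vulnerabilities catalog
    reachable: bool     # package code observed executing at runtime
    cluster: str = "prod"


# Constructed sample findings; none of these describe a real image or CVE.
SAMPLE = [
    Finding("api:1.4", "log4j-core", "CVE-EXAMPLE-0001", 10.0, 0.97, True, True),
    Finding("api:1.4", "jackson-databind", "CVE-EXAMPLE-0002", 9.8, 0.02, False, False),
    Finding("web:2.0", "openssl", "CVE-EXAMPLE-0003", 7.5, 0.15, False, True),
    Finding("web:2.0", "lodash", "CVE-EXAMPLE-0004", 5.3, 0.01, False, True, cluster="test"),
    Finding("batch:0.9", "curl", "CVE-EXAMPLE-0005", 8.1, 0.30, True, False),
    Finding("cache:3.1", "redis", "CVE-EXAMPLE-0006", 6.5, 0.03, False, False),
]


def high_risk_images(findings, cvss_min=8.0, epss_min=0.10):
    """'Show me all container images with CVSS > 8, EPSS > 10% or CISA KEV':
    returns the sorted set of image names with at least one such CVE."""
    return sorted({f.image for f in findings
                   if f.cvss > cvss_min or f.epss > epss_min or f.in_kev})


def reachable_exploitable(findings, clusters=("test", "prod"), epss_min=0.10):
    """'Where do I have reachable, exploitable vulnerabilities in test or prod':
    reachable findings in the given clusters that are KEV-listed or have
    EPSS above the threshold, ordered from highest to lowest risk."""
    hits = [f for f in findings
            if f.cluster in clusters and f.reachable
            and (f.in_kev or f.epss > epss_min)]
    hits.sort(key=lambda f: (f.in_kev, f.epss, f.cvss), reverse=True)
    return [f.cve for f in hits]


def triage(f, epss_min=0.10, cvss_min=7.0):
    """Assign a single finding to a work queue (thresholds are illustrative):
    fix-now  : reachable at runtime AND likely exploitable AND high severity
    schedule : reachable or KEV-listed, but missing one of the other signals
    defer    : neither reachable nor known-exploited; noise for today's sprint"""
    exploitable = f.in_kev or f.epss > epss_min
    if f.reachable and exploitable and f.cvss >= cvss_min:
        return "fix-now"
    if f.reachable or f.in_kev:
        return "schedule"
    return "defer"


def triage_counts(findings):
    """Count findings per queue; the 'defer' bucket is the noise removed
    from the raw SCA list."""
    return dict(Counter(triage(f) for f in findings))


if __name__ == "__main__":
    print("high-risk images:", high_risk_images(SAMPLE))
    print("reachable+exploitable:", reachable_exploitable(SAMPLE))
    print("queues:", triage_counts(SAMPLE))
```

Note that a CVSS 9.8 finding (`jackson-databind` above) lands in `defer` because the package never executes and is not in KEV, while a CVSS 7.5 finding that is reachable and has a 15% EPSS lands in `fix-now`; this is the kind of reordering that severity-only SCA output does not give you.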
Robust enterprise user management capabilities:
• Group an enterprise into teams of users
• Define roles for each team member with RBAC: org admin, team admin, developer and viewer