Download PDF version Contact company

Aqua Security, the pioneer in cloud native security, announced it added pipeline integrity scanning to prevent software supply chain attacks and assure CI/CD pipeline integrity.

Powered by eBPF technology, Aqua’s pipeline integrity scanner detects and blocks suspicious behaviour and malware in real time, preventing code tampering and countering threats in the software build process. This industry-first solution equips organisations to feel confident in their ability to strategically stop the most aggressive software supply chain threats that produce massive attack surfaces.

Supply chain threats

With the rise of software supply chain attacks, and a constantly changing threat landscape, organisations are now being held accountable for incorporating security best practices throughout their software development lifecycles.

Software integrity validation, one of these best practices, is mentioned as one of the key requirements in major industry frameworks for supply chain security including SLSA, NIST Secure Software Development Framework and the CIS Software Supply Chain Benchmark. 

SolarWinds demonstrated the catastrophic effects of compromising the integrity of the software"

SolarWinds demonstrated the catastrophic effects of compromising the integrity of the software build process and the critical need to continuously validate software integrity,” said Amir Jerbi, CTO of Aqua Security, adding “Our new pipeline integrity scanner solves one of the industry’s most urgent needs to ensure the integrity of the modern development process and prevent this type of destructive software supply chain attack.”

Modern development process

Aqua’s pipeline integrity scanner detects suspicious behaviour or malware that characterises a supply chain attack. The capability also takes advantage of behavioural signatures produced by the Aqua Nautilus research team to detect zero-day threats based on cloud native attacks seen in the wild.

After connecting to the build pipeline, pipeline integrity scanning allows developers to:

  • Monitor the build pipeline and define a baseline for how the build operates. Teams can understand how their build pipeline runs and what is typical network activity, file access patterns and process activity in known good environments.
  • Detect any drifts from the baseline. Once the baseline is established, the scanner can detect any drift from this state and alert teams on anything unusual and anomalous (including unexpected file modification, establishing communication with a suspicious URL, usage of a dropped malicious executable) to guarantee the integrity of the build process.
  • Minimise attack vectors. Close security gaps in CI/CD pipelines by continuously scanning for pipeline drift. This allows teams to prevent the tampering of code in the earliest stages of the software build process and maintain dev tool integrity.
  • Set up assurance policies. To scale safe development practices and ensure software integrity, assurance policies can be implemented to block completion of new builds that show signs of suspicious activity. This gives developers the ability to react in the development process where it is easier to fix.

Supply chain attacks

Aqua’s pipeline integrity scanner leverages Tracee, the company’s robust open source runtime security

This is the first solution of its kind,” adds Jerbi. “Other software supply chain security tools only focus on code scanning or static analysis of build artifacts, such as a software bill of materials or SBOM. These are important but have proven insufficient to detect and stop supply chain attacks of this type.”

Aqua’s pipeline integrity scanner leverages Tracee, the company’s robust open source runtime security and forensics sensor for Linux. Thanks to its lightweight capabilities, eBPF technology can provide visibility into the build’s runtime and detect threats in real time with minimal disruption.

By detecting and stopping drift of the original build through eBPF-based scanning and policies, teams can protect their software from unauthorised access and prevent advanced supply chain attacks. 

Most comprehensive protection

Aqua is the first to introduce this dynamic capability that complements its existing shift-left capabilities including code scanning, CI/CD posture management, and next-gen SBOM to provide customers with the most comprehensive protection on the market.

Pipeline integrity scanning is part of its Software Supply Chain Security solution that secures code, all development infrastructure, and pipeline processes so that organisations can build and ship innovation faster and more securely.

Delivered by the Aqua Cloud Security Platform, a cloud native application protection platform (CNAPP), it improves operational efficiency by connecting cloud to dev and tracing runtime risks to the code and developer who can fix them.

Download PDF version Download PDF version

In case you missed it

How can the industry do a better job of promoting emerging technologies in physical security environments?
How can the industry do a better job of promoting emerging technologies in physical security environments?

By all accounts, technology development is moving at a rapid pace in today's markets, including the physical security industry. However, market uptake of the newest technologies ma...

Dahua & KITT Engineering's LED screen innovations
Dahua & KITT Engineering's LED screen innovations

About a year and a half ago, Peter de Jong introduced Dahua to Fred Koks, General Manager of KITT Engineering. Since then, Dahua, KITT Engineering, and Ocean Outdoor have complete...

Protect assets with BCD's hybrid cloud NVR solutions
Protect assets with BCD's hybrid cloud NVR solutions

Like any retail franchise, car dealerships that have multiple locations nationwide require comprehensive, reliable, and scalable video surveillance solutions to protect their busin...

Quick poll
What is the most significant challenge facing smart building security today?