Great article James! Thanks! Minor fix, you missed a 'c', it says 'between code and loud findings'. The article says, "The UX of traversing multiple discovery sources. I found this simple switch on the vulnerability findings view to be an extremely elegant approach for navigating the different vulnerabilities. There is a massive complexity in navigating the nuances between code and loud findings, and this simple toggle is a really smart approach."
All the good points, although why are you downplaying the risk of malware in code? Abusing org repos for malicious hosting is a real risk, but also the supply chain angle of malware in the code.
I consider malware detection in the supply chain as a feature of SCA scanners like Socket and Xygeni, or researchers like Phylum who Aikido partners with, rather than a separate scanner.
We are probably talking about different things. Beyond the malicious dependencies that are tracked by SCA scanners there could be malware as part of the proper application code.
If I understand Wiz correctly the malware scanner wouldn't pick this up - it's using their existing malware file scanning.
What do you think of the Snyk - Orca partnership?
I think you can get similar/same capabilities using them
https://snyk.io/news/snyk-and-orca-security-forge-strategic-partnership/
From a pure feature standpoint, I agree. My concern for everyone else in this area, though, is the challenge of unifying those experiences across vendors - specifically the code-to-cloud relationship.