5 Comments
Oct 3 · Liked by James Berthoty

Great article, James! Thanks! Minor fix: you missed a 'c'; it says 'between code and loud findings'. The article says, "The UX of traversing multiple discovery sources. I found this simple switch on the vulnerability findings view to be an extremely elegant approach for navigating the different vulnerabilities. There is a massive complexity in navigating the nuances between code and loud findings, and this simple toggle is a really smart approach."


All the good points, although why are you downplaying the risk of malware in code? Abusing org repos for malicious hosting is a real risk, but also the supply chain angle of malware in the code.

author

I consider malware detection in the supply chain a feature of SCA scanners like Socket and Xygeni, or of researchers like Phylum, whom Aikido partners with, rather than a separate scanner.


What do you think of the Snyk - Orca partnership?

I think you can get similar/same capabilities using them.

https://snyk.io/news/snyk-and-orca-security-forge-strategic-partnership/

author

From a pure feature standpoint, I agree. My concern for everyone else in this area, though, is the challenge of unifying those experiences across vendors - specifically the code-to-cloud relationship.
