7 Comments
Oct 3 · Liked by James Berthoty

Great article James! Thanks! Minor fix, you missed a 'c', it says 'between code and loud findings'. The article says, "The UX of traversing multiple discovery sources. I found this simple switch on the vulnerability findings view to be an extremely elegant approach for navigating the different vulnerabilities. There is a massive complexity in navigating the nuances between code and loud findings, and this simple toggle is a really smart approach."


All good points, although why are you downplaying the risk of malware in code? Abusing org repos for malicious hosting is a real risk, but so is the supply chain angle of malware in the code.

author

I consider malware detection in the supply chain a feature of SCA scanners like Socket and Xygeni, or of researchers like Phylum, whom Aikido partners with, rather than a separate scanner.


We are probably talking about different things. Beyond the malicious dependencies that are tracked by SCA scanners, there could be malware as part of the application code itself.

author

If I understand Wiz correctly, the malware scanner wouldn't pick this up - it's using their existing malware file scanning.


What do you think of the Snyk - Orca partnership?

I think you can get similar/same capabilities using them.

https://snyk.io/news/snyk-and-orca-security-forge-strategic-partnership/

author

From a pure feature standpoint, I agree. My concern for everyone else in this area, though, is the challenge of unifying those experiences across vendors - specifically the code to cloud relationship.
