Introduction
The modern software supply chain represents an ever-evolving threat landscape, with each package added to the manifest introducing new attack vectors. To meet industry requirements, organizations must maintain a fast-paced development process while staying up-to-date with the latest security patches. However, in practice, developers often face a large amount of security work without clear prioritization – and miss a significant portion of the attack surface altogether.
The primary issue arises from the detection and prioritization methods used by traditional Static Code Analysis (SCA) tools for vulnerabilities. These methods lack the organizational-specific context needed to make an informed scoring decision: the score, even if critical, might not actually be critical for an organization because its infrastructure works in a unique way – affecting the actual impact the vulnerability might have.
In other words, since these tools depend on a relatively naive methodology to determine a vulnerability’s risk, they end up with primarily irrelevant vulnerability scores – making determining which vulnerabilities to address first much harder.
Furthermore, they do not address many supply chain attacks, such as typosquatting, malicious code injection, CI/CD attacks, etc. This oversight misleads Application Security (AppSec) teams and developers into focusing on less critical issues, thus delaying the development process and leaving the organization vulnerable to significant attack vectors.
Myrror Security develops innovative solutions to these challenges by revolutionizing how organizations detect, prioritize and remediate their supply chain risks. Myrror’s platform ensures that AppSec and engineering teams tackle the right issues at the right time by utilizing binary-to-source analysis for every third-party package in the codebase. Unlike traditional SCA tools that assess impact using version-level detection in manifest files, Myrror uses a proprietary reachability vulnerability analysis algorithm. This algorithm identifies which vulnerabilities are actually reachable in production, thus enabling Myrror to prioritize security issues accurately.
This Platform Review will guide you through the entire Myrror user journey, from the initial SCM integration to the remediation plan generator, and provide a concise overview of the innovations Myrror Security has introduced to prevent alert fatigue, empower your organization to work more effectively and protect it from the threats of the modern software supply chain. To get a personalized demo, visit their website here.
Getting Started and Setup
Myrror is designed for easy installation on the organization’s existing source code management platform. When Myrror is connected to your SCM, a discovery process of the organization’s dependencies begins. The organization can later select specific repositories for active vulnerability and supply chain attack scanning, providing a prioritized overview of identified risks.
The Discovery Section
This section enables you to take stock of the supply chain risk associated with your codebase and determine the actual threat landscape you’re exposed to from your open-source dependencies.
The Repositories tab shows you all the issues in each monitored repository and allows you to choose which to monitor and which to ignore. This will allow you to remove some noise associated with repositories that are not in active use, will soon be deprecated, or are simply irrelevant. This tab serves as the control panel over all of your repositories. It complements the issues screen by pointing you toward your most at-risk repositories – allowing for a project- or application-level “bird’s eye” view of the threats.
The Dependencies tab aggregates every open-source dependency in your codebase and creates a graph of all the repositories in which each one is used. This key overview allows you to get a complete picture of the open-source libraries your organization relies upon. Despite the immense increase in open-source repositories in basically every software project, organizations don’t have any control over external dependencies; taking inventory of what is being used in your code is the first step to controlling what’s happening.
The Myrror Dashboard
Once the installation is complete and the user chooses the repositories to scan, the Myrror dashboard is populated with information about your repositories, their dependencies, and the issues they contain. When the user chooses to monitor additional repositories or connect more SCM sources, the dashboard is automatically updated with more information about the new codebases.
The dashboard provides high-level insights into the issues across the entire set of the organization’s codebase, including:
- Detection Status
- Issues by category
- Dependencies with Security Status
- The Riskiest Repository
- Issues per code language,
- Status of Remediation
- Out-of-data Dependencies
- And more
These charts and graphs generate a detailed and complete overview, providing organizations with clear insights into areas requiring the most work. Note the repository filter on the top right – this allows specific teams to get accurate information about their work and the repositories they are in charge of and export only the relevant data for them.
The Issues Screen
This is the core of the Myrror Security platform. Here, all your issues are prioritized and flagged according to their actual severity, reachability, and exploitability for a clear understanding of what to tackle next. Various parameters are organized into columns, offering more profound insights into each specific issue.
Among these parameters, the reachability column sets Myrror apart from traditional SCA platforms. It assesses whether the issue is actually reachable in production, which factors into the prioritization – ensuring reachable vulnerabilities can be tackled first.
But the platform doesn’t stop at prioritizing vulnerabilities according to reachability – it also considers whether this is a direct or indirect dependency, whether a fix is available to remediate the issue, and whether an exploit has been confirmed to exist in the wild. All of these parameters help the platform prioritize issues accurately and reliably.
You can see all the following pieces of information about each vulnerability:
- Severity (taking all the above factors into account)
- Origin
- Reachability
- Dependency File(s)
- Category – Vulnerability / Supply Chain Attack (see more in the Detecting Supply Chain Attacks section)
- Exploit Availability
- Fix Availability
- Dependency Relationship
- First Seen
- Original Commit
Filters (including a repository filter) are available here too, along with an option to export the table and download insights for report creation. This assists security teams in maintaining records in local storage and generating internal audit reports. These reports, emailed to the user, contain comprehensive information directly from the platform that can be shared with other team members and stakeholders.
Note that there are 3 different tabs available on this screen:
- The “All” tab contains all the issues combined, providing data insights in a single page about the overall supply chain threat landscape – including vulnerabilities and attacks.
- The “recommended” tab contains the specific issues recommended for remediation per severity and reachability – essentially your “go-to” pane when deciding what to tackle first.
- Finally, the “Low Risk” tab has issues that you can deal with at a later point in time.
Each issue also has its in-depth analysis, with insights on the impact, scope, and origin of the issues shown on one screen. This detailed overview provides external links to the CVE to learn more about it, as well as information about the affected repositories and a concrete remediation plan to ensure swift action can be taken on each issue.
The primary tabs available on this screen are:
- Details – a primary overview of the vulnerability or supply chain attack
- Affected Repositories – a list of all repositories that depend on this package, allowing you to “connect the dots” across the entire monitored codebase
- Remediation Plan – Myrror calculates the optimal path of remediation, ensuring that the smallest amount of newly-introduced vulnerabilities end up in the codebase after the remediation process is complete
- Attack Overview (see next section for more details)
Detecting Supply Chain Attacks
Keep in mind that Myrror does more than just detect vulnerabilities – it also detects various forms of supply chain attacks – including but not limited to:
- Typosquatting
- Dependency Confusion
- Malicious Code In Repo / Code Injection
- CI/CD Attack
When it detects those attacks, the detection mechanism and remediation plan might not be as straightforward as normal vulnerabilities. In those cases, Myrror will show a more in-depth analysis of the attack, enabling practitioners to grasp the situation and pinpoint the concrete link in the chain that’s at fault. See below for an example of Myrror’s analysis of a code injection attack:
The Remediation Plan Generator
Planning your remediation efforts typically requires comprehending the new threats introduced during patching. In most cases, applying a patch results in a new set of vulnerabilities due to the new dependencies (and their transitive dependencies) it introduces.
For every monitored repository, Myrror simplifies the issue remediation process by automatically calculating the number of fixes available for all the issues, how many new vulnerabilities will be introduced during the remediation process, and how many issues will remain at the end.
Conclusion
AppSec teams suffer from profound alert fatigue today, driven by an overwhelming amount of security issues and a lack of clear prioritization of what to work on first. In addition, most teams are completely unaware of the supply chain attacks they are exposed to and have no clear path for detecting them or offering proper remediation.
Myrror’s Reachability-based prioritization offers a way out of vulnerability hell. At the same time, their binary-to-source analysis mechanism enables detection of more than just simple vulnerabilities – and allows you to defend against a host of supply chain attacks.
You can book a demo to learn more on their website here.
https://thehackernews.com/2024/02/hands-on-review-myrror-security-code.html