Cloud security provider Lacework announced the expansion of its platform to include code security, increasing coverage of the full application lifecycle. The new features provide Lacework customers with comprehensive visibility throughout the application development process, helping to identify and remediate security issues before deployment.

Lacework introduced new Software Composition Analysis (SCA) and Static Application Security Testing (SAST) capabilities, significantly enhancing its platform. Let’s look at each in turn.

Software Composition Analysis

Lacework’s new SCA tools focus on providing continuous visibility into the third-party software libraries in customers’ repositories and on protecting the software supply chain. The solution offers several distinctive features that make it more effective at managing third-party code vulnerabilities:

- Continuous visibility and tracking: Lacework provides continuous visibility into the third-party software libraries used in customers’ repositories. It covers both direct and indirect (transitive) dependencies, giving a comprehensive view of the software supply chain.

- Detailed vulnerability insights: Beyond basic SCA functionality, Lacework highlights specific details such as where vulnerable functions are used in the code, how frequently they are used, and which parties introduced each vulnerability and are responsible for fixing it.

- Real-time Software Bill of Materials (SBOM): Lacework always maintains an up-to-date SBOM for each application. This is essential for understanding the components that make up an application and managing the associated security risks.

- Extends to cloud-native workloads: Lacework extends its SCA capabilities to give visibility of vulnerable packages across their entire lifecycle, from their use in source code to their activity in cloud-native workloads. This holistic approach matters for comprehensive security management.

- Active Vulnerability Detection (AVD): Integrating AVD with the Lacework runtime agent, known as the Code Aware Agent (CAA), identifies runtime package activity across cloud workloads. This improves the detection and management of vulnerabilities in real time.

- Priority based on actual usage: Lacework’s SCA lets organizations prioritize updating or removing packages based on their actual activity, so resources go to the most critical vulnerabilities first.

- Understanding open-source license risks: Along with security vulnerabilities, Lacework SCA also provides insight into open-source license risks, an important aspect of compliance and risk management in software development.

- Combining static and runtime analysis: Combining static program analysis with runtime insights provides a more dynamic and effective way to detect and manage vulnerabilities in software applications.
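The list above describes what an SCA pipeline of this kind does: walk direct and transitive dependencies, keep an SBOM-style inventory, match it against a vulnerability feed, note license risk, and rank findings by whether the package actually runs. The following is an added example of those steps, written for this article and not Lacework’s code or API. Every package name, advisory identifier, license, severity and runtime observation in it is constructed sample data, and the ranking policy (active packages first, then severity, then direct before transitive) is an assumption chosen to illustrate the "priority based on actual usage" idea.

```python
"""Added example, not Lacework's code: resolve a root package's direct and
transitive dependencies, emit a minimal SBOM-style inventory, match it against
a vulnerability feed, flag license risk, and rank findings so packages that
were actually observed loading at runtime come first.
All package names, advisories, licenses and runtime observations below are
constructed sample data."""
from collections import deque

# Constructed manifest: package -> the packages it depends on.
DEPENDENCY_GRAPH = {
    "shop-api": ["webkit-lite", "http-client"],
    "webkit-lite": ["wsgi-kit", "templating"],
    "http-client": ["tls-roots", "json-fast"],
    "templating": ["escaper"],
    "wsgi-kit": [],
    "tls-roots": [],
    "json-fast": [],
    "escaper": [],
}

# Constructed license inventory and a constructed policy of licenses to flag.
LICENSES = {
    "webkit-lite": "BSD-3-Clause", "http-client": "Apache-2.0",
    "wsgi-kit": "MIT", "templating": "MIT", "tls-roots": "MPL-2.0",
    "json-fast": "MIT", "escaper": "GPL-3.0-only",
}
FLAGGED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed vulnerability feed: package -> (advisory id placeholder, severity).
VULN_FEED = {
    "json-fast": ("ADVISORY-PLACEHOLDER-1", "high"),
    "escaper": ("ADVISORY-PLACEHOLDER-2", "medium"),
    "wsgi-kit": ("ADVISORY-PLACEHOLDER-3", "critical"),
}

# Constructed runtime observation: packages whose code was seen loading.
RUNTIME_LOADED = {"webkit-lite", "wsgi-kit", "templating", "http-client"}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def resolve_dependencies(root, graph):
    """Breadth-first walk returning {package: depth}; depth 1 is a direct
    dependency, anything deeper is transitive."""
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, d = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in depth:
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def build_sbom(root, graph, licenses):
    """One record per component with its depth, direct flag and license."""
    deps = resolve_dependencies(root, graph)
    return [
        {"name": p, "depth": d, "direct": d == 1,
         "license": licenses.get(p, "UNKNOWN"),
         "license_flagged": licenses.get(p) in FLAGGED_LICENSES}
        for p, d in sorted(deps.items())
    ]


def prioritized_findings(root, graph, licenses, feed, loaded):
    """Join the SBOM with the feed; sort active (runtime-loaded) packages
    first, then by severity, then direct before transitive."""
    findings = []
    for comp in build_sbom(root, graph, licenses):
        if comp["name"] in feed:
            advisory, severity = feed[comp["name"]]
            findings.append({**comp, "advisory": advisory, "severity": severity,
                             "active": comp["name"] in loaded})
    findings.sort(key=lambda f: (not f["active"],
                                 -SEVERITY_RANK[f["severity"]], f["depth"]))
    return findings


if __name__ == "__main__":
    for f in prioritized_findings("shop-api", DEPENDENCY_GRAPH, LICENSES,
                                  VULN_FEED, RUNTIME_LOADED):
        state = "ACTIVE" if f["active"] else "inactive"
        print(f'{f["name"]:12} {f["severity"]:8} depth={f["depth"]} {state}')
```

Run as a script it lists the three matched packages with the transitive but actively loaded "wsgi-kit" ranked above the higher-depth, never-loaded "escaper", which is the point of usage-based prioritization: a vulnerable package that never executes is lower risk than one that does, even when it sits deeper in the graph.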

[Image: Lacework SCA. Source: Lacework]

These features make Lacework’s SCA a powerful tool for enterprises, providing a deeper and more actionable understanding of third-party code vulnerabilities, thereby increasing the overall security posture and compliance of their software applications.

The new SCA capabilities will help organizations maintain the latest software bill of materials (SBOM) for each application and provide continuous visibility into their software supply chain, including understanding open-source license risks.

Static Application Security Testing

Lacework’s SAST capabilities provide visibility into complex vulnerabilities in Internet-facing applications and incorporate a sophisticated analysis of call chains and control paths to identify potential security risks with low false positives and negatives.

The new SAST tool has several unique and distinct features that set it apart from traditional SAST solutions:

- Sophisticated analysis techniques: Lacework SAST uses advanced methods to analyze an application’s call chains and control paths. This deeper analysis captures the context of the code, allowing more accurate identification of potential security vulnerabilities.

- Low rates of false positives and negatives: A common problem with traditional SAST tools is high rates of false positives and false negatives. Lacework’s SAST is designed to minimize both, providing more accurate and reliable results.

- Compensating control validation: The tool can recognize when developers have implemented compensating controls in code to reduce risk, so the analysis reflects the application’s actual security posture rather than flagging risks that are already mitigated.

- Customization and configuration: Lacework allows security engineers to customize and add rules to suit the specific needs of their codebase, so the tool can adapt to a wide range of applications and security requirements.

- Speed and scalability: Lacework SAST is designed to be fast and scalable, capable of assessing millions of lines of code in minutes. This is particularly beneficial for large-scale enterprise applications and rapid development environments.

- Comprehensive visibility of vulnerabilities: Lacework SAST provides in-depth insight into potential vulnerabilities, especially in Internet-facing applications. It tracks the path of untrusted data to identify zero-day vulnerabilities that could lead to serious exploits such as SQL injection.

- Improved security posture: By combining sophisticated analysis with accurate results, Lacework’s SAST tool improves the overall security posture of applications, enabling security teams to address vulnerabilities more effectively.
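Two of the SAST features above, tracking untrusted data along a path to a dangerous sink and recognizing a compensating control on that path, are the core of taint analysis. The block below is an added example written for this article, not Lacework’s engine or any of its rules; it is a deliberately small intra-procedural tracker over Python’s standard ast module, whereas the text describes analysis across call chains. The source call names, the cursor.execute sink, the hypothetical allowlist_id validator and the three sample functions are all constructed. The parameterized variant is the preferred fix for SQL injection; the compensated variant only shows how an analyzer stops reporting once a control it has been told to trust sits between source and sink.

```python
"""Added example, not Lacework's code: a small intra-procedural taint tracker
over Python's ast module. It follows data from an untrusted source
(request parameters) through assignments and string building into a SQL
execution sink, reports the flow, and treats a designated validation
function as a compensating control that clears taint. The source, sink and
sanitizer names and the three sample functions are constructed."""
import ast

SOURCE_CALLS = {"request.args.get", "request.form.get"}   # constructed sources
SINK_CALLS = {"cursor.execute"}                           # constructed sink
SANITIZERS = {"allowlist_id"}                 # hypothetical compensating control


def dotted_name(node):
    """Render request.args.get-style call targets as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def expr_tainted(node, tainted):
    """True if the expression carries data derived from a source."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted_name(node.func)
        if name in SANITIZERS:        # validated value: taint stops here
            return False
        if name in SOURCE_CALLS:
            return True
        # .format(...) and other calls propagate taint from their arguments
        return any(expr_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.JoinedStr):   # f-string
        return any(expr_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):       # "..." + x  and  "..." % x
        return expr_tainted(node.left, tainted) or expr_tainted(node.right, tainted)
    if isinstance(node, (ast.Tuple, ast.List)):
        return any(expr_tainted(e, tainted) for e in node.elts)
    return False


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()      # names currently holding untrusted data
        self.findings = []        # (line, sink) pairs

    def visit_Assign(self, node):
        is_tainted = expr_tainted(node.value, self.tainted)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if is_tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned from clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        # Only the query text (first argument) matters: bound parameters in
        # later arguments are sent separately and never spliced into SQL.
        if name in SINK_CALLS and node.args and expr_tainted(node.args[0], self.tainted):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyze(source):
    """Return [(line, sink)] for every tainted value reaching a sink."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed samples: string-built query, parameterized query, and a
# string-built query guarded by the compensating control.
VULNERABLE = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    query = f"SELECT * FROM users WHERE id = {uid}"
    cursor.execute(query)
'''
PARAMETERIZED = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
'''
COMPENSATED = '''
def lookup(request, cursor):
    uid = allowlist_id(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + uid)
'''

if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE), ("parameterized", PARAMETERIZED),
                       ("compensated", COMPENSATED)]:
        print(label, analyze(src))
```

Only the first sample produces a finding. The parameterized version passes because the query text reaching the sink is a constant, which is exactly why binding parameters is the fix rather than a compensating control. A real engine would also follow taint across function calls and through containers, which is the "call chains and control paths" work the text credits Lacework with; this tracker stops at the function boundary.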

[Image: Lacework SAST. Source: Lacework]

These features work together to make Lacework’s SAST a robust and efficient tool for modern application security, helping organizations secure their first-party code with higher accuracy and lower operational overhead.

Analyst opinion

The new code protection tools extend Lacework’s platform to cover the entire application lifecycle, enhancing its capabilities in code and cloud security. This enables enterprises to innovate and deliver secure cloud-native applications more effectively.

Lacework is not alone in providing tools for application lifecycle security – it is a crowded market. Vendors like Lacework, Snyk, Rapid7, and Palo Alto Networks, among others, provide pieces of the puzzle, but Lacework is one of the very few vendors that offers full application lifecycle security.

The newly introduced features provide Lacework customers with comprehensive visibility throughout the application development process, helping to identify and remediate security issues before deployment.

By integrating code security into its platform, Lacework unifies code and cloud security, allowing enterprises to more efficiently develop and deliver secure cloud-native applications. The ability to provide integrated cloud and application lifecycle security is a key differentiator for Lacework. We like this approach.

Disclosure: Steve McDowell is an industry analyst, and NAND Research is an industry analyst firm that engages or is involved in research, analysis, and advisory services with a number of technology companies, which may include the companies mentioned in this article. Mr. McDowell does not hold any equity positions in any companies mentioned in this article.