Lacework Extends Security Reach Into Application Development
2023-11-15 03:36:11 Author: securityboulevard.com (view original) Reads: 9


Lacework today announced it has added tools for evaluating code security that are integrated with its cloud-native application protection platform (CNAPP).

Peter O’Hearn, director of engineering for Lacework, said the Lacework Software Composition Analysis (SCA) and Static Application Security Testing (SAST) tools will identify vulnerabilities in code along with where that insecure code is running in a production environment.

Specifically, the SCA tool provides continuous visibility into third-party libraries and the vulnerabilities in both direct and transitive dependencies, including where vulnerable functions are actually called in the code, how often each is referenced and who introduced the dependency. In addition, an always-up-to-date software bill of materials (SBOM) can be generated for every application, noted O’Hearn.

At the core of those capabilities is an extension of the Lacework runtime agent known as Code Aware Agent (CAA) that, once embedded within an application, enables code scans.

That matters because many of the vulnerabilities a security team finds in an application may not actually be present in the production environment. Developers working with security teams can then prioritize remediation on the vulnerabilities that are reachable and deployed, within DevSecOps workflows, so that fewer exploitable issues slip through. Simply throwing a list of vulnerabilities over the wall to an application development team is not especially helpful, noted O’Hearn.

The tools also analyze an application’s call chains and control-flow paths to determine whether a developer has introduced vulnerable code. In addition, security teams can add custom rules to address the needs of a specific codebase.
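The triage logic the preceding paragraphs describe (whether a vulnerable dependency is direct or transitive, whether the vulnerable function is actually reached from the application's call chains, how many call sites reference it, and whether the package is present in production) reduces to a couple of graph walks. The following is an added example written for this page; it is not Lacework code and does not show how the CAA works. The dependency graph, call graph, advisory list (hypothetical ADV-nnnn identifiers, not real CVEs) and runtime inventory are constructed sample data, and the three-tier priority rule is an assumption.

```python
"""Toy SCA triage: dependency depth + call-graph reachability + runtime presence.

Added illustration for this article; not Lacework code. Every data structure
below is constructed sample data with hypothetical names and advisory IDs.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
DEPENDENCIES = {
    "app": ["web-framework", "json-lib", "test-helper"],
    "web-framework": ["template-engine", "http-client"],
    "json-lib": [],
    "test-helper": [],          # pulled in for tests, never shipped
    "template-engine": [],
    "http-client": ["log-lib"],
    "log-lib": [],
}

# Constructed static call graph: caller -> callees ("package.function").
CALL_GRAPH = {
    "app.handle_request": ["web-framework.route", "json-lib.parse"],
    "app.health_check": ["json-lib.parse"],
    "web-framework.route": ["template-engine.render", "http-client.get"],
    "http-client.get": ["log-lib.format"],
    "json-lib.parse": [],
    "template-engine.render": [],
    "log-lib.format": [],
    "log-lib.lookup": [],       # vulnerable function that nothing calls
    "test-helper.fake_server": [],
}

# Constructed advisories with hypothetical IDs (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "function": "log-lib.lookup", "severity": "critical"},
    {"id": "ADV-0002", "function": "template-engine.render", "severity": "high"},
    {"id": "ADV-0003", "function": "test-helper.fake_server", "severity": "high"},
]

# Constructed runtime inventory: packages a production agent observed loaded.
RUNTIME_LOADED = {"web-framework", "json-lib", "template-engine", "http-client", "log-lib"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
PRIORITY_RANK = {"fix now": 0, "backlog": 1, "low": 2}   # assumed triage tiers


def dependency_depth(root="app"):
    """BFS over DEPENDENCIES; depth 1 is a direct dependency, deeper is transitive."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in DEPENDENCIES.get(pkg, []):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth


def reachable_functions(entry_points):
    """Walk CALL_GRAPH from the entry points and return callee -> number of
    call sites that reference it. Functions absent from the result are unreachable."""
    refs = {}
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        for callee in CALL_GRAPH.get(fn, []):
            refs[callee] = refs.get(callee, 0) + 1
            queue.append(callee)
    return refs


def triage(entry_points=("app.handle_request", "app.health_check")):
    """Rank advisories: reachable and loaded in production first, loaded but
    unreachable second, not loaded at all last; ties broken by severity."""
    depth = dependency_depth()
    refs = reachable_functions(entry_points)
    rows = []
    for adv in ADVISORIES:
        pkg = adv["function"].split(".")[0]
        loaded = pkg in RUNTIME_LOADED
        count = refs.get(adv["function"], 0)
        if loaded and count:
            priority = "fix now"
        elif loaded:
            priority = "backlog"
        else:
            priority = "low"
        rows.append({
            "id": adv["id"],
            "package": pkg,
            "severity": adv["severity"],
            "dependency": "direct" if depth.get(pkg) == 1 else "transitive",
            "references": count,
            "loaded_in_prod": loaded,
            "priority": priority,
        })
    rows.sort(key=lambda r: (PRIORITY_RANK[r["priority"]], SEVERITY_RANK[r["severity"]]))
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Note the ordering the sample produces: the critical advisory in `log-lib` drops below the high one in `template-engine`, because `log-lib.lookup` is never called from any application entry point while `template-engine.render` is, and the test-only dependency ranks last because the production inventory never loaded it. Severity alone would have ordered them the other way round, which is the point the article's "present in production" argument is making. A real tool also has to handle dynamic dispatch, reflection and plugin loading that a static call graph cannot see, so "unreachable" should downgrade, not close, a finding.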


As a result, security teams can combine static analysis of code with agentless runtime analytics to build a model of each application that tracks the paths untrusted data takes through it.

Lacework is making the case that a CNAPP can now secure software supply chains in addition to runtime environments. At the core of the Lacework platform is Polygraph, a self-learning engine that uses machine learning algorithms to surface security issues.

It’s not clear how quickly organizations are embracing CNAPPs to streamline the management of cybersecurity. The overall goal is to reduce the number of tools required, making security teams more efficient while also reducing costs. Extending a CNAPP into application development environments lets it identify issues long before a vulnerability finds its way into production.

It may never be possible to eliminate every vulnerability, but the time required to discover and remove them can be sharply reduced. Ultimately, that should lower the level of stress security teams experience whenever, for example, a new zero-day vulnerability is disclosed and they have to determine where the affected code is actually running.

Regardless of the approach, the one thing that is certain is that in the face of pending regulations, more attention will need to be paid to application security. The challenge is determining how best to go about improving it without unduly slowing down the pace at which applications are built and deployed.



Source: https://securityboulevard.com/2023/11/lacework-extends-security-reach-into-application-development/