Azul Systems Inc. today announced the launch of Azul Vulnerability Detection, a new software-as-a-service product designed to continuously detect known security vulnerabilities in Java applications to help enterprise customers avoid risk from software supply chain attacks.
Software supply chain attacks occur when a bug or vulnerability exists in a library imported from a software component that an application depends on. Because a single library can be used by hundreds or thousands of applications across numerous enterprise customers, one flaw leaves many organizations exposed to potential security risks and threats.
Detecting these vulnerabilities early and fixing them before they become a problem is fundamental to staying safe in an industry where software lifecycles are becoming shorter because developers build, test and deploy code faster than before. This means accepting pre-built libraries from external third parties, both open source and closed source, that need to be updated frequently in order to keep applications running and stay ahead of the competition.
“Azul Vulnerability Detection makes security a byproduct of simply running your Java software,” said Scott Sellers, Azul chief executive and co-founder. “Our new product fills a critical gap in customers’ security strategies – detecting vulnerabilities at the point of use in production, the endpoint of the software supply chain.”
According to a report from Gartner entitled “Emerging Tech: Bill of Materials is Critical to Software Supply Chain Management,” released in September, by 2025, 45% of organizations worldwide will be impacted by software supply chain attacks. This represents a three-fold increase from 2021.
An estimated 40% to 80% of the lines of code used by enterprise customers come from third parties such as libraries, components and software development kits. Vulnerabilities, bugs and other exploitable weaknesses can hide within any of these sources all along the supply chain.
One big example of a longstanding, ongoing software supply chain attack that occurred in the past 12 months is Log4Shell, which affected the widely-used open-source Java-based logging component Log4j from Apache. It was recently called an “endemic vulnerability” by the U.S. Department of Homeland Security.
“Attackers will target commonly used open source to find vulnerabilities because they know their wide usage will leave many organizations open to attack,” said Melinda Marks, senior analyst at Enterprise Strategy Group. “We’ve learned from past vulnerabilities like Log4Shell that the challenge is in rapidly finding the instances in use and quickly remediating them.”
Using Vulnerability Detection, enterprise customers get ongoing threat detection and continuous assessment of code, with no impact on performance. The code that actually runs is checked against curated, Java-specific databases of common vulnerabilities and exposures to reveal any vulnerability that may have been introduced along the supply chain, and sophisticated algorithms eliminate false positives.
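To make the "point of use" idea concrete, here is an added example (not Azul's code and not a description of how its product works internally) of the core matching step: an inventory of third-party components, together with whether the JVM actually loaded classes from each one, is compared against an advisory feed that lists affected version ranges. The advisory identifiers, the component coordinates, the version ranges and the observed inventory are all constructed for illustration; a real check would consume the loaded-class information from the JVM and advisories from a curated CVE database.

```python
"""
Added example: matching observed Java components against an advisory feed.

Everything below is constructed for illustration. The advisory ids are
placeholders, not real CVE numbers, and the coordinates are fictional.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed advisory feed: each entry covers [introduced, fixed) for one
# Maven coordinate (group:artifact). Real feeds carry real CVE ids and ranges.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "group": "com.example", "artifact": "widget",
     "introduced": "1.0", "fixed": "1.4"},
    {"id": "ADV-PLACEHOLDER-2", "group": "com.example", "artifact": "gadget",
     "introduced": "3.0-beta1", "fixed": "3.0"},
]


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    loaded: bool  # True if the JVM actually loaded classes from this jar


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '2.0-beta9' into a comparable key.

    Numeric dotted parts compare numerically; a pre-release qualifier sorts
    before the final release with the same numbers (2.0-beta9 < 2.0).
    """
    main, _, qualifier = v.partition("-")
    parts = tuple(int(p) for p in main.split(".") if p.isdigit())
    return (parts, 0 if qualifier else 1, qualifier)


def affected(adv: dict, comp: Component) -> bool:
    """True when the component's coordinate and version fall inside the advisory range."""
    if (adv["group"], adv["artifact"]) != (comp.group, comp.artifact):
        return False
    v = parse_version(comp.version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def scan(components: List[Component], advisories=ADVISORIES,
         only_loaded: bool = True) -> List[Tuple[str, str]]:
    """Return (advisory id, coordinate) pairs for affected components.

    With only_loaded=True a vulnerable jar that sits on the classpath but was
    never loaded is not reported; that is the point-of-use filter, which drops
    findings the running application cannot reach. Set it to False to see the
    classpath-wide view a static scan would produce.
    """
    findings = []
    for comp in components:
        if only_loaded and not comp.loaded:
            continue
        for adv in advisories:
            if affected(adv, comp):
                coord = f"{comp.group}:{comp.artifact}:{comp.version}"
                findings.append((adv["id"], coord))
    return findings


# Constructed inventory, as a hypothetical JVM might report it.
OBSERVED = [
    Component("com.example", "widget", "1.2", loaded=True),        # affected, in use
    Component("com.example", "widget", "1.4", loaded=True),        # fixed version
    Component("com.example", "gadget", "3.0-beta2", loaded=False),  # affected, never loaded
    Component("org.example", "other", "0.9", loaded=True),         # no advisory
]

if __name__ == "__main__":
    print("point of use:", scan(OBSERVED))
    print("whole classpath:", scan(OBSERVED, only_loaded=False))
```

The difference between the two calls at the bottom is the whole argument of the article: the classpath view reports two findings, while the point-of-use view reports only the one the application can actually execute, so the team remediates what is reachable first.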
The detection software is built to interoperate with numerous enterprise Java application software frameworks including Spring, Hibernate, Tomcat, Quarkus, Micronaut, and infrastructure such as Kafka, Cassandra, Spark, Hive, Hadoop and more.
Azul provides an agentless cloud SaaS solution that can provide monitoring and remediation capabilities based on real usage for production, testing and development environments. Using Azul’s own Java virtual machines, customers avoid performance and management issues associated with other tools and can simply view results from backend dashboards or alerts produced via application programming interfaces.
With Vulnerability Detection up and running, developer and operations teams can quickly discover vulnerabilities and resolve them before they can be exploited by malicious attackers. It is capable of checking all enterprise Java software irrespective of its source, whether it was developed in-house, purchased or introduced with a recent change.