Introduction to Deepfactor

Deepfactor is a Developer Security Platform that empowers engineering teams to create secure and compliant cloud-native applications. With Deepfactor, developers can quickly discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development and testing, saving valuable engineering time and reducing risk. 

The Deepfactor integrated approach to developer security saves time and effort integrating multiple security tools into the software development life cycle (SDLC) pipeline. Deepfactor offers:

  1. Software Bill of Materials (SBOM)
  2. Software Composition Analysis (SCA) including dependency scans and container image scans
  3. Runtime security analysis for observing running containers & applications
  4. Dynamic Application Security Testing (DAST)
  5. Compliance Reporting including SOC 2 Type 2, PCI DSS, and NIST 800-53
  6. Correlation between runtime analysis, SBOM, SCA and other modules

Software Bill of Materials (SBOM)

Deepfactor provides a comprehensive SBOM solution to customers. Deepfactor’s SBOM solution includes the following:

  1. Static SBOM
    The static SBOM includes a collection of dependencies, packages in container images as well as licensing information (GPL etc..).

  2. Dynamic SBOM
    The Dynamic SBOM, which is unique to Deepfactor, includes runtime information such as processes, ports, outbound network connections and other information gathered while observing the applications as they are running.

  3. Grouping of containers based on application
    When containers are launched in Kubernetes or other platforms, Deepfactor automatically correlates and groups containers into applications, providing rich context around how the inventory of containers is organized within the enterprise.

  4. SBOM info automatically tied to versions of containers
    Deepfactor automatically catalogs the SBOM based on the version number of an application/container image.

  5. Download to preferred format
    Deepfactor enables the user to simply select the version of a container/app and download the SBOM into their preferred formats.

Software Composition Analysis (SCA) including dependency scans and container image scans


What does Deepfactor’s SCA module do?
Deepfactor performs a scan of dependencies and container images and compares them with over a dozen publicly available vulnerability databases (such as the NIST Vulnerability Database). In addition, Deepfactor provides CVE and related information regarding the dependencies. In addition to the included vulnerability databases, Deepfactor offers integrations with popular 3rd party SCA tools, such as Synopsys BlackDuck.

How does Deepfactor improve traditional SCA with correlation between runtime analysis?
Whenever available, Deepfactor’s correlation engine determines whether the vulnerable dependencies and packages are used during the application runtime, and overlays this usage information on top of the vulnerability findings to prioritize alerts. Combining static SCA findings with runtime usage information is unique to Deepfactor, and it greatly helps reduce alert fatigue.

Example:
As an example, while traditional SCA tools might say that your container image A has 200 vulnerabilities, Deepfactor is able to give you a much deeper analysis, and will tell you - your application was started in kubernetes namespace N, loaded 7 containers, they have 500 vulnerabilities, 25 of them are higher priority because they were observed to be used by your application when it ran in your dev, test and prod environments.

Runtime Security Analysis

What are the benefits of observing running applications & containers?
While the SCA can help identify known vulnerabilities, applications often exhibit insecure behaviors that haven’t yet been publicly recognized nor are available as known CVEs. These risks typically manifest as high risk behaviors in process, memory, file, and network exhibited by your application code and 3rd party code.

Runtime analysis is highly useful in both dev/test and production environments. During dev and test, it can help uncover risky behaviors in the application code or dependencies, and when fixed, can improve the security posture of the applications when they are deployed in production. Runtime analysis, if implemented in production environments, can help uncover indicators of compromise, by pinpointing suspicious file, network and memory behaviors.

How does Deepfactor’s runtime analysis work?
Deepfactor’s runtime analysis module can be enabled in two ways -
(a) For Kubernetes applications, by using an admission webhook
(b) For docker containers or traditional non-containerized applications, by using a CLI tool dfctl.

When enabled, Deepfactor loads a lightweight library libdf.so,  into every thread/process/container/pod that it is enabled in, and observes over 200 parameters covering file, network, process, memory and other behaviors. Deepfactor then analyzes this telemetry data and pinpoints anomalies that can suggest indicators of risk.

Deepfactor has a robust policy engine that comes with an integrated rule set that provides engineering best practices. Out of the box policies make it extremely simple for dev, QA or security teams to get started very quickly. For organizations with deep security expertise, the Deepfactor policy engine provides the ability to customize and fine-tune the policies.

How can a developer benefit from runtime analysis?
All the alerts include detailed remediation guidance. Since Deepfactor observes the running application, it is capable of providing rich information and context with every alert such as host information, IP addresses, file name, process name and even stack traces. This rich information makes it much easier for developers to identify and remediate the issue.

How does Deepfactor runtime analysis compare with traditional container security tools?
Traditional container security tools that perform runtime analysis, require intrusive kernel mode agents to be installed on each Kubernetes host. Deepfactor requires no kernel mode or host based agents, and uses a lightweight API interception method that works in user space. Please read our whitepaper on API interception here for more details.

 

Dynamic Application Security Testing (DAST)

Deepfactor provides an integrated Dynamic Applicaton Security Testing (DAST). Deepfactor users can select a web interface or pass along an API doc such as swagger, select the depth of the scan, and Deepfactor will perform a DAST scan and detect vulnerabilities such as those contained in the OWASP Top 10 vulnerabilities.

 

Compliance Reporting  (SOC 2 Type 2, PCI DSS, NIST 800-53)

The importance of Shifting Compliance Left
While it is very important to incorporate security into engineering practices, it is also important to incorporate good hygiene with respect to identifying your application’s compliance violations during dev and test. This not only helps save time when a compliance auditor asks for help with reports for specific versions of your applications, but also avoids last minute scrambles and context-switches for your engineering teams. It’s a great complement to compliance tools like Vanta, Drata, OneTrust etc.

How does Deepfactor’s compliance module work?
Deepfactor maps security alerts from each of the four categories noted above (SBOM, SCA, DAST, Runtime) to compliance frameworks including SOC 2 Type 2, PCI DSS, and NIST 800-53. When a security alert includes one or more compliance violations, the specific sections of each compliance violation are provided for reference. This enables the engineering/security teams to understand and prioritize the alert based on both its security risk and its risk of violating a compliance framework.

Example: Report of SOC2 violations/risks for an application/container
With Deepfactor, in order to share the list of SOC2 violations/risks for a specific version of an application/container with your compliance auditor, the engineering lead can simply login to Deepfactor, select the version of their application/container, and download the list of alerts that will impact SOC2 for that container image/application and share.

What aspects of compliance does Deepfactor help with?
Compliance controls typically  encompass infrastructure, authorization & access, and applications. It’s important to note that Deepfactor reports compliance violations related to specific controls that belong to application vulnerabilities only. You will still need to complement this with other compliance controls necessary for your specific compliance framework

 

Correlation between runtime analysis, SCA, SBOM and other modules

What does the Deepfactor correlation engine do?
One of the most powerful elements of the Deepfactor platform is its correlation engine. The ability to analyze running applications and scan static containers are both useful individually. However, correlating between runtime analysis and static analysis can greatly help provide rich context to developers, reduce tool fatigue, and prioritize insights to reduce alert fatigue.

What are some clear examples of how the Deepfactor correlation engine can help improve my DevSecOps?

  1. Correlation between SCA & runtime analysis:
    Overlaying runtime use of libraries or dependencies on top of the full  list of CVEs present in dependencies/OS packages, can help prioritize which vulnerabilities to fix, based on actual runtime use.

  2. Correlation between SBOM & runtime analysis:
    Correlating static SBOM (full list of dependencies & OS packages) with runtime artifcats like listening ports, processes, outbound connections etc, can turn an SBOM into a dynamic SBOM. This can help better understand supply chain risks.
    Correlating SBOM with runtime information around which containers were launched by an application/in a Kubernetes namespace/with a set of labels/tags, can help group containers into applications. This can help automatically organize the inventory of containers into logical groups/teams, that is otherwise extremely hard/manual.

  3. Correlation between compliance and SCA
    Highlight the vulnerabilities in a dependency conveys the security risk in that dependency. Overlaying compliance risk on top of that by highlighting which section of SOC2 Type2 standard, that particular vulnerability or its duration of resolution, might impact, can give a much more holistic view to engineering leadership.

How does Deepfactor work?

The Deepfactor solution includes two components:

Deepfactor Runtime 

Available as CLI or Kubernetes webhook, the runtime scans container images and observes running applications, containers and kubernetes clusters, and sends telemetry data to the portal.

Without requiring host based agents or sidecars, the Deepfactor language-agnostic library loads into only the processes being observed within a container/pod, and collects the relevant telemetry in the user-space of the operating system. It’s lightweight, but yet semantically gathers richer data, and sends the data to the portal.

Deepfactor Portal

The portal analyzes the raw telemetry provided by the Deepfactor runtime and generates security insights for developers. Deepfactor identifies anomalies and security risks based on a robust customizable ruleset. It also enriches the data with evidence information such as CVE numbers, wherever possible, using third-party databases of known vulnerabilities. The Deepfactor portal can then be integrated with ticketing systems (Jira) to create tickets for developers to fix, messaging systems (Slack) to alert developers of a new vulnerability, and security dashboards to keep the application and product security teams updated that the current status of builds as they move through development and testing.

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.