Deepfence, a cloud-native security observability platform used by companies such as Amyris, Flexport, and Harness, has open-sourced a tool that automatically finds, maps, and ranks software vulnerabilities across environments.
Founded in 2017, Deepfence focuses mainly on protecting cloud-native workloads, spanning serverless, Kubernetes, container, and multi-cloud deployments. With Kubernetes, for example, companies can deploy Deepfence to analyze network traffic, file-system integrity, running processes, and more, and it works natively with managed Kubernetes services including OpenShift, Google GKE, and Amazon EKS.
While Deepfence has always offered an enterprise edition alongside a community incarnation called ThreatMapper, the latter is being released under an open source license from tomorrow (October 14).
The announcement comes as software supply chain attacks explode, with "upstream" open source components often in the firing line. Numerous organizations, from government agencies to corporations, have been hit by targeted software supply chain attacks in the past year, leading President Biden to issue an executive order outlining measures to combat the threats, while "big tech" has also upped its investments in protecting critical open source software.
Secure the software supply chain
ThreatMapper essentially scans runtime environments for vulnerabilities across the software supply chain, helping companies contextualize known threats and prioritize the ones that need addressing most urgently.
At a time when many companies are "shifting left" by moving their security checks earlier in the development (pre-deployment) process, ThreatMapper acknowledges that vulnerabilities still very much exist in production software, and scans proprietary and third-party (e.g. open source) applications and components for vulnerabilities after deployment.
ThreatMapper is built on top of dozens of community feeds that are also used by other open source software security scanners on the market, including the National Vulnerability Database (NVD). It also draws on vulnerability databases from various vendors, operating system distributions, language maintainers, and GitHub repositories.
Deepfence initially launched ThreatMapper as a freemium, proprietary product last year, and in the intervening months the company has worked with "early adopters" from the developer security operations (DevSecOps) community to refine the product and make it fully open source.
"ThreatMapper has been a learning experience, as we considered how the technology would evolve, how it could be put to use, and what business model we could put in place to sustain it," Deepfence's head of products and community Owen Garrett told VentureBeat. "Open-sourcing the technology too early would have been a distraction and would have created external pressure while we iterated on different roadmaps and models."
While ThreatMapper will shortly be available under an Apache 2.0 license, Deepfence is also renaming its commercial enterprise product ThreatStryker. ThreatStryker is being transitioned into a runtime threat mitigation product that uses insights from ThreatMapper to model the "evolution of sophisticated attacks," providing advance warning of threats and taking action to block the source of an attack and quarantine any workload that has been compromised.
In the coming months, Deepfence is also planning to migrate some of the existing premium features over to the open source project, such as deep packet inspection (DPI) for network traffic and network and resource anomaly detection. It is also preparing to develop Deepfence into more of a platform by launching APIs that let developers integrate ThreatMapper insights into other applications.
"Experimenting in private, without open-sourcing the code too early, has allowed us to come up with a community and business model that we believe will serve the community very well," Garrett said.