New product offering extends Deep Code Analysis (DCA) to streamline software risk prioritization, remediation, and prevention with autonomous code-to-runtime mapping
Apiiro, the leading application security posture management (ASPM) platform, today introduced Code-to-Runtime, a new, innovative capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact. Code-to-Runtime is seamless and agentless, requiring only API-based integration to Source Code Management (SCM) and runtime environments without the need for manual tagging, labeling, or other methods. With deeper insight into software architecture, users can now deliver actionable insights to the right developer, making risk prioritization, remediation, and prevention more efficient.
Also Read: CIO Influence Interview with Eric Olden, CEO and Co-founder of Strata Identity
Application security (AppSec) and software development teams allocate valuable time and resources to tracing issues raised by runtime scanners back to the software development and/or DevOps owners. While automated methods can be implemented in an attempt to streamline this process, developers and/or DevOps still need to manually add tags and labels to CI/CD pipelines or use specific naming conventions to identify how code is being deployed. This process requires ongoing education and the addition of automation flows to ensure the chosen method is effectively at use, reducing cost and risks.
With autonomous Code-to-Runtime mapping, Apiiro automatically performs a deep code analysis on code repositories to identify all types of code components including APIs, OSS dependencies, code modules, DataModels, and more. In addition, it analyzes container images and identifies similarities with no setup or intervention required. With Code-to-Runtime, customers can now:
- Streamline risk prioritization and remediation: Prioritize risks detected at the development phase with runtime context and remediate risks detected in runtime with enriched code context. Apiiro provides insight into where code components or toxic combinations of risky code components are deployed using agentless, API-based integrations in customer Kubernetes clusters or CSPM vendors to identify internet exposure. This connection enriches runtime risks with code context including the code owner and locations within code where the vulnerability needs to be addressed to enable successful remediation. This provides AppSec engineers and software developers with the deepest insights into software architecture and full exposure paths including related pipelines that build and deploy the code repository or code module.
- Reduce friction between AppSec, GRC, and development teams: AppSec solutions on the market today don’t have a deep enough understanding of software architectures from code-to-runtime that enables developers to effectively deliver software to production. Apiiro’s deep code analysis (DCA) combined with its Risk Graph engine implements guardrail at the design, development, and delivery phases, eliminating time developers are blocked by silo application security tools or other ASPM platforms by 85%.
- Reduce alert fatigue: Correlate and group different versions of the same container image to create a single risk for a vulnerability detected in multiple versions. Apiiro also correlates between the container risk and the code risk found by software composition analysis (SCA) scanners.
- Gain single pane of glass into Artifact inventories: Achieve complete visibility into complex software architecture with a single, risk-based pane of glass view. Apiiro deduplicates Artifact inventories by pulling information from security tools running in continuous integration, registries, and deployed containers. Information is then correlated with deployment insights from Kubernetes clusters and/or CSPMs to deduplicate and enrich with relevant code context.
“Apiiro’s code-level API inventory and security seamlessly complement Akamai’s runtime API security, creating an end-to-end approach that spans from development to production,” said Patrick Sullivan, chief technology officer, security at Akamai. “With Apiiro’s code-to-runtime matching, we can connect runtime API risks directly back to the code and its owners, allowing us to streamline remediation and reduce Mean Time to Remediate (MTTR). This collaboration gives us a comprehensive view of our API landscape and ensures we focus on critical risks, maximizing efficiency and security and reducing costs across the entire lifecycle of our applications.”
“Apiiro’s new code-to-runtime matching feature brings critical runtime risks into direct context with the code itself, offering valuable insights on where vulnerabilities may need attention and who should address them,” said James Brierley, senior security researcher at GEOTAB. “This approach is a game-changer for prioritization, showing if a vulnerability exists in code actively used in production—allowing us to focus on the most pressing risks first. By integrating deep code-based matching, we’re poised to streamline our process and save resources by connecting runtime issues directly to the right teams.”
“Apiiro is committed to enabling autonomous security across the entire software development lifecycle, and true code-to-runtime matching goes beyond containers and cloud environments,” said Moti Gindi, chief product officer at Apiiro. “Our platform understands that not every code component is relevant to what’s running in production and not every runtime component is relevant to the codebase or person responsible for it. Code-to-Runtime delivers the level of precision required to gather meaningful insights and prevent the influx of false positives that plague other solutions on the market. As evidenced by our partnership with Akamai earlier this year, we’re delivering a holistic approach, matching APIs in code to API endpoints in runtime. This not only enhances overall application security, it enables teams to focus on the most critical issues to foster a more secure and efficient development lifecycle.”
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
