The world of application security has a problem: too many tools and too much noise. It’s been obvious for some time that a unified platform needed to step in to not only centralize various sources of data, but also to contextualize various risks and help businesses prioritize their time spent fixing them. Traditionally, it’s been a real struggle for AppSec tools to keep up with the evolving application risk landscape.
This is where Apiiro comes in. AppSec teams leverage Apiiro for application and software supply chain risk visibility, prioritization, remediation, and measurement. They are defining the “ASPM” category – an acronym for Application Security Posture Management – by providing a more comprehensive understanding of the attack surface of modern cloud applications and using that knowledge to improve existing tools and processes such as threat modeling, penetration testing, and risk assessments.
One of the primary goals of ASPM is to systematically reduce the contextless backlogs for security teams that are constantly flooding in from various tools that are siloed. According to Idan Plotnik, CEO and Co-Founder of Apiiro, “Apiiro is setting the diamond standard for ASPM – combining deep application and risk context with an open platform approach.”
The open platform approach is critical here. The more sources of data – from code security tools like SAST and SCA to runtime security tools like CSPM and runtime API security – that Apiiro can centralize, the more optimization it can do. But an open platform approach is nothing without depth.
Contextualizing ingested findings with a depth of business and architectural knowledge is what helps teams assess and resolve “real” risks. Engineers need to prioritize vulnerabilities that are internet-exposed in production or API weaknesses handling sensitive data, but without deep context, it’s impossible to know where to focus.
The last key component of Apiiro’s approach is its developer-friendly, enterprise-grade ethos. By integrating with enterprise IT systems and developer tools in addition to any and all security tools, Apiiro provides the full-lifecycle visibility and automation needed at scale.
Key Integrations
Wiz – Oh CNAPP!
Wiz is a well-established cloud security company offering what’s known as a Cloud Native Application Protection Platform (CNAPP). Wiz scans every layer of runtime environments with their agentless approach, and those cloud security findings are then ingested by Apiiro.
Apiiro also ingests context from Wiz to enrich and prioritize code security findings based on likelihood (e.g. is a vulnerability internet-facing or deployed) and impact (e.g. is the vulnerability connected to API in the code that exposes sensitive data or in a high impact code repository) to save time triaging backlogs.
According to the press release announcing the recent partnership, the combined efforts of these two companies “help tie production vulnerabilities detected by Wiz to their root cause in application code and associated code owner in Apiiro to improve remediation cycle loops and fix critical risks at the source faster.”
Akamai – Secure the APIs
Akamai API Security provides a complete enterprise-wide view into customers’ API estate and leverages AI and behavioral analytics to prevent business logic attacks. On the Apiiro side, the company provides deep and continuous code analysis to inventory APIs, detect material changes to APIs, and surface weaknesses before they’re committed or deployed.
Together, this technical alliance unifies API risk visibility, prioritization, and remediation from code to runtime, empowering security teams to work collaboratively to reduce risk within this fast-growing attack surface.
Mend.io – Autopilot for AppSec
You may remember the company WhiteSource? Well, they’re now known as Mend.io and they are doing some very interesting things in the world of Software Composition Analysis (SCA). Referred to as the “gold standard” of open source security, they help the world’s largest organizations find and fix vulnerable open source dependencies, comply with license policies, and prevent malicious open source software from entering.
Apiiro ingests these open source vulnerability findings into its open ASPM platform to remove duplicates and help prioritize which open source vulnerabilities are the most critical.
Snyk – Developers love it
Snyk became the cool kid of the cybersecurity world by building a brand that software developers love and by fully embracing the shift-left movement. Since launching in 2015, the company has amassed millions of users and deserves a lot of credit for pioneering the bottom-up appeal of their offering that is atypical to security solutions.
By ingesting vulnerable dependencies that are identified by the Snyk Open Source product, all of the insecure images identified by Snyk Container, and all of the misconfigurations identified by Snyk Infrastructure as Code are ingested by Apiiro’s platform to reduce risk across the entire business.
GitHub – It’s where the code lives
Apiiro’s integrations with GitHub and other Source Control Management (SCM) systems enable the creation of a complete and continuous application and software supply chain inventory. By analyzing code and commit history, Apiiro is able to create a graph-based model of all components, contributors, changes, connections, and associated risks that serve as the foundation for contextualizing security findings.
The integration also provides a developer interface to monitor repositories and provide feedback via pull requests. That automation, coupled with Apiiro’s risk-based prioritization, means developers only get blocked or notified when real, business-critical risks are identified. Teams can also integrate GitHub Dependabot and CodeQL findings into Apiiro for deduplication, enrichment, and prioritization.
ServiceNow – Let’s talk enterprise
ServiceNow is a cloud‑based platform that offers myriad solutions that help digitize and unify organizations so that they can find smarter, faster, better ways to make work flow. Of particular interest in the world of cybersecurity is the ‘ServiceNow Vulnerability Response’ product that helps enterprises effectively manage their risk response. It connects vulnerability insights with enterprise IT workflows to provide a collaborative workspace to remediate risks. Through this new integration, Apiiro is bringing their ASPM to ServiceNow Vulnerability Response, bridging the gap between security, operations, and IT to unify contextual application risk prioritization and IT security response.
These are just six of dozens of key integrations that Apiiro leverages as data sources for its open platform and connects to throughout the development lifecycle. From talking to Apiiro, we know that many more partnerships from major companies across security, operations, and productivity tools are coming this year. Combining all of this data with Apiiro’s deep code context means that businesses will unlock a tremendous amount of insights that otherwise may have looked like an endless backlog.
