introduction
The modern software supply chain represents an ever-evolving threat landscape, with each package added to the manifest introducing new attack vectors. To meet industry requirements, organizations must maintain a rapid development process while staying up to date with the latest security patches. However, in practice, developers often tackle a large amount of security work without clear prioritization and miss a significant portion of the attack surface altogether.
The main problem stems from the detection and prioritization methods used by traditional static code analysis (SCA) tools for vulnerabilities. These methods lack the organization-specific context needed to make an informed scoring decision: the score, while critical, may not be Actually be critical to an organization because its infrastructure operates in a unique way, influencing the actual impact the vulnerability could have.
In other words, because these tools depend on a relatively naive methodology to determine the risk of a vulnerability, they end up resulting in mostly irrelevant vulnerability scores, making it much more difficult to determine which vulnerabilities to address first.
They also do not face many supply chain attacks, such as typosquatting, malicious code injection, CI/CD attacks, etc. This oversight misleads Application Security (AppSec) teams and developers to focus on less critical issues, thereby delaying the development process and leaving the organization vulnerable to significant attack vectors.
Myrror Security develops innovative solutions to these challenges by revolutionizing how organizations detect, prioritize and resolve supply chain risks. Myrror’s platform ensures that AppSec and engineering teams tackle the right problems at the right time using binary-to-source analysis for every third-party package in the code base. Unlike traditional SCA tools that evaluate impact using version-level detection in manifest files, Myrror uses a proprietary reachability vulnerability analysis algorithm. This algorithm identifies which vulnerabilities are actually reachable in production, thus allowing Myrror to prioritize security issues accurately.
This platform review will walk you through the entire Myrror user journey, from initial SCM integration to remediation plan generator, and provide a concise overview of the innovations Myrror Security introduces to prevent alert fatigue, enable your organization to work more effectively and protect it from the threats of the modern software supply chain. To get a personalized demo, visit their website here.
Getting started and setup
Myrror is designed for easy installation onto your organization’s existing source code management platform. When Myrror is connected to your SCM, it begins a process of discovering your organization’s dependencies. The organization can then select specific repositories for active vulnerability and supply chain attack scanning, providing a prioritized overview of identified risks.
The Discovery section
This section helps you take stock of the supply chain risk associated with your codebase and determine the actual threat landscape you are exposed to from your open source dependencies.
The Repositories tab shows all issues in each monitored repository and lets you choose which to monitor and which to ignore. This will allow you to remove some noise associated with repositories that are not in active use, will soon be deprecated, or are simply irrelevant. This tab acts as your control panel over all your repositories. Complete the issues screen by directing you to the most at-risk archives, allowing a “bird’s eye” view of threats at the project or application level.
The Dependencies tab aggregates every open source dependency in your code base and creates a graph of all the repositories where each is used. This key overview helps you get a complete picture of the open source libraries your organization relies on. Despite the immense increase in open source repositories in virtually every software project, organizations have no control over external dependencies; Taking inventory of what’s being used in the code is the first step in checking what’s happening.
The mirror dashboard
Once the installation is complete and the user chooses the repositories to scan, the Myrror dashboard is populated with information about the repositories, their dependencies, and the issues they contain. When the user chooses to monitor additional repositories or connect more SCM sources, the dashboard is automatically updated with more information about the new codebases.
The dashboard provides high-level insights into issues across your organization’s entire set of codebases, including:
- Tracking status
- Problems by category
- Dependencies with safe state
- The riskiest repository
- Problems by code language,
- Status of repair
- Exhausted data dependencies
- And more
These charts and graphs generate a detailed and comprehensive overview, providing organizations with clear information on the areas that require the most work. Note the repository filter at the top right: this allows specific teams to get precise information about their work and the repositories they are responsible for and export only the data that is relevant to them.
The problems screen
This is the heart of the Myrror Security platform. Here, all your issues are prioritized and marked based on their actual severity, reachability, and exploitability for a clear understanding of what to tackle next. Various parameters are organized into columns, offering deeper insights into each specific issue.
Among these parameters, the reachability column distinguishes Myrror from traditional SCA platforms. Evaluate whether the issue is actually reachable in production, what factors drive prioritization, ensuring reachable vulnerabilities can be addressed first.
But the platform doesn’t just prioritize vulnerabilities based on reachability: It also considers whether it’s a direct or indirect dependency, whether a workaround is available to fix the issue, and whether an exploit has been confirmed to exist in the wild . All these parameters help the platform prioritize issues accurately and reliably.
You can see all of the following information about each vulnerability:
- Severity (taking into account all the above factors)
- Origin
- Reachability
- Dependency files
- Category – Supply Chain Vulnerability/Attack (more information in the Supply Chain Attack Detection section)
- Take advantage of availability
- Fix availability
- Dependency relationship
- Seen for the first time
- Original commitment
Filters (including a repository filter) are available here as well, along with an option to export the table and download insights for reporting. This helps security teams maintain records in local storage and generate internal audit reports. These reports, emailed to the user, contain comprehensive information directly from the platform that can be shared with other team members and stakeholders.
Please note that there are 3 different tabs available on this screen:
- The “All” tab contains all issues combined, providing data insights into a single page about the overall supply chain threat landscape, including vulnerabilities and attacks.
- The “recommended” tab contains specific issues recommended for resolution based on severity and reachability – essentially the “go-to” pane when deciding what to tackle first.
- Finally, the “Low Risk” tab has issues you can address later.
Each issue also has its own in-depth analysis, with insights into the impact, scope and origin of the issues shown on a single screen. This detailed overview provides external links to the CVE to learn more, as well as information on affected repositories and a concrete remediation plan to ensure rapid action can be taken on each issue.
The main tabs available on this screen are:
- Details: A primary overview of the supply chain vulnerability or attack
- Affected Repositories: A list of all repositories that depend on this package, allowing you to “connect the dots” across the entire monitored codebase
- Remediation plan: Myrror calculates the optimal remediation path, ensuring that the fewest newly introduced vulnerabilities end up in the codebase once the remediation process is complete
- Attack overview (see next section for more details)
Supply chain attack detection
Please note that Myrror doesn’t just detect vulnerabilities, it also detects various forms of supply chain attacks, including but not limited to:
- Typosquatting
- Dependency confusion
- Malicious code in repository/code injection
- CI/CD connection
When it detects such attacks, the detection mechanism and remediation plan may not be as simple as regular vulnerabilities. In these cases, Myrror will show a more in-depth analysis of the attack, allowing professionals to understand the situation and pinpoint the concrete link in the chain that is at fault. See below for an example of Myrror’s analysis of a code injection attack:
The repair plan generator
Planning remediation efforts typically requires understanding new threats introduced during patching. In most cases, applying a patch results in a new set of vulnerabilities due to the new dependencies (and their transitive dependencies) introduced.
For each monitored repository, Myrror simplifies the troubleshooting process by automatically calculating the number of fixes available for all issues, how many new vulnerabilities will be introduced during the remediation process, and how many issues will remain at the end.
Conclusion
AppSec teams today suffer from profound alert fatigue, caused by an overwhelming amount of security issues and a lack of clear prioritization of what to work on first. Furthermore, most teams are completely unaware of the supply chain attacks they are exposed to and have no clear path to detect them or offer appropriate solutions.
Myrror’s reachability-based prioritization offers a way out of vulnerability hell. At the same time, their binary-to-source analysis mechanism enables the detection of more than just vulnerabilities and helps defend against a variety of supply chain attacks.
You can book a demo to find out more on their website here.