AppOmni has made available an open source tool that automatically scans pull requests (PRs) to flag risky or newly published dependencies before they are merged.
Dubbed Heisenberg, the tool can also be used to generate a software bill of materials (SBOM), which makes it easier to discover dependencies as code is being written.
Yevhen Grinman, lead product security engineer at AppOmni, said the company's software engineering team developed Heisenberg to secure the code behind its own platform for securing software-as-a-service (SaaS) applications. It was built as a lightweight tool that focuses on what changed in the PR rather than rescanning the entire codebase every time.
Designed to be invoked either via a command line interface (CLI) or embedded into a GitHub Action workflow, Heisenberg makes it simpler for DevSecOps teams to enforce best practices using a tool that is readily accessible within their preferred JavaScript, Python or Go workflows, he added.
Additionally, the ability to create an SBOM from live data in the development environment lets application developers move beyond static SBOMs, which are more often than not out of date, noted Grinman. Heisenberg instead provides application developers with what amounts to an instrument panel for keeping track of dependencies within a DevOps workflow, he added.
Named after the alias adopted by Walter White, the lead character in the television series Breaking Bad, the tool promises a simple way to keep track of the ingredients that make up any software package.
The overall goal is to prevent application security issues from occurring in the first place and, when they do occur, to make it simpler to rely on an SBOM to pinpoint exactly where the affected software packages are being used.

Despite years of effort, adoption of DevSecOps best practices remains uneven. Most application developers are far more focused on building new features than on security checks. As a result, the number of known vulnerabilities making their way into production environments remains stubbornly high, an issue that is only being exacerbated by the rise of artificial intelligence (AI) coding tools that generate vulnerable code at a much larger scale.
In theory, the easier it is for application developers to do the right thing for application security, the lower the odds that known vulnerabilities are passed along to production environments. Unfortunately, many of the legacy security tools provided to application developers take too long to run. They also tend to generate too many false positives, which distract application developers from the task at hand.
Of course, ignoring security alerts only increases the probability that code will be rejected when it is reviewed by software engineers. Once that occurs, bypassing security to meet a deadline becomes self-defeating. The challenge, and the opportunity, is to strike a balance between a tool that surfaces relevant findings when they are needed and tools that, while arguably providing deeper insight, produce more analysis than most developers can process.

