
Securing the Supply Chain with Arnica’s Real-Time, Code-Risk Scanning Tools


Software supply chain security provider Arnica has added real-time scanning tools to its code-security suite, covering static application security testing (SAST), infrastructure as code (IaC) scanning, software composition analysis (SCA), and third-party package reputation checks. With these updates, the company claims to provide a comprehensive security solution that identifies and prevents the introduction of code risks in real time, using a pipeline-less approach.

Arnica has implemented a pipeline-less security approach, meaning that every source code repository event is evaluated as developers make code changes. Developers can therefore address known vulnerabilities without their fixes first having to pass through a build and test pipeline. The company positions this as more powerful than traditional solutions integrated into CI/CD pipelines, because 100% of repositories are monitored and feedback is routed directly to developers in a blameless and shameless way.

Arnica’s scheduled code risk scans are available in a free plan with no limit on the number of users. The real-time scans require a paid business plan, whose pricing is tiered by the features used, per user identity per month.

Arnica’s attempt to consolidate code-security tools matters because siloed security workflows, which slow down the development process, remain a significant challenge in cybersecurity. For example, integrated development environment (IDE) plugins surface potential risks during the developer’s workflow, but maintaining them across different devices is difficult, and they give security teams restricted visibility. CI/CD pipeline scanners, on the other hand, give security teams consolidated risk lists, but their coverage is limited and they lack the context needed to identify the individual responsible for taking action.

The lack of a comprehensive, unified system makes complete coverage hard to achieve. Arnica’s new offerings, including SAST, SCA, IaC scanning, and third-party package reputation checks, are delivered as real-time code risk identification and mitigation capabilities. Arnica uses native integrations with source code management systems and communication tools to detect and respond to risks as and when a developer pushes code.

Arnica’s context-based vulnerability alert is designed to give developers enough information to make an informed fix or dismiss the alert. All unresolved vulnerabilities are also reflected in the pull request, the code change review step. Companies can also create policies around the alerts to enforce fixes and ensure that developers clean up problematic code before vulnerabilities are pushed out.
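To make the pipeline-less model described above concrete, here is an added example (not Arnica’s code) of an evaluator that inspects a repository push event directly, ties each finding to the commit author, and applies a pull-request policy to the findings the developer has not dismissed. The event shape, the IaC and SAST rules, the package denylist, severities and the policy threshold are all assumptions made for the example.

```python
# Added example, not Arnica's code: a minimal "pipeline-less" evaluator that
# inspects a repository push event directly instead of running inside CI.
# Event shape, rules, severities, package list and policy are assumptions.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path rule severity author")

# Illustrative rules (assumed): one IaC misconfiguration, one SAST pattern.
IAC_RULES = [("s3-public-acl", re.compile(r'acl\s*=\s*"public-read"'), "high")]
SAST_RULES = [("hardcoded-secret", re.compile(r'(?i)(password|secret)\s*=\s*"[^"]+"'), "high")]
UNTRUSTED_PACKAGES = {"totally-not-malware"}  # assumed reputation denylist

def evaluate_push(event: dict) -> list:
    # Every commit in the event is evaluated as it lands; feedback is tied to
    # the commit author rather than to a later CI run.
    findings = []
    for commit in event["commits"]:
        author = commit["author"]
        for path, content in commit["files"].items():
            rules = IAC_RULES if path.endswith(".tf") else SAST_RULES
            for rule, pattern, sev in rules:
                if pattern.search(content):
                    findings.append(Finding(path, rule, sev, author))
            if path == "requirements.txt":  # third-party package reputation check
                for line in content.splitlines():
                    if line.split("==")[0].strip() in UNTRUSTED_PACKAGES:
                        findings.append(Finding(path, "package-reputation", "high", author))
    return findings

def pr_decision(findings: list, dismissed: set, block_on: str = "high") -> dict:
    # Policy: findings the developer has not dismissed are surfaced on the PR,
    # and any unresolved finding at severity block_on blocks the merge.
    unresolved = [f for f in findings if f"{f.path}:{f.rule}" not in dismissed]
    return {"blocked": any(f.severity == block_on for f in unresolved),
            "unresolved": [f"{f.path}:{f.rule}" for f in unresolved]}

SAMPLE_EVENT = {"commits": [{  # constructed push payload
    "author": "dev@example.com",
    "files": {
        "infra/bucket.tf": 'resource "aws_s3_bucket_acl" "b" {\n  acl = "public-read"\n}\n',
        "app/config.py": 'DB_PASSWORD = "hunter2"\nTIMEOUT = 30\n',
        "requirements.txt": "requests==2.31.0\ntotally-not-malware==1.0\n",
    },
}]}

if __name__ == "__main__":
    found = evaluate_push(SAMPLE_EVENT)
    print(found)
    print(pr_decision(found, dismissed={"app/config.py:hardcoded-secret"}))
```

Dismissing a finding removes it from the pull request, but the policy still blocks the merge while any undismissed high-severity finding remains.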

Arnica’s integrations include source code management systems such as GitHub and Azure DevOps, and communication tools such as Slack and Microsoft Teams. The real-time focus centres on integration into the developer toolset, letting developers iterate quickly instead of returning to fix issues later, which is a significant benefit for developer speed.

Story Tweedie-Yates, Head of Product Marketing at Kubernetes security company KSOC, appreciates Arnica’s effort at consolidating code security for various types of applications, saying, “It is very helpful to have a tool that can deal with the legacy as well as new applications all under one roof.” She went on to say, “Today’s organizations most often have a mix of applications; those that are brand new and generally built with cloud-native tooling, and those that are ‘legacy’ and still run on-premises. The legacy applications are more often than not custom applications, built before the time when open source started making it possible for developers to assemble applications from various open-source languages and tools. The brand-new applications are much more likely to be assembled versus customized. Technologies like SAST, Dynamic AST, Interactive AST, are more important for custom applications; the legacy applications. Technologies like SCA, IaC scanning are more important for the newer applications.”

Arnica’s move to consolidate code security tools is intended to speed up the development process while providing complete coverage of all repositories’ code. Looking ahead, Arnica’s real-time scanning tools are likely to keep appealing to developers by giving them the ability to identify and prevent code risks in real time.
