New Lacework features provide full visibility through the application development lifecycle
Cloud security company Lacework Inc. today announced the addition of new code security features that provide Lacework customers full visibility throughout the complete application development lifecycle.
Lacework’s new code security features have been designed to prevent security issues from being exposed in the wild by identifying them before the code is deployed. The service also assists in prioritizing and fixing problems faster, wherever they are found in the application lifecycle.
The release reflects Lacework’s belief that the best way to achieve security outcomes with speed is through continuous visibility and context, including knowing where every software package is running and being able to capture and correlate data across the application lifecycle. The company claims the approach makes security teams more efficient by eliminating the need to stitch together data and findings from different sources, consolidating them into fewer tools that deliver higher value.
The release introduces two new forms of static program analysis: Software Composition Analysis and Static Application Security Testing.
Software Composition Analysis gives customers continuous visibility into third-party software libraries and associated vulnerabilities, including direct and indirect dependencies. The approach goes beyond basic SCA functionality and gives teams constant visibility into exactly where vulnerable functions are used in the code, including how often each is referenced, who was responsible for bringing it in and who owns fixing the code. Customers gain an always-up-to-date software bill of materials for every application, continual visibility into their software supply chain and an understanding of open-source license risk, according to the company.
With SCA as part of the Lacework platform, customers can track a vulnerable package’s entire lifecycle, including its use in source code and its activity within any cloud-native workload. The active vulnerability detection is accomplished using an extension of the Lacework runtime agent known as Code Aware Agent.
Static Application Security Testing complements SCA to provide comprehensive code security capabilities to help organizations understand how first-party code could be exploited. SAST identifies source-code weaknesses in in-house code that attackers could use to bypass security controls, run malicious commands or exfiltrate sensitive data. The tool provides customers with an automated and intuitive secure code review that is easily actionable by entry-level and senior security analysts.
SAST also gives application security engineers visibility into complex vulnerabilities within their most exposed internet-facing applications. Lacework provides an in-depth model of each application, tracking the path of untrusted data to detect and remove zero-day or yet-unpatched vulnerabilities that could result in dangerous exploits such as SQL injection.