UPDATED 13:20 EDT / JUNE 06 2024

SECURITY

AppSec platform Backslash unveils enterprise-grade security updates for its ‘reachability’ tools

Israeli application security startup Backslash Security Inc. today announced a large number of updates to its platform that will enhance “reachability,” or attackability, analysis and security for the enterprise across the full application development lifecycle.

New features include on-premises integrations, security team workflow integrations and automation features, continuous integration and deployment features for DevOps teams and broadened language support for developers. With these new capabilities, Backslash will allow developers, security and operations to work more tightly during application and development lifecycles to catch issues before they become problems.

Backslash combines toolsets of software composition analysis and static application security along with vulnerability exploitability exchange and secrets detection to replace outdated legacy practices and tools. Its tools allow developers and security teams to understand concealed risks and prioritize those with the highest likelihood of becoming real-world problems based on their real-world impact. Catching vulnerabilities and issues in code early can prevent major headaches, leaks or massive catastrophes after applications are deployed.

“Backslash enables enterprises to prioritize truly critical code risks and facilitate trust among the many teams and stakeholders within the software development lifecycle,” said Yossi Pik, co-founder and chief technology officer at Backslash.

With this update, Backslash now offers integrations with GitHub Enterprise On-Premises, Enterprise Server, GitLab On-Premises and Bitbucket On-Premises, which will give development teams access to code repositories directly on-prem with the security tools. Developers will also get better support for common languages including C, C++, Ruby, Rust and Scala, including third-party libraries and dependencies. The company also added new role-based access control that will allow large enterprises and security teams to control access and manage the platform for varied user bases across their organizations.

Automation controls added to Backslash will allow users to build security workflows and generate tickets in collaboration platforms including Jira, Monday.com, ServiceNow, Slack and Microsoft Teams. For DevOps teams, support for CI/CD pipelines will allow the integration of DevSecOps practices with GitLab Pipelines, GitHub Actions and Azure Pipelines, which will allow code request scanning and prevent new issues from being introduced during automated code development and deployment phases.

Reachability analysis improvements will help users discover what Backslash calls “phantom packages,” which are software packages not defined or directly governed by an app developer but introduced in a transitive way, thus escaping easy discovery, inspection and control. As a result, they can create unexpected behavior and vulnerabilities. With this analysis, developers can discover which packages are reachable and therefore exploitable, allowing them to prioritize fixes.

The analysis dashboard also has a new user interface with features that assist with reachability evidence to highlight code references for each reachable path.

“There are two core elements that make AppSec teams successful – one is cutting through the noise to prioritize truly reachable and exploitable vulnerabilities; the other is building confidence with our developers to trust that the risks we flag are real, and worth their effort to investigate and fix,” said Yossi Pik, head of security and compliance at Capital Rx Inc., a pharmacy benefits management company. “Backslash’s focus on reachability analysis enables us to achieve both.”

Images: Backslash Security
