The new CVSS v4 specification is out. CVSS, the Common Vulnerability Scoring System, is the severity score used by vulnerability databases like the National Vulnerability Database (NVD) and the Open Source Vulnerabilities (OSV) database. EdgeBit uses both of these databases as inputs to the security platform and we’re excited about CVSS v4.
Why care about any of these specs or their changes?
Incorrect prioritization can leave open a gap that attackers are utilizing.
EdgeBit’s October release brings new tools for security teams to optimize their vulnerability management workflows:
- SLA tracking with customizable policies per Project
- Automatic VEX report generation per Component
- Expanded GitHub integration for a better PR experience
- New Jira integration for plugging into existing security workflows

We previously announced expanded tracking for OS vulnerabilities and recently used it to reverse engineer GKE and EKS patching practices. It is very cool to see Google and Amazon prioritizing fixes using the same methodology as EdgeBit.
A security scanner detects 73 vulnerabilities. If all of the CVEs correspond to dormant code…how many security issues do you have to fix…0 or 73?
I’d argue that it’s in the middle — you now have 73 low priority issues to fix.
This post will reverse engineer the patching practices of Amazon and Google for Kubernetes nodes and show how they seem to agree with the practice of deprioritizing vulnerabilities in dormant code.
Since joining EdgeBit, I’ve had the opportunity to get acquainted with eBPF, or simply BPF, and I thought I’d share my experience with it. Generally speaking, there are a few sharp corners but the capabilities it provides are quite impressive.
Tracing the running kernel with simple BPF hooks feels like a super power, and it’s invaluable when trying to follow the flow of logic when reading the kernel source code.
Akul Gupta is a Computer Science student at The University of Illinois Urbana-Champaign and joined EdgeBit for a software engineering internship. EdgeBit interns exercise engineering skills and software design on real world problems in EdgeBit’s software supply chain security platform. Akul breaks down a few of his projects in this post.
At EdgeBit, we’re always striving to push the boundaries of what’s possible in the realm of cybersecurity. Our latest achievement?
Generative AI and more traditional machine learning unlock huge potential but also bring sprawling ecosystems of dependencies with them.
Many of these projects are extremely fast moving, and with layers of transitive dependencies, it’s hard to keep up.
ChatGPT application
I recently loaded up a sample OpenAI application from reflex.dev into EdgeBit. The app embeds a simple ChatGPT interface using the reflex tool. Reflex is a toolkit for making full-stack web apps in Python; frontend included.
Many of the popular SBOM formats are JSON-based, but merging two SBOMs together with standard JSON tools does not work well. For example, the generic jq merge recipes you find on the web (such as `jq -s add`) do not work with SBOMs: they merge the two documents key by key, so the second file’s `components` array replaces the first one’s instead of being concatenated and de-duplicated.
To save you a bit of researching, below is an extremely simple Bash script that combines two SBOMs and returns the output so it can be piped into another file.
Platforms like EdgeBit can help you manage SBOMs, but sometimes you need a simple tool for quick investigation.
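The post’s own Bash script is not reproduced on this page. As an added example (not the post’s script and not EdgeBit code), here is the same merge in Python for CycloneDX JSON: components are concatenated and de-duplicated on a stable identity (purl, falling back to bom-ref or name@version) and the dependency graph is unioned. Both input SBOMs are constructed samples; `jq_style_add` is included only to show what the naive key-wise merge loses.

```python
"""Merge two CycloneDX JSON SBOMs (added example, not the post's Bash script).

`jq -s add` merges the two top-level objects key by key, so the second
document's `components` array simply replaces the first one's. A usable
merge has to concatenate the component lists, de-duplicate them on a
stable identity and union the dependency graph.
"""
import copy
import json

# Constructed sample SBOM: an app depending on requests -> urllib3.
SBOM_A = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0",
         "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.0.4",
         "name": "urllib3", "version": "2.0.4",
         "purl": "pkg:pypi/urllib3@2.0.4"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.0.4"]},
    ],
}

# Constructed sample SBOM from a second scanner: overlaps on urllib3.
SBOM_B = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.0.4",
         "name": "urllib3", "version": "2.0.4",
         "purl": "pkg:pypi/urllib3@2.0.4"},
        {"type": "library", "bom-ref": "pkg:pypi/certifi@2023.7.22",
         "name": "certifi", "version": "2023.7.22",
         "purl": "pkg:pypi/certifi@2023.7.22"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/certifi@2023.7.22"]},
    ],
}


def component_key(component: dict) -> str:
    """Stable identity for de-duplication: purl, else bom-ref, else name@version."""
    return (component.get("purl")
            or component.get("bom-ref")
            or f"{component.get('name')}@{component.get('version')}")


def merge_sboms(a: dict, b: dict) -> dict:
    """Return a new CycloneDX document containing the union of a and b."""
    if a.get("bomFormat") != "CycloneDX" or b.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX documents are supported")
    merged = copy.deepcopy(a)

    # Concatenate components, keeping the first occurrence of each identity.
    seen = {component_key(c) for c in merged.get("components", [])}
    for c in b.get("components", []):
        key = component_key(c)
        if key not in seen:
            seen.add(key)
            merged.setdefault("components", []).append(copy.deepcopy(c))

    # Union the dependency graph: one entry per ref, dependsOn merged as a set.
    graph = {}  # ref -> set of refs it depends on
    for doc in (a, b):
        for dep in doc.get("dependencies", []):
            graph.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    merged["dependencies"] = [
        {"ref": ref, "dependsOn": sorted(targets)}
        for ref, targets in sorted(graph.items())
    ]
    return merged


def jq_style_add(a: dict, b: dict) -> dict:
    """What `jq -s add` does: shallow key-wise merge, right-hand side wins."""
    return {**a, **b}


if __name__ == "__main__":
    print(json.dumps(merge_sboms(SBOM_A, SBOM_B), indent=2))
```

The naive merge keeps only SBOM_B’s two components and drops `requests` entirely; the real merge yields three components and a single `requests` dependency entry listing both `certifi` and `urllib3`. For SPDX documents the same idea applies, but the identity field is `SPDXID` and relationships replace `dependencies`.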
I joined Brian Gracely on episode 710 of the Cloudcast to discuss SBOMs, supply chain security and cloud-native security.
Here’s a quick breakdown of the topics we covered, starting at 4:45.
Starting EdgeBit
Welcome to the show Rob. Tell us a little bit about your background and what led you to start EdgeBit.
I’m founder and CEO of EdgeBit and we’re building a software supply chain security platform. But my background is in kind of cloud infrastructure and containers.
Today we are excited to introduce a set of features that allow software engineers to view an enriched history – a stream of SBOMs – for each component of their stack.
Companies that fall under FDA, NIST, or PCI v3 regulations, or sell to the Federal government must comply with software supply chain regulations. The meat of these regulations is to provide software bills of materials (SBOMs) and vulnerability disclosure reports (VDRs) as part of your software sales process or medical device certification.
New FDA requirements go into effect October 1, 2023 for all new premarket submissions of medical devices. Let’s break down what they are and how software companies can meet them.
Cybersecurity Requirements
These changes were passed into law on December 29, 2022 in the 2023 “Omnibus” budget. Section 3305 of the Omnibus added a section called “Ensuring Cybersecurity of Medical Devices” to the FDA’s charter. Here’s a preview of the requirements:
A comprehensive security posture is built on successful vulnerability management. The firehose of security issues is coming whether you like it or not. Successful programs must cut through the noise. The teams at Lyft (blog) and Elastic (blog) have both recently shared details about how they prioritize and remediate CVEs.
They both share a common trait that is so critical we built EdgeBit around it — context about how your software is executing right now is the most effective filter to ensure engineering teams focus on real threats.
EdgeBit’s May release expands our previously announced ability to deploy through Kubernetes and connect your Kubernetes workloads back to supply chain artifacts in your build pipelines.
Civo Kubernetes
Civo Kubernetes comes in two flavors, one using k3s with Alpine Linux and one using Talos Linux. The EdgeBit Linux agent has been tuned to some of the differences between k3s and mainstream Kubernetes.
Our engineering team worked with the Civo team to streamline Alpine configuration of fanotify, eBPF and BTF (BPF Type Format, the compact type metadata describing the running kernel that portable BPF programs rely on to locate kernel structures).
Today we are excited to announce support for Kubernetes within EdgeBit, enabling companies to gain easy insights into software vulnerabilities within their clusters in addition to their cloud machines and bare metal servers.
DaemonSet Based Agent Deployment
Deploying the EdgeBit agent on Kubernetes clusters is now as easy as a `kubectl apply` of the manifest.
By deploying the agent as a DaemonSet, administrators can use the standard Kubernetes tooling and avoid installing it directly on each host via a tarball or a package manager.
We’ve heard people say that the only way to fix the vulnerability firehose is with automatic patching. Automating the vulnerability management process is certainly key but the complete fire-and-forget approach is fraught with problems.
In this post, we’ll explore why it’s not as simple as enabling Dependabot.
Fully automated = win?
Scanning a code repository for dependencies and the associated vulnerabilities is the first step in the process. There are many tools available today that are capable of this task.
EdgeBit’s mid-March release adds multi-arch support to the EdgeBit Linux agent so you can cover your entire x86 and ARM64-based fleet and expanded container runtime support.
ARM64 Architecture
Performance and price trade-offs make ARM instances in the cloud a popular choice for some workloads, and now EdgeBit supports these machines with v0.2.0 of the Linux agent.
The agent quick install script will now detect and use the correct architecture. RPM and Deb packages are also updated for each architecture.
You’ve likely heard of an SBOM – a software bill of materials. It’s an accounting of the libraries and dependencies in your application.
You might be aware of its two companions:
- Vulnerability Disclosure Report (VDR)
- Vulnerability Exploitability eXchange (VEX)

Let’s learn what each of these are and how they keep our supply chains secure.
What is a Vulnerability Disclosure Report?
NIST’s Software Supply Chain Security guidance covers “(ix) attesting to conformity with secure software development practices;” and provides further guidance on how to accomplish that with a Vulnerability Disclosure Report.
Today I want to discuss a new concept: the real-time software bill of materials (SBOM). A real-time SBOM is an inventory of a live server, with a filter for packages and libraries that are active and running.
EdgeBit is a tool to secure your software supply chain that focuses on code that is actually running. This simplifies vulnerability management as it cuts through noise. The real-time SBOM is the brains behind the noise reduction.
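To make the real-time SBOM idea concrete, and to answer the “0 or 73?” question above in code, here is an added example (not EdgeBit’s agent). The agent described on this page observes file activity with fanotify and eBPF; that feed is replaced with a constructed list of opened/executed paths, and package file ownership (the kind of data `dpkg -L` or `rpm -ql` give) is also constructed. Finding identifiers are placeholders, not real CVEs. Findings in packages that were never touched are kept but demoted rather than dropped.

```python
"""Real-time SBOM: reduce an installed-package inventory to what the host
actually loaded, then rank findings (added example; not EdgeBit code).
"""
from dataclasses import dataclass

# Constructed: files owned by each installed package (like `dpkg -L <pkg>`).
PACKAGE_FILES = {
    "libssl3": ["/usr/lib/x86_64-linux-gnu/libssl.so.3",
                "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"],
    "libxml2": ["/usr/lib/x86_64-linux-gnu/libxml2.so.2"],
    "curl": ["/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4"],
    "imagemagick": ["/usr/bin/convert",
                    "/usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6"],
}

# Constructed findings: package -> [(placeholder id, CVSS base score)].
FINDINGS = {
    "libssl3": [("EXAMPLE-0001", 7.5)],
    "libxml2": [("EXAMPLE-0002", 9.8)],
    "curl": [("EXAMPLE-0003", 5.3)],
    "imagemagick": [("EXAMPLE-0004", 9.1), ("EXAMPLE-0005", 6.5)],
}

# Constructed stand-in for fanotify/eBPF events: paths the workload opened or executed.
OBSERVED_PATHS = [
    "/usr/bin/curl",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
    "/app/vendor/libfoo.so",  # vendored library, not owned by any package
]


@dataclass
class Finding:
    cve: str
    package: str
    cvss: float
    active: bool  # True if the owning package had a file loaded at run time


def file_owner_index(package_files):
    """Invert package -> files into file -> package for O(1) lookups."""
    return {path: pkg for pkg, paths in package_files.items() for path in paths}


def active_packages(observed_paths, package_files):
    """Split observed paths into packages that were used and paths nobody owns.

    Unowned paths matter: they are code outside the package manager's view
    and need their own inventory (container layer, language ecosystem)."""
    index = file_owner_index(package_files)
    active, unowned = set(), []
    for path in observed_paths:
        pkg = index.get(path)
        if pkg is None:
            unowned.append(path)
        else:
            active.add(pkg)
    return active, unowned


def prioritize(findings, active):
    """Active code first, then by severity: a 9.8 in dormant code ranks
    below a 5.3 in code that is actually running."""
    rows = [Finding(cve, pkg, score, pkg in active)
            for pkg, items in findings.items() for cve, score in items]
    rows.sort(key=lambda f: (not f.active, -f.cvss))
    return rows


if __name__ == "__main__":
    active, unowned = active_packages(OBSERVED_PATHS, PACKAGE_FILES)
    for f in prioritize(FINDINGS, active):
        print(f"{'ACTIVE ' if f.active else 'dormant'} {f.cvss:4} {f.package:12} {f.cve}")
    print("unowned paths:", unowned)
```

A production agent has to resolve symlinks and bind mounts before the lookup (the path the loader opens is often not the path the package database lists) and must account for interpreted code, where the file that is read is a script rather than a shared object.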
ThreatVector is an ongoing series where we break down recent security incidents in the news to understand how they happened, how they spread and what the ramifications are for companies as they evolve their defenses.
LastPass recently updated details on its latest security incident, in which cloud storage was accessed that held unencrypted customer details as well as certain unencrypted vault data, like website URLs, that were stored adjacent to the encrypted fields: username, password, secure notes, etc.
The identity of your code – a cryptographic hash of it – can’t be spoofed or stolen. This is a powerful property that can make your infrastructure extremely secure.
Let’s explore this concept by building up to making a request to Amazon’s Key Management Service (KMS) to return a decryption key that only a specific piece of code should have access to.
At build time:
- calculate the expected values of our cryptographic hashes
- record these into an access policy
- record these into an audit trail to find code when given a specific hash

At run time:
- calculate the actual values
- sign an attestation containing these values, anchored by a trusted party

Optional, but useful at run time:
- provide guarantees the environment won’t be mutated from our trusted state
- provide guarantees that sensitive data can’t be read from memory by other processes
- provide protection from unwanted network egress

Each of these properties is fulfilled by AWS Nitro Enclaves, an isolated execution environment analogous to the Secure Enclave in your iPhone, but on a server.
Today we introduce a new open source tool, Enclaver, to aid engineers in building, testing and running code within secure enclaves, starting with AWS Nitro Enclaves.
Enclaver is the start of the technological foundation for achieving EdgeBit’s mission: to empower cloud services to consume and process data securely – in a way that maintains customer control over data, without getting in the way.