Data Theorem Launches Industry’s First Software Supply Chain Attack Surface Management Product to Identify Third-Party Assets and AppSec Violations

Data Theorem’s Supply Chain Secure Product Uniquely Discovers Third-Party Assets Across the Application Full-Stack with Continuous Runtime Analysis and Dynamic Vendor Management

PALO ALTO, Calif.--Data Theorem, Inc., a leading provider of modern application security, today launched Supply Chain Secure, the industry’s first attack surface management (ASM) product to address software supply chain security threats across the application full-stack of APIs, cloud services, SDKs, and open source software. Data Theorem uniquely identifies third-party vulnerabilities across the application software stack with continuous runtime analysis and dynamic inventory discovery that goes beyond traditional source code static analysis approaches and processing of software bill of materials (SBOMs).

High-profile security breaches such as SolarWinds, Kaseya, and Apache Log4j demonstrated the widespread damage that can occur for enterprise supply chains if third-party APIs, cloud services, SDKs, and open-source software have security flaws, which allow hackers to infiltrate systems, initiate malicious attacks, and extract sensitive data. These headlining hacks expose coverage gaps found in traditional static code analysis tools and the lack of security insights in most vendor management programs.

According to Gartner®, “Seventy-two percent of business professionals expect their third-party networks to expand moderately or significantly in the next three years.” [1] Gartner in another report stated that, “By 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chain, a three-fold increase from 2021.” [2]

Current software supply chain security approaches have focused on either vendor management or software composition analysis (SCA). However, these approaches often lack source code access for mobile, web, cloud, and commercial-off-the-shelf (COTS) software, as well as third-party API services, and neither approach can perform continuous runtime security monitoring. With Data Theorem’s Supply Chain Secure product, organizations can now benefit from a full-stack attack surface management (ASM) solution that delivers continuous third-party application asset discovery and dynamic tracking of third-party vendors. Data Theorem’s new supply chain product can automatically categorize assets under known vendors, allow customers to add new vendors, curate individual assets under any vendor, and alert on increases in policy violations and on high embed rates of third-party vendors within key applications. These automated capabilities allow vendor management teams to remedy supply chain security problems faster and more easily.

The Apache Log4j vulnerability highlighted how difficult dynamic asset discovery between first-party and third-party software currently is for every organization building and deploying software. Log4Shell, which impacted over 3 billion devices globally, illustrated the widespread risk that a single exploitable flaw in the software supply chain can create. The flaw showed how important an accurate software bill of materials (SBOM) is to reducing third-party supply chain risk. Data Theorem’s Supply Chain Secure product ingests SBOM files from vendors, and its Analyzer Engine can dynamically generate SBOM inventories from the applications themselves. Comparing the delta between what has been documented as third-party software and what the runtime application actually contains is an important part of any attack surface management effort, because it shows the real-world exposure to third-party software vulnerabilities.
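The delta check described above, as an added illustration that is not Data Theorem’s code and says nothing about how its Analyzer Engine is implemented: a vendor-supplied SBOM in a CycloneDX-style JSON layout (assumed shape: a top-level "components" list with "name" and "version" keys) is compared against a constructed list of components observed in the running application. Component names and versions are made up; the three output categories (undocumented at runtime, documented but not running, version drift) are the ones a vendor management team would act on.

```python
"""SBOM-vs-runtime delta check (added example, not vendor code)."""
import json
from dataclasses import dataclass, field

# Constructed vendor SBOM in a CycloneDX-style JSON layout. The shape
# (top-level "components" with "name"/"version") is an assumption.
VENDOR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logging", "version": "2.14.1"},
        {"type": "library", "name": "example-http-client", "version": "4.5.13"},
        {"type": "library", "name": "example-json", "version": "2.13.0"},
    ],
})

# Constructed runtime inventory, as a dynamic analyzer might report it:
# (component name, version actually loaded into the process).
RUNTIME_OBSERVED = [
    ("example-logging", "2.14.1"),
    ("example-json", "2.12.3"),           # version drift from the SBOM
    ("example-analytics-sdk", "1.9.0"),   # running, but absent from the SBOM
]


@dataclass
class SbomDelta:
    undocumented: list = field(default_factory=list)      # running, not in SBOM
    unobserved: list = field(default_factory=list)        # in SBOM, not running
    version_mismatch: list = field(default_factory=list)  # (name, sbom_ver, runtime_ver)

    def is_clean(self) -> bool:
        """True when the documented and observed inventories agree exactly."""
        return not (self.undocumented or self.unobserved or self.version_mismatch)


def parse_sbom_components(sbom_json: str) -> dict:
    """Return {name: version} from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    components = doc.get("components", [])
    return {c["name"]: c.get("version", "") for c in components if "name" in c}


def compute_delta(sbom_json: str, observed: list) -> SbomDelta:
    """Compare the vendor's documented components with what is running."""
    documented = parse_sbom_components(sbom_json)
    running = dict(observed)
    delta = SbomDelta()
    # Anything running that the SBOM does not mention is undocumented exposure;
    # anything mentioned with a different version is drift worth investigating.
    for name, version in running.items():
        if name not in documented:
            delta.undocumented.append((name, version))
        elif documented[name] != version:
            delta.version_mismatch.append((name, documented[name], version))
    # Components the SBOM lists but the runtime never loaded are stale entries.
    for name, version in documented.items():
        if name not in running:
            delta.unobserved.append((name, version))
    return delta


if __name__ == "__main__":
    d = compute_delta(VENDOR_SBOM_JSON, RUNTIME_OBSERVED)
    print("undocumented at runtime:", d.undocumented)
    print("documented but not running:", d.unobserved)
    print("version drift:", d.version_mismatch)
```

The undocumented bucket is the one that matters most for exposure: a component that is loaded but never declared will not be matched against vulnerability advisories by any SBOM-driven process, which is exactly the gap the Log4j episode exposed for teams relying on vendor paperwork alone.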

According to a Gartner report, “Software bills of materials (SBOMs) improve the visibility, transparency, security and integrity of proprietary and open-source code in software supply chains. To realize these benefits, software engineering leaders should integrate SBOMs throughout the software delivery life cycle.” The report further states, “By 2025, 60 percent of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20 percent in 2022.” Gartner also mentions that, “SBOMs are an essential tool in your security and compliance toolbox. They help continuously verify software integrity and alert stakeholders to security vulnerabilities and policy violations.” [3]

“While other software supply chain security approaches have emerged, no solution uses full-stack application runtime analysis and dynamic inventory discovery to support the challenges around vendor management,” said Doug Dooley, Chief Operations Officer at Data Theorem. “Data Theorem’s Analyzer Engine with attack surface management (ASM) enables organizations to conduct continuous, automated security inspection with application telemetry collection. This allows customers to have a better handle on the third-party software supply chain assets and exposures within their vendors, suppliers, and their own software stacks.”

Data Theorem’s broad AppSec portfolio protects organizations from data breaches with application security testing and protection for modern web frameworks, API-driven microservices and cloud resources. Its solutions are powered by its award-winning Analyzer Engine, which leverages a new type of dynamic and run-time analysis that is fully integrated into the CI/CD process, and enables organizations to conduct continuous, automated security inspection and remediation. Data Theorem is one of the first vendors to provide a full stack application security analyzer that connects attack surfaces of applications starting at the client layers found in mobile and web, the network layers found in APIs, and the infrastructure layers found in cloud services.

Availability and Pricing

Supply Chain Secure is available today directly from Data Theorem. Pricing starts at $15,000 USD annually. For more information, see https://datatheorem.com/products/supply-chain-secure.

Note 1 – Gartner, “Improve Third-Party Risk Management by Clarifying Procurement’s Role,” by Procurement Research Team. Aug. 16, 2021
Note 2 – Gartner, “How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks,” by Manjunath Bhat, Dale Gardner, and Mark Horvath. July 15, 2021
Note 3 – Gartner, “Innovation Insight for SBOMs,” by Manjunath Bhat, Dale Gardner, and Mark Horvath. Feb. 14, 2022
Disclaimer – GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About Data Theorem

Data Theorem is a leading provider of modern application security, helping customers prevent AppSec data breaches. Its products focus on API security, cloud (serverless apps, CSPM, CWPP, CNAPP), mobile apps (iOS and Android), and web apps (single-page apps). Its core mission is to analyze and secure any modern application anytime, anywhere. The award-winning Data Theorem Analyzer Engine continuously analyzes APIs, Web, Mobile, and Cloud applications in search of security flaws and data privacy gaps. The company has detected more than 5 billion application incidents and currently secures more than 25,000 modern applications for its enterprise customers around the world. Data Theorem is headquartered in Palo Alto, Calif., with offices in New York and Paris. For more information visit www.datatheorem.com.

Data Theorem and TrustKit are trademarks of Data Theorem, Inc. All other trademarks are the property of their respective owners.

Contacts

Dan Spalding
dan@datatheorem.com
(408) 960-9297