Deepfence open-sources ThreatMapper to find and rank software vulnerabilities


Deepfence, a cloud-native security observability platform used by companies such as Amyris, Flexport and Harness, has open-sourced a tool that automatically finds, maps and ranks application vulnerabilities across environments.

Deepfence was founded in 2017 and focuses primarily on protecting cloud-native workloads spanning serverless, Kubernetes, container and multi-cloud deployments. With Kubernetes, for example, companies can deploy Deepfence to analyze network traffic, file system integrity, running processes and more, and it works out of the box with managed Kubernetes services including OpenShift, Google GKE and Amazon EKS.

While Deepfence has always offered both an enterprise edition and a community edition known as ThreatMapper, the latter will be released under an open source license from tomorrow (October 14).

The news comes as software supply chain attacks explode, with “upstream” open source components often in the firing line. Countless organizations, from government agencies to companies, have been hit by targeted software supply chain attacks in the past year, prompting President Biden to issue an executive order outlining measures to combat the threats, while “big tech” has also increased its investment in protecting critical open source software.

Secure the software supply chain

ThreatMapper essentially scans runtime environments for vulnerabilities across the software supply chain and helps companies contextualize identified threats and prioritize those that need to be addressed most quickly.

At a time when many companies are “shifting left,” focusing their security controls earlier in the development process (pre-deployment), ThreatMapper recognizes that many vulnerabilities still make it into production software, and scans proprietary and third-party (e.g. open source) applications and components for vulnerabilities.

ThreatMapper is built on top of dozens of community feeds used by other open source software security scanners, including the National Vulnerability Database (NVD). It also draws on vulnerability databases from various vendors, operating system distributions, language package maintainers, and GitHub repositories.

Above: ThreatMapper by Deepfence goes open source

Deepfence originally launched ThreatMapper as a freemium, proprietary product last year, and in the intervening months, the company has been working with “early adopters” from the developer security operations (DevSecOps) community to refine the product and make it fully open source.

“ThreatMapper has been a learning experience as we considered how the technology would evolve, how it could be used, and what business model we would put in place to maintain it,” Deepfence head of products and community Owen Garrett told VentureBeat. “Open sourcing the technology prematurely would have been a distraction and would have created external pressure while we iterated on different roadmaps and models.”

While ThreatMapper will soon be available under an Apache 2.0 license, Deepfence is also renaming its commercial enterprise product to ThreatStryker. It is being transformed into a threat management product that uses ThreatMapper insights to model “the evolution of sophisticated attacks,” providing advance warning of threats and taking action to block the source of an attack and quarantine any workload that has been compromised.

In the coming months, Deepfence also plans to migrate some of the existing premium features to the open source project, such as deep packet inspection (DPI) for network traffic and detection of network and resource anomalies. It is also preparing to develop Deepfence into more of a platform by launching APIs, allowing developers to integrate ThreatMapper insights into other apps.

“Experimenting privately, without opening the code too early, has allowed us to come up with a community and business model that we believe will serve society very well,” Garrett said.
