Enhance Software Composition Analysis (SCA) with Reachability | Arnica

Today, Arnica is introducing Reachability, an innovative enhancement to our Software Composition Analysis (SCA) solution. Arnica’s Reachability feature enables engineering and security teams to evaluate whether third-party packages are truly exploitable by determining if the vulnerable functions are reachable in your application’s code. Arnica takes a pipelineless approach to Reachability to ensure that vulnerabilities are detected in real-time.

What Arnica built 

Arnica’s Reachability feature provides a new layer of context and intelligence to your Software Composition Analysis (SCA) approach by identifying whether an exploitable function is actually called within your application. We do this by conducting deep analysis of function-level vulnerabilities, ensuring that reachability is highlighted within the git context of every finding. Arnica is able to conduct this analysis across both direct and transitive dependencies, as well as correlate potential reachability between git branches. 

How is Arnica’s Reachability different? 

Pipelineless Reachability Analysis

Arnica’s pipelineless approach is optimized to provide reachability information, in real-time, to the developer on every code push, while they’re still working on that code. This approach ensures developers are able to address critical vulnerabilities as they are developing their code. This approach runs counter to the norm of requiring a full git clone to scan for reachability, which results in slower feedback. 

Cross-Branch Correlation

Function-level reachability can happen at different times, be introduced by different developers (e.g. one developer introduces the use of the vulnerable function, another pushes a package update), and can happen across all git branches. Arnica builds context across branches and enriches each finding with a confidence level based on this context. 

For example, a package with version X.1 may be calling a function that is only exploitable in version X.2. When a developer pushes a package update to version X.2 in a feature branch, that developer will then get notified, in real-time, about the future reachability of the vulnerability in the production code. 

Reachability in Arnica

What are the primary use cases for reachability?  

Arnica’s implementation of Reachability within Software Composition Analysis (SCA) supports a number of core use cases for Arnica customers. 

  1. Reduce Unhelpful Security Noise: If your reachability solution only filters out false positives, the reachability to-do list can remain overwhelming. Arnica enriches all findings with context, such as reachability, exploitability (EPSS), package depth, and more. This helps our customers prioritize only the most crucial findings with developers. 
  2. Predictive Vulnerability Management: Arnica determines whether previously non-reachable vulnerabilities are now exploitable. This check happens in real-time when a developer pushes new code. 

As is the case with everything we build, Arnica’s enhanced Reachability detection drives security outcomes while unburdening developers from wasted effort. 

Book some time with the Arnica team to see for yourself and join our beta

About Arnica

Enterprises today are faced with the need to harden their DevOps ecosystem to combat the proliferation of Software Supply Chain Attacks. These organizations are faced with the growing challenge of balancing development velocity, cost efficiency, and security.

Managing excessive developer permissions and identifying corresponding anomalous behavior are two obstacles in the way of establishing this equilibrium. Arnica was established to solve these obstacles by providing a seamless and frictionless active mitigation platform for exactly these issues and more. Arnica is the easy button for DevOps security.

Arnica analyzes excessive permissions, code risks and misconfigurations across the developer toolset and mitigates them.

Contact Arnica Press Team

press@arnica.io

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}