GrammaTech unveils new versions of its CodeSentry binary SCA platform
GrammaTech has unveiled a new version of its CodeSentry binary SCA platform that is available in three editions.
Unlike source-code SCA tools that only inspect components under development, CodeSentry analyzes the binary that executes to identify all components or vulnerabilities including those contained in post production applications.
Since most software vendors use components that contain open source software, CodeSentry identifies second, third and fourth party components regardless of where they enter the software supply chain by analyzing the final binary “as deployed”.
This allows organizations to identify vulnerable open source before it is incorporated into released products. Finally, CodeSentry detects and tracks N-day and zero-day vulnerabilities throughout the software lifecycle, supported by daily updates.
“CodeSentry is now available in three editions which allows customers to choose the application security capabilities that align with their requirements for software inventory, vulnerability assessment or security intelligence,” said Walter Capitani, Director of Technical Product Management for GrammaTech.
“Plus, with the SBOM Edition, organizations can inventory their software as a first step in implementing a proactive software supply chain security program to avoid fire drills caused by incidents like Log4j,” Capitani added.
CodeSentry editions
Each CodeSentry edition offers distinct capabilities to address the scale and maturity needs of an organization:
SBOM Edition: generates a software inventory to identify at-risk open-source components and assess licensing information to avoid compliance violations. Maintaining SBOMs for all applications enables organizations to proactively search for known vulnerable components and avoid the next open source “fire drill” like Log4j.
Security Edition: SBOM Edition capabilities plus identifies component N-Day vulnerabilities, provides security scoring for application risk assessment, assesses exploitability across components, and supports additional deployment and API options.
Advanced Security Edition: SBOM and Security Edition capabilities plus the ability to detect Zero-Day Vulnerabilities, support for advanced scanning to detect advanced N-Day weaknesses and packaging security assessment.
CodeSentry platform enhancements
In addition to the new tiered offerings, the latest version of CodeSentry features:
- A visualization dashboard that provides a comprehensive overview of artifact scanning and results across the CodeSentry instance
- Software component inventory search that finds vulnerable and exploitable components within or across scans to accelerate incident response and mitigate supply chain risks like Log4j
- Vulnerability intelligence which includes the ability to create a VEX export in CycloneDX format, allowing for easy sharing of vulnerability information
- Enriched security intelligence including new information on more than 2,300 vulnerabilities and 3,800 new components, with daily updates to its vulnerability database
- SBOMs that include a CPE (common platform enumeration) dictionary field and standard machine-readable formats for encoding names of IT products and platforms to help customers meet federal IT security compliance requirements