Azul Joins the Effort of Improving Supply Chain Security by Launching Vulnerability Detection SaaS


On November 2nd, Azul released Azul Vulnerability Detection, a new security product intended to address the increased risk of enterprise software supply chain attacks, a risk underlined by severe threats such as Log4Shell. The SaaS-based product continuously scans Java applications for known security vulnerabilities; Azul also claims that it does so without affecting application performance.

Azul Vulnerability Detection is a software composition analysis (SCA) tool that intends to extend software supply chain security into production environments. Rather than reporting a vulnerable component merely because it is present on the classpath, it identifies whether the vulnerable code is actually executed, which Azul hopes will eliminate false positives. The usual caveat for any usage-based approach applies: a vulnerable component that was not exercised during the observation window is not thereby proven unreachable, so present-but-unused findings still warrant an upgrade.

Data collection does not rely on agents; instead the product uses forwarders, components designed to relay communication between the JREs on an internal network and the cloud-hosted vulnerability detection service.

Presumably the forwarders were built to be easily configured to pass through firewalls and segmented networks, so that an organisation can use them as a single control point for monitoring the traffic leaving its network. By recording which code is executed under real usage in any environment where Azul's JVM runs (development, QA or production), an organisation can compare usage patterns across those environments. Once in the cloud, the recorded information is matched against a curated CVE database of Java-related vulnerabilities.

Azul argues that by gathering data at the JVM level it can detect vulnerabilities in everything that runs on Java, whether built in-house, bought or open source, and regardless of whether it is a framework (such as Spring, Hibernate, Quarkus or Micronaut), a library, or infrastructure (for instance Kafka, Cassandra or Elasticsearch).

Beyond identifying uses of vulnerable code, the product offers historical traceability for forensics: the history of component and code use is retained, giving users a tool to determine whether vulnerable code was actually executed before it became known as vulnerable, which is the starting point for assessing whether it may have been exploited.
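To make concrete the distinction the two preceding paragraphs draw (vulnerable code that is merely present versus code that actually ran, and whether it ran before the vulnerability was disclosed), here is an added example that is not Azul's code and does not use its CRS or forwarders. It reconstructs the same logic from data any HotSpot JVM can emit: a class-loading log produced by -Xlog:class+load with time decorations, a list of the jars on the classpath, and a small vulnerability database. All inputs are constructed for this example; the CVE identifiers are real, but the version bounds and marker classes are simplified, and the paths and timestamps are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample: JDK unified-logging output as produced by
#   -Xlog:class+load:stdout:time,level,tags
# and retained over the JVM's lifetime. Paths and timestamps are made up.
CLASS_LOAD_LOG = """\
[2022-10-12T08:15:01.003+0000][info][class,load] java.lang.Object source: shared objects file
[2022-10-12T08:15:02.117+0000][info][class,load] org.apache.commons.text.StringSubstitutor source: jar:file:/app/lib/commons-text-1.9.jar!/
[2022-10-15T10:02:32.101+0000][info][class,load] org.apache.logging.log4j.core.lookup.JndiLookup source: jar:file:/app/lib/log4j-core-2.14.1.jar!/
[2022-10-15T10:02:33.007+0000][info][class,load] com.example.app.Main source: file:/app/classes/
[2022-10-15T10:02:33.420+0000][info][class,load] org.apache.logging.log4j.core.lookup.JndiLookup source: jar:file:/app/lib/log4j-core-2.14.1.jar!/
"""

# Constructed sample: every jar on the classpath, whether anything in it ran or not.
CLASSPATH_JARS = [
    "/app/lib/log4j-core-2.14.1.jar",
    "/app/lib/commons-text-1.9.jar",
    "/app/lib/spring-beans-5.3.17.jar",
    "/app/lib/jackson-databind-2.13.4.jar",
]

# Constructed sample database. The CVE ids are real; "fixed_in", "published"
# and the marker classes are simplified for illustration only.
VULN_DB = [
    {"cve": "CVE-2021-44228", "artifact": "log4j-core", "fixed_in": "2.15.0",
     "published": "2021-12-10",
     "classes": {"org.apache.logging.log4j.core.lookup.JndiLookup"}},
    {"cve": "CVE-2022-42889", "artifact": "commons-text", "fixed_in": "1.10.0",
     "published": "2022-10-13",
     "classes": {"org.apache.commons.text.StringSubstitutor"}},
    {"cve": "CVE-2022-22965", "artifact": "spring-beans", "fixed_in": "5.3.18",
     "published": "2022-03-31",
     "classes": {"org.springframework.beans.CachedIntrospectionResults"}},
]

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[info\]\[class,load\] (?P<cls>\S+) source: (?P<src>.*)$")
JAR_IN_SOURCE = re.compile(r"file:(/[^!]+\.jar)")
JAR_NAME = re.compile(r"/(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1), so that tuple comparison orders versions."""
    return tuple(int(p) for p in v.split("."))


def parse_jar(path):
    """Split a Maven-style jar file name into (artifactId, version), or None."""
    m = JAR_NAME.search(path)
    return (m.group("artifact"), m.group("version")) if m else None


def parse_class_loads(log_text):
    """Map each loaded class to (time of first load, jar it came from or None)."""
    loads = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cls") in loads:   # keep only the first observed load
            continue
        src = JAR_IN_SOURCE.search(m.group("src"))
        loads[m.group("cls")] = (datetime.strptime(m.group("ts"), TS_FMT),
                                 src.group(1) if src else None)
    return loads


def assess(log_text, classpath_jars, vuln_db):
    """One finding per vulnerable jar on the classpath, classified as
    'present-only' (never loaded), 'loaded' (first ran after disclosure) or
    'loaded-before-disclosure' (ran before the CVE was published)."""
    loads = parse_class_loads(log_text)
    findings = []
    for entry in vuln_db:
        published = datetime.strptime(entry["published"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        for jar in classpath_jars:
            parsed = parse_jar(jar)
            if not parsed or parsed[0] != entry["artifact"]:
                continue
            if version_tuple(parsed[1]) >= version_tuple(entry["fixed_in"]):
                continue                       # patched version, not a finding
            hits = [loads[c][0] for c in entry["classes"]
                    if c in loads and loads[c][1] == jar]
            if not hits:
                status, first = "present-only", None
            else:
                first = min(hits)
                status = "loaded-before-disclosure" if first < published else "loaded"
            findings.append({"cve": entry["cve"], "jar": jar, "status": status,
                             "first_loaded": first.isoformat() if first else None})
    return findings


if __name__ == "__main__":
    for f in assess(CLASS_LOAD_LOG, CLASSPATH_JARS, VULN_DB):
        print(f"{f['cve']:<15} {f['status']:<26} {f['jar']}  first loaded: {f['first_loaded']}")
```

In a real deployment the log text would come from a retained -Xlog file (the time decorator matters; the default uptime decorator only gives seconds since JVM start) and the classpath list from a build-time inventory or SBOM. A classpath-only scanner would report all three jars identically; the class-load history separates the one that never ran from the one that ran, and dates the latter against the disclosure, which is exactly the question an incident responder asks first. A "present-only" result still means the jar should be upgraded.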

To make this possible, the Azul JVM ships with the Connected Runtime Service (CRS), which handles detection and communication with the Azul Vulnerability Detection Forwarder. CRS runs inside the Java process and collects information about that instance. It is disabled by default and can be enabled either via command-line arguments or via an environment variable. Once logging is enabled, a successful connection is reported in the log files as [][info] CRS authenticated: YOUR_UUID. Configuration at scale is also supported: rather than configuring each JRE individually, each enabled instance looks up two DNS entries to obtain its remaining properties, including the host to connect to, which can be either the cloud service or a forwarder. All JVMs on a common network can thereby be pointed at the cloud through one shared configuration.

As software is increasingly built from open source components, Gartner, in its report Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management (September 6th, 2022), predicted that "by 2025 45% of the global organisations will have experienced attacks on their supply chain, a three-fold increase from 2021".

Almost one year after Log4Shell, Azul Systems aims to provide an answer to the growing threat posed by supply chain attacks. Its newly released SCA product aims to detect vulnerabilities where the code actually runs: in the JVM.
