Shweta Sharma
Senior Writer

Orca bolsters cloud security offering with source code support

News
Jun 26, 2024 · 3 mins
Cloud Security, Security Software

The new capabilities are designed to improve visibility into source code repositories hosted on GitHub and GitLab.


Cybersecurity provider Orca has added new source code posture management capabilities to its cloud security offering by adding support for popular source code management (SCM) platforms.

The new capabilities are designed to round out Orca’s cloud security offering by adding protection over the CI/CD pipelines and offering additional visibility into source code repositories during development.

“With integrations for popular SCM tools like GitHub and GitLab, Orca is expanding its cloud security footprint, providing end-to-end coverage from source code platforms to the cloud and defending against cloud native risks for the entire development lifecycle,” the company said in a press statement.

The new capabilities are already available to customers as part of Orca’s cloud security platform within their existing subscriptions.

Securing source code repositories

GitHub and GitLab repositories that house source code represent a significant risk to the business when they are not properly configured and secured. Existing DevSecOps and AppSec practices are effective at securing the code itself, but they may lack tooling to identify and fix misconfigurations of the SCM accounts and platforms that hold it.

“The focus to date on the security risks of CI/CD and Git tools has been mainly around the ‘poisoning of the well’ tactic with malicious public repositories that pose as valid, popular repos, or user error and the amount of secrets and sensitive data living in Git tools,” said Story Tweedie-Yates, head of product for RAD Security. “But recently, a group of pen-testers also tested out the security of the configurations of the Git tools themselves and found a litany of problems. For example, self-hosted runners for GitHub Actions allow, by default, any repo contributor to submit a fork/pull request.”

Orca’s new capabilities promise a detailed, automatic inventory of all existing and newly added repositories, combined with reference to trusted third-party standards such as the Open Source Security Foundation (OSSF) guidelines and Legitify, to identify misconfigurations, security risks, and deviations from best practices within the SCM.
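To make the kind of posture check described above concrete, here is an added illustration (it is not Orca's, OSSF's or Legitify's code) that evaluates an inventory of repository settings against a few common SCM misconfiguration rules, including the self-hosted-runner and fork pull request exposure mentioned earlier. The repository records are constructed sample data, and the field names only loosely resemble the shape of SCM API responses; they are assumptions for the example, not a real API schema.

```python
"""Minimal SCM posture check (illustrative example, not vendor code).

Evaluates constructed repository settings against a handful of
misconfiguration rules and returns findings per repository, the way an
SCM posture scanner would after pulling settings from the platform API.
Field names below are assumed for the example, not a real API schema.
"""
from dataclasses import dataclass


@dataclass
class RepoSettings:
    name: str
    default_branch: str
    # branch name -> protection settings dict (assumed shape, see rules below)
    protected_branches: dict
    secret_scanning: bool
    # whether workflows triggered by fork pull requests need maintainer approval
    fork_pr_workflows_require_approval: bool
    self_hosted_runners: bool


@dataclass
class Finding:
    repo: str
    rule: str
    severity: str
    detail: str


def check_repo(repo: RepoSettings) -> list:
    """Return the list of misconfiguration findings for one repository."""
    findings = []
    prot = repo.protected_branches.get(repo.default_branch)
    if prot is None:
        findings.append(Finding(repo.name, "branch-protection-missing", "high",
                                f"default branch '{repo.default_branch}' has no protection rule"))
    else:
        if prot.get("required_approving_review_count", 0) < 1:
            findings.append(Finding(repo.name, "no-required-reviews", "medium",
                                    "changes can be merged without any approving review"))
        if not prot.get("required_status_checks"):
            findings.append(Finding(repo.name, "no-status-checks", "medium",
                                    "no CI status checks are required before merge"))
        if prot.get("allow_force_pushes", False):
            findings.append(Finding(repo.name, "force-push-allowed", "medium",
                                    "history of the default branch can be rewritten"))
    if not repo.secret_scanning:
        findings.append(Finding(repo.name, "secret-scanning-disabled", "medium",
                                "committed credentials would not be detected by the platform"))
    # Self-hosted runners plus unapproved fork PR workflows: untrusted code
    # from a fork could execute on infrastructure the organisation owns.
    if repo.self_hosted_runners and not repo.fork_pr_workflows_require_approval:
        findings.append(Finding(repo.name, "fork-pr-runner-exposure", "high",
                                "fork pull requests can run workflows on self-hosted runners without approval"))
    return findings


def inventory_findings(repos: list) -> dict:
    """Run check_repo over the whole inventory; maps repo name -> findings."""
    return {repo.name: check_repo(repo) for repo in repos}


def severity_summary(report: dict) -> dict:
    """Count findings by severity across the inventory."""
    counts = {}
    for findings in report.values():
        for f in findings:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (not real repositories).
SAMPLE_REPOS = [
    RepoSettings("payments-api", "main",
                 {"main": {"required_approving_review_count": 2,
                           "required_status_checks": ["ci/test"],
                           "allow_force_pushes": False}},
                 secret_scanning=True, fork_pr_workflows_require_approval=True,
                 self_hosted_runners=True),
    RepoSettings("legacy-tools", "master", {},
                 secret_scanning=False, fork_pr_workflows_require_approval=False,
                 self_hosted_runners=True),
    RepoSettings("docs-site", "main",
                 {"main": {"required_approving_review_count": 0,
                           "required_status_checks": [],
                           "allow_force_pushes": True}},
                 secret_scanning=True, fork_pr_workflows_require_approval=False,
                 self_hosted_runners=False),
]


if __name__ == "__main__":
    report = inventory_findings(SAMPLE_REPOS)
    for name, findings in report.items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
    print("summary:", severity_summary(report))
```

In this sample, the well-configured repository yields no findings, the unprotected legacy repository triggers the branch protection, secret scanning and runner exposure rules, and the documentation repository shows how a protection rule that exists but is empty still fails the review, status check and force-push rules. A real scanner would populate `RepoSettings` from the SCM platform's API and map each rule to the corresponding OSSF or Legitify check.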

“Orca’s announcement is in line with the new wave of issues in terms of configuration for source code and Git tools,” Tweedie-Yates added.

Building on existing capabilities

Orca also said it’ll use its proprietary Side-Scanning technology — an agentless approach that collects data directly from the runtime block storage of cloud workloads and combines it with metadata from cloud provider APIs — to identify risk hotspots within customers’ SCM platforms.

“While other cloud security players with similar legacies in CSPM foray into cloud detection and response and runtime agents (e.g. Wiz’s acquisition of Gem Security), with this move, Orca is expanding on its posture-only capabilities, relying even more heavily on its side-scanning technology to increase breadth across the software supply chain,” Tweedie-Yates said.

Additionally, Orca said it is implementing remediation and workload integration, which will enable it to deliver comprehensive remediation instructions for every alert, speeding up response times for security as well as development teams.

“It might appear that, in the context of its recent partnership announcement with Aqua Security, with its mature runtime capabilities, Orca is making a focused bet on posture versus real-time scanning or response,” Tweedie-Yates added.