Finding the needle in the haystack: effortless SBOM search in your cloud with Wiz

Find out quickly where OS and open-source packages or libraries are deployed in your cloud environments and secure them before potential issues arise.


In our earlier blog on agentless SBOM, we explored how Wiz automates SBOM creation at the runtime level. These SBOMs give Wiz users access to crucial information on all OS packages, open-source libraries, and their versions, providing instant visibility. To facilitate compliance, Wiz also offers the option of exporting reports in standard formats such as CycloneDX and SPDX. Wiz is now extending its capabilities to make it possible to search for a library or package as well as its version, enabling users to quickly find out where a package or library is deployed across their cloud environments. This makes it easy to identify obsolete or vulnerable libraries and the resources on which they are installed, so you can understand the risks and define a remediation plan.  

Challenges to navigate in the complexity of application stacks

Understanding the deployment landscape of open-source packages and libraries in cloud environments poses significant challenges for modern organizations. In dynamic cloud infrastructures, applications often rely on numerous proprietary or open-source libraries and packages, each with its own dependencies. Moreover, these components change often, whether to add a new feature or fix a bug. As a result, companies face several risks if they don't have in-depth knowledge of where these components are deployed. Firstly, there is a lack of visibility into what is deployed, as most tools generate SBOMs at the code level, so what runs in production may differ from what the SBOM describes. Secondly, security vulnerabilities in obsolete libraries or packages can go undetected, leaving systems open to exploitation. The same applies to the identification of 0-day vulnerabilities, potentially exposing resources.

Regarding compliance, requirements call for meticulous tracking of all software components, which requires a clear understanding of where they are deployed. Finally, operational efficiency is hampered when troubleshooting or updating applications, which becomes tedious due to the lack of visibility over dependencies and underlying versions. Knowing exactly where packages and libraries are deployed is essential for security, rapid protection against 0-day vulnerabilities, compliance, and operational excellence in cloud environments. 

Let’s take the case of the recently found backdoor in xz-utils, a data compression library affecting OpenSSH. Under some conditions, the vulnerability (assigned CVE-2024-3094) may allow RCE via SSH authentication in specific versions of certain Linux distributions. Scoring a full 10.0 on the CVSS calculator, this critical vulnerability has put every security team’s ability to react quickly to the test. 

Introducing Wiz's agentless SBOM search

Wiz addresses these challenges by providing organizations with a centralized and comprehensive view of their software bill of materials (SBOM) across cloud environments. Using its agentless approach, Wiz scans all resources, active or not, and detects all installed technologies. The Wiz sensor also validates packages and libraries that are in use at runtime. It enables users to easily access critical information about deployed packages and libraries and where they're in use. The result is a complete and constantly updated inventory, enabling organizations to identify the full spectrum of software components in use. 

Use Wiz to search where liblzma or xz-utils are deployed

The platform's comprehensive search capabilities make it easy for users to find important information, such as a particular version of Log4j, OpenSSL, or xz-utils, and to identify the resources where they are deployed. Managing dependencies becomes straightforward when users can identify where End-of-Life (EOL) or End-of-Support (EOSL) versions of libraries or packages are located. With this information, organizations can draw up targeted update plans to address potential security vulnerabilities and ensure compliance with regulatory requirements. 

Being able to identify where an obsolete version of a library is and where it has been deployed in our environment has always been a challenge for my team. With Wiz, they can now do this easily, enabling us to know which workloads need updating quickly.

Tiago Bernardinelli, Head of Cloud Engineering, Digibee

Finally, how do you know the impact on your environment when a 0-day vulnerability like xz-utils is announced (or is about to be announced)? Wiz facilitates triage by enabling organizations to quickly identify all the resources (e.g., container images, VMs) where versions 5.6.0 and 5.6.1, containing the maliciously injected backdoor, have been deployed. In addition, SBOM search combined with Wiz context allows filtering by whether the resource is publicly exposed, has high privileges, and more. This capability enables security teams to quickly assess potential exposure and take decisive action to mitigate risk.

Liblzma vulnerability detected on an exposed virtual machine
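The triage described above can be sketched over exported CycloneDX SBOMs. This Python is an added example, not Wiz's code or API: the inventory layout, resource IDs, `public` flag and the list of distro package names are assumptions, and the sample SBOMs are constructed. It also handles Debian-style `+really` version strings, where a package labelled 5.6.1 actually ships an older upstream release.

```python
import re

# Upstream releases the page names as backdoored (CVE-2024-3094).
BAD_VERSIONS = {"5.6.0", "5.6.1"}
XZ_NAMES = {"xz", "xz-utils", "xz-libs", "liblzma", "liblzma5"}  # assumed distro names

def upstream_version(version):
    """Reduce a distro version string to the upstream x.y.z it packages."""
    v = version.split(":", 1)[-1]      # drop an epoch prefix such as "1:"
    if "+really" in v:                 # Debian: real upstream follows "+really"
        v = v.split("+really", 1)[1]
    m = re.match(r"\d+(?:\.\d+)*", v)
    return m.group(0) if m else None

def walk(components):
    """Yield every component, including nested ones (CycloneDX allows nesting)."""
    for c in components or []:
        yield c
        yield from walk(c.get("components"))

def find_backdoored_xz(inventory):
    """Return (resource, package, version, public) hits, exposed resources first."""
    hits = []
    for res in inventory:
        for c in walk(res["sbom"].get("components")):
            name, ver = c.get("name", "").lower(), c.get("version", "")
            if name in XZ_NAMES and upstream_version(ver) in BAD_VERSIONS:
                hits.append((res["id"], c["name"], ver, res["public"]))
    return sorted(hits, key=lambda h: (not h[3], h[0]))

def bom(*components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": list(components)}

def lib(name, version, **extra):
    return {"type": "library", "name": name, "version": version, **extra}

# Constructed sample inventory; IDs and the "public" flag are hypothetical.
INVENTORY = [
    {"id": "vm-build-01", "public": False,
     "sbom": bom(lib("liblzma5", "5.6.1-1"), lib("openssl", "3.0.13-1"))},
    {"id": "vm-web-01", "public": True, "sbom": bom(lib("xz-libs", "5.6.0-1.fc40"))},
    {"id": "vm-db-01", "public": True,   # reverted package: upstream is 5.4.5
     "sbom": bom(lib("xz-utils", "5.6.1+really5.4.5-1"))},
    {"id": "img-api", "public": False,   # affected library nested under a parent
     "sbom": bom(lib("base-layer", "1", components=[lib("xz-utils", "5.6.1-1")]))},
]

if __name__ == "__main__":
    for hit in find_backdoored_xz(INVENTORY):
        print(hit)
```

A version match alone only establishes that the package is present; whether the conditions for exploitation hold on a given distribution still has to be checked per resource.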

This is yet another step taken by Wiz to help you secure your supply chain. But we’re not stopping there. Wiz also plans to identify and alert on open-source software licenses that are not commercially permissive, so that the code used by your developers does not violate one of them.

For more information on how Wiz can transform your SBOM management practices and elevate your cloud security posture, we invite you to explore our documentation (login required). Additionally, our team can provide personalized demonstrations tailored to your specific needs and challenges. Contact us today to schedule a demo and discover the full potential of Wiz for your organization. 
