Deepfence brings ‘attack path’ visualizations to ThreatMapper vulnerability platform

Did you miss a session from the Future of Work Summit? Head over to our Future of Work Summit on-demand library to stream.

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Security observability platform Deepfence has introduced a handful of updates to ThreatMapper, its open source tool for finding and ranking software vulnerabilities.

By way of a brief recap, Deepfence helps secure cloud-native workloads across serverless, Kubernetes, container, and multi-cloud deployments — companies such as Amyris, Flexport, and Harness use it to analyze network traffic, running processes, file-system integrity, and more. In addition to the core commercial enterprise product known as ThreatStryker, Deepfence also ships a community edition called ThreatMapper, which has been available under an open source license since October.

ThreatMapper scans runtime environments for vulnerabilities across the software supply chain, enabling companies to contextualize threats and prioritize the most urgent ones — this covers both proprietary and third-party (e.g., open source) applications and components. It’s built on top of dozens of community feeds, such as the National Vulnerability Database (NVD), while it also funnels data from various databases, operating system distributions, language maintainers, and repositories.

Attack path visualizations

With the world still reeling from the far-reaching Log4j vulnerability, Deepfence is now looking to bolster ThreatMapper with additional smarts that make it easier to visualize and prioritize bugs it identifies.

The new “attack path” visualization, for example, displays the top three to five vulnerabilities in a single graphic, illustrating the route a bad actor might take to exploit a vulnerability in a production application. This helps developer and security teams take appropriate action, such as limiting the exposure using a web application firewall until further testing has taken place.

This is all about helping to find vulnerabilities that might exist further downstream, ones that that weren’t known about when a company first deployed an application or update.

Related to this, Deepfence has also tweaked the calculation it uses to establish the most exploitable vulnerabilities, placing greater weight on network accessibility and the number of live network connections that exist to the impacted workloads. This is designed to give a more “representative assessment of the relative risks of high-severity vulnerabilities,” the company said.


Data suggests that attackers are going further upstream toward the origins of open source code, as this offers a more scalable means to distribute malware down through the software supply chain. This is why many companies have been shifting their security efforts “left.” But the fact of the matter is that vulnerabilities exist in production software — and this is what ThreatMapper is ultimately striving to tackle.

“By making it easier to scan and identify critical vulnerabilities both pre- and-post-deployment, the ThreatMapper project is becoming essential software for securing the software supply chain and identifying vulnerabilities in production,” Deepfence’s head of products and community Owen Garrett said in a statement. “By open sourcing and adding new features to ThreatMapper, Deepfence remains committed to building the best solution possible for the benefit of all industries.”

Elsewhere, Deepfence has also ported a feature from its enterprise-grade ThreatStryker product to ThreatMapper — support for AWS Fargate, Amazon’s serverless compute product for containers.

Other notable updates include added support for Google’s Chronicle security analytics platform, meaning that ThreatMapper now caters to a broader range of notifications, SIEM, and ticketing integrations, while ThreatMapper can push vulnerability scan results and audit logs to Google Chronicle. And the ThreatMapper community (i.e., not Deepfence itself) has developed support for ARM processors, which opens ThreatMapper up to more observability use cases.

Originally appeared on: TheSpuzz