Ox.security is a SaaS (Software as a Service) plug-and-play platform that aims to ensure the security and integrity of modern CI/CD pipelines from code to cloud, continuously protecting against supply chain risks such as the OpenSSL, Log4j and SolarWinds incidents and the other build-stage vulnerabilities that have accompanied the rapid shift to agile development, microservices and open-source integration.
Salient features of Ox.Security
Automatically block risks introduced into the pipeline and ensure the integrity of each workload, all from a single location.
Discover:
- Full visibility and end-to-end traceability over your software pipeline security from code to cloud.
- Manage your findings, orchestrate DevSecOps activities, prevent risks and maintain software pipeline integrity.
Prioritize:
- Remediate risks based on prioritization and business context.
- Automatically block vulnerabilities introduced into your pipeline.
- Immediately identify the "right person" to take action on any security exposure.
Secure:
- Close Gaps in Security Tooling & Coverage
- Avoid known security risks like Log4j and Codecov.
- Prevent new attack types based on proprietary research and threat intel.
- Detects anomalies like GitBleed.
Automate:
- Improve CI/CD Security & Processes
- Ensure the security and integrity of all cloud artifacts.
- Undertake security gap analysis and identify any blind spots.
- Auto-discovery and mapping of all applications.
- Most tools stop at generating SBOMs; OX's stated mission is to prevent attacks across the software supply chain and to ensure the security and integrity of each build (its "PBOM", pipeline bill of materials, concept).
Strengths
- OX's tooling (proprietary and open source) covers every category of the SDLC, from source code to runtime.
- Broad Source Control Management (SCM) integration, including GitHub, GitLab, Bitbucket and Azure Repos.
- Integrations are available for many popular CI tools, such as Jenkins, GitHub Actions, Azure DevOps, CircleCI and GitLab.
- Option to integrate existing commercial security tools such as Snyk for SCA, Checkmarx for static code analysis, Prisma Cloud for Cloud Security Posture Management (CSPM), and other commercial tools like SonarQube, Veracode and Mend (formerly WhiteSource).
- OX also leverages open-source tools such as Trivy for SCA, Bandit for static code analysis, Checkov for IaC templates, git-secrets for secrets scanning, and many more.
- Comprehensive dashboard with a detailed SecOps view, including vulnerability management.
- Provides a policy and exclusion dashboard to mark false positives and tune the priority of each vulnerability policy.
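To make the policy and exclusion behaviour described above (and in the observations below) concrete, here is an added illustration that is not OX Security's code: a gate that takes scanner findings, applies a fixed catalogue of built-in policies that can only be reprioritised or enabled/disabled, honours exceptions scoped to a single repo or to all repos, and decides whether the build is blocked. The policy names, severity levels, finding layout and sample findings are all assumptions constructed for the example.

```python
"""Pipeline gate modelled on the policy/exception behaviour the review describes.

Added illustration, not OX Security's code: a fixed catalogue of built-in
policies that can only be reprioritised or enabled/disabled, exceptions that
are scoped either to one repo or to all repos, and a block/pass decision for
the build. Policy names, severities and the sample findings are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical built-in policy catalogue; no custom policies can be added.
BUILTIN_POLICIES = {
    "sca-known-vulnerability": {"priority": "critical", "enabled": True},
    "sast-injection": {"priority": "high", "enabled": True},
    "iac-public-storage": {"priority": "high", "enabled": True},
    "secret-in-repo": {"priority": "critical", "enabled": True},
    "dependency-outdated": {"priority": "low", "enabled": True},
}


@dataclass(frozen=True)
class Finding:
    policy: str       # built-in policy that fired
    repo: str         # repository the finding belongs to
    fingerprint: str  # stable identity (CVE id, rule id + path, ...)
    tool: str         # scanner that produced it: trivy, bandit, checkov, ...


@dataclass(frozen=True)
class Exemption:
    fingerprint: str
    repo: Optional[str] = None  # None = applies across all repos

    def covers(self, f: Finding) -> bool:
        return f.fingerprint == self.fingerprint and self.repo in (None, f.repo)


class PolicyEngine:
    def __init__(self, block_at: str = "high"):
        if block_at not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {block_at!r}")
        self.policies = {name: dict(cfg) for name, cfg in BUILTIN_POLICIES.items()}
        self.block_at = block_at
        self.exemptions = []  # list of Exemption

    def _policy(self, name: str) -> dict:
        if name not in self.policies:
            raise KeyError(f"no built-in policy {name!r}; custom policies are not supported")
        return self.policies[name]

    def set_priority(self, name: str, priority: str) -> None:
        if priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {priority!r}")
        self._policy(name)["priority"] = priority

    def set_enabled(self, name: str, enabled: bool) -> None:
        self._policy(name)["enabled"] = enabled

    def add_exemption(self, fingerprint: str, repo: Optional[str] = None) -> None:
        self.exemptions.append(Exemption(fingerprint, repo))

    def evaluate(self, findings) -> dict:
        """Bucket each finding and decide whether the build is blocked."""
        result = {"blocking": [], "below_threshold": [], "exempted": [], "disabled": []}
        for f in findings:
            pol = self._policy(f.policy)
            if not pol["enabled"]:
                result["disabled"].append(f)
            elif any(e.covers(f) for e in self.exemptions):
                result["exempted"].append(f)
            elif PRIORITY_RANK[pol["priority"]] >= PRIORITY_RANK[self.block_at]:
                result["blocking"].append(f)
            else:
                result["below_threshold"].append(f)
        result["blocked"] = bool(result["blocking"])
        return result


# Constructed sample findings, shaped like what Trivy/Bandit/Checkov might report.
SAMPLE_FINDINGS = [
    Finding("sca-known-vulnerability", "payments-api", "CVE-2021-44228", "trivy"),
    Finding("sast-injection", "payments-api", "bandit:B608:app/db.py:42", "bandit"),
    Finding("iac-public-storage", "payments-api", "checkov:CKV_AWS_20:infra/s3.tf", "checkov"),
    Finding("dependency-outdated", "payments-api", "pypi:requests", "trivy"),
]


def walkthrough():
    """Tune the engine step by step; returns the blocking-finding count after each step."""
    engine = PolicyEngine(block_at="high")
    counts = [len(engine.evaluate(SAMPLE_FINDINGS)["blocking"])]                # 3 block
    engine.add_exemption("checkov:CKV_AWS_20:infra/s3.tf", repo="payments-api")  # FP, one repo only
    counts.append(len(engine.evaluate(SAMPLE_FINDINGS)["blocking"]))            # 2
    engine.add_exemption("CVE-2021-44228", repo="legacy-monolith")              # other repo: no effect
    counts.append(len(engine.evaluate(SAMPLE_FINDINGS)["blocking"]))            # 2
    engine.set_priority("sast-injection", "medium")                             # now below block_at
    counts.append(len(engine.evaluate(SAMPLE_FINDINGS)["blocking"]))            # 1
    engine.set_enabled("dependency-outdated", False)                            # was already non-blocking
    counts.append(len(engine.evaluate(SAMPLE_FINDINGS)["blocking"]))            # 1
    return counts


if __name__ == "__main__":
    print(walkthrough())
```

The point of the repo-scoped exemption step is the check a practitioner should make before trusting any exclusion dashboard: an exception raised against one repository must not silently suppress the same fingerprint elsewhere, and a critical finding stays blocking until it is either exempted in its own repo or the policy itself is downgraded.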
My Observations
Here are my observations after using the platform, covering both the pros and cons.
Good
- Multi-source-control integration available: GitHub, GitLab, Bitbucket and Azure Repos.
- Easy plug-and-play integration. We can set up the entire platform with a couple of clicks and an authorization.
- Supports open-source as well as commercial versions of various security tools.
- On the roadmap, additional tools may be integrated with OX Security.
- Priorities of the pre-defined policies can be modified as required.
- Exceptions can be raised when a finding is a false positive, either against one repo or across all repos.
Areas for Improvement
- There should be at least one tool for Vulnerability Assessment, APIs, User Directory, Bug Bounty, Dev Alerts, and Training.
- Although additional tool integrations are on the roadmap, there is no ETA; they may get abandoned.
- Cannot add customized policies. Only the out-of-the-box policies' priority can be changed, or they can be enabled/disabled.
- Lacks DAST and IAST, but Veracode DAST can be integrated with the platform.
- Out-of-the-box support for Cloud Security Posture Management (CSPM) via Prowler (open-source) is available only for AWS. No support for cloud-specific security tools such as Azure Defender or GCP SecOps.
Reference:
- https://www.ox.security/
- https://venturebeat.com/security/sbom-devsecops-pbom/
- https://github.com/oxsecurity/megalinter/
- https://www.ox.security/the-anatomy-of-a-pbom/
- https://marketplace.visualstudio.com/items?itemName=oxsecurity.ox-ide