Securing the software supply chain has always been messy, because the supply chain itself is messy.
Modern, cloud-based applications rely on open source packages, third-party software purchased from vendors, and operating systems … but the supply chain complexity doesn’t end there. Every application used in the software development lifecycle—from developers’ IDEs to CI/CD tools and testing solutions—represents another link in the chain.
With that much complexity, supply chain security solutions are usually limited to seeing one part of the whole picture.
Software composition analysis (SCA) tools see open-source libraries. Cloud-native application protection platforms (CNAPPs) see cloud infrastructure. But what sees your third-party applications, and how can you tell whether you've been compromised by malware that hasn't even been named or identified yet?
Supply Chain Blind Spots
The biggest blind spot for most organizations is their vendor-sourced third-party software. You can’t see the source code, so the vast majority of static scanning tools (which rely on source code) can’t see inside.
There’s no way to run a modern enterprise software organization without relying on third-party applications—so everyone uses workarounds, most notably the SBOM.
But SBOMs have limitations:
- Blind spots: Just as you can't see into your third-party applications, vendors can't see into their own third-party dependencies, so they cannot give you complete information about every component in the software they ship.
- Out of date: An SBOM is inherently a point-in-time view of the software. It is not necessarily regenerated every time a component in the application changes, so the document you hold may no longer describe the binary you run.
- Lack of context: SBOMs don't tell you which vulnerable components are actually loaded and used by the application, and which ones are present on disk but never loaded (and therefore cannot be exploited in that deployment). That makes it hard to tell which vulnerabilities, from which vendors, actually matter.
- Trust: When you rely on a third-party SBOM, you’re trusting your vendor to check everything they can and to accurately report the contents of their software—a trust that may not always be deserved.
These limits go a long way toward explaining why SBOMs haven’t really lived up to the hype they generated when they first became available. Far from solving the supply chain problem, SBOMs have added to the layers of trust and complexity needed to evaluate the supply chain.
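The "lack of context" limitation can be made concrete by joining an SBOM with evidence of what a process has actually loaded. The following is an added example, not Oligo's code and not a description of its sensor: it cross-checks a constructed CycloneDX SBOM against a constructed /proc/<pid>/maps excerpt, sorts vulnerable components into loaded ("exploitable") and never-loaded ("dormant"), and flags loaded libraries the SBOM omits. The SBOM contents, the maps excerpt and the set of "vulnerable" versions are all assumptions for illustration; the only real advisory referenced is CVE-2024-3094 for liblzma 5.6.1 (the XZ Utils backdoor).

```python
"""Cross-check an SBOM against the shared libraries actually mapped into a
running process. Splits vulnerable components into "exploitable" (in the
SBOM and loaded) and "dormant" (in the SBOM but never loaded), and lists
loaded libraries the SBOM does not mention. All inputs are constructed."""
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment; not from any real vendor.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "liblzma",  "version": "5.6.1"},
    {"type": "library", "name": "libcurl",  "version": "8.4.0"},
    {"type": "library", "name": "libpng16", "version": "1.6.40"},
    {"type": "library", "name": "libexpat", "version": "2.5.0"}
  ]
}
"""

# Constructed /proc/<pid>/maps excerpt for the running application.
# liblzma and libpng16 are absent: shipped on disk, never loaded.
PROC_MAPS = """\
7f3a1c000000-7f3a1c1a0000 r-xp 00000000 fd:01 1310731 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c290000 r-xp 00000000 fd:01 1310990 /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0
7f3a1c300000-7f3a1c330000 r-xp 00000000 fd:01 1311002 /usr/lib/x86_64-linux-gnu/libexpat.so.1.8.10
7f3a1c400000-7f3a1c401000 rw-p 00000000 00:00 0
7ffd5e7f0000-7ffd5e811000 rw-p 00000000 00:00 0 [stack]
"""

# Components with a known-bad version, as (name, version). The liblzma
# entry is real (CVE-2024-3094, the XZ Utils backdoor); the other two are
# constructed assumptions for this example, not real advisories.
VULNERABLE = {
    ("liblzma", "5.6.1"),
    ("libcurl", "8.4.0"),
    ("libpng16", "1.6.40"),
}

# Captures the library base name in a mapped path, e.g. "libcurl" in
# ".../libcurl.so.4.8.0". The soname version (4.8.0) is not the package
# version (8.4.0), so version matching is deliberately left to the SBOM.
SO_NAME = re.compile(r"/(lib[^/\s]+?)\.so(?:\.|$)")


def loaded_libraries(proc_maps: str) -> set[str]:
    """Library base names for every shared object mapped into the process."""
    libs = set()
    for line in proc_maps.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:          # anonymous mapping, no backing file
            continue
        match = SO_NAME.search(fields[5])
        if match:                    # skips [stack], [heap], [vdso], data files
            libs.add(match.group(1))
    return libs


def triage(sbom_json: str, proc_maps: str, vulnerable: set) -> dict:
    """Sort SBOM components by whether a vulnerable version is actually loaded."""
    components = {(c["name"], c["version"])
                  for c in json.loads(sbom_json)["components"]}
    loaded = loaded_libraries(proc_maps)
    report = {"exploitable": [], "dormant": [], "unlisted": []}
    for name, version in sorted(components):
        if (name, version) not in vulnerable:
            continue
        bucket = "exploitable" if name in loaded else "dormant"
        report[bucket].append(f"{name} {version}")
    # Loaded code the SBOM never mentioned: the "blind spot" and
    # "out of date" failure modes surface here.
    report["unlisted"] = sorted(loaded - {name for name, _ in components})
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, PROC_MAPS, VULNERABLE), indent=2))
```

Two caveats a practitioner should keep in mind. First, "mapped into the process" is necessary but not sufficient for exploitability: a loaded library whose vulnerable function is never called is still unreachable, which is exactly the gap that function-level runtime visibility closes and a maps-based check cannot. Second, a maps snapshot is itself a point-in-time view; a library pulled in later via dlopen() will be missed unless the check is repeated or driven by load events rather than taken once.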
Third-party software isn't the only place where new supply chain issues can be introduced. Build artifacts make up a large share of what actually ships in your application, but static scanning tools typically have no visibility into them. Even binary scanners that can inspect third-party applications or build artifacts can't contextualize what they find or detect compromises that nobody has catalogued yet. That makes it impossible for them to identify pre-disclosure or undisclosed supply chain exploits, or to tell you which applications are being actively exploited.
High Visibility, Low Overhead: Oligo Sees Your Whole Supply Chain
We built the Oligo Application Defense Platform to see every link in the software supply chain. Every third-party application, every build artifact—all contextualized with full information on exactly how your components are used at runtime.
The platform's "secret sauce" is our sensor. Other eBPF-based products use eBPF to observe applications at the process level. We've fine-tuned our sensor (using patent-pending innovations) to see deeper, into individual libraries and the functions within them.
With our ability to detect anti-patterns and indicators of compromise, the Oligo Application Defense Platform can alert you not only to known supply chain compromises, but even ones that have not yet been named or researched. When the XZ Utils backdoor was discovered, we found that our existing detection rules would have found it with no changes, if any of our customers had run an application containing the backdoor—fortunately, none of them were running the bad OS packages containing the malicious code.
The Oligo sensor is fast to deploy (hours, not months), requires minimal ongoing maintenance or support after deployment, and runs with less than 1% performance overhead.
Protecting Your Supply Chain: Proactive Steps
We won’t stop at just detecting supply chain compromises. We want to stop application breaches instantly—which is why our sensor can now take protective steps as well.
Using detection rules built on our library profiles and on common exploitation paths, the sensor can block malicious code from running in your application while letting the rest of the software function normally. This buys developers time to apply patches or workarounds without disrupting operations or impacting SLAs.
We were named the world’s Best Software Supply Chain Solution for a reason—Oligo works unlike any other tool in the market to understand the supply chain better than anyone else.
Talk to us today to learn how to see your supply chain like never before.