Introduction
Root is a two-sided SaaS application security platform that enhances transparency and trust in application security by seamlessly linking software producers with consumers. Its main objective is to streamline the security verification process, enabling quicker acceptance of software releases through clear communication and effective collaboration. This platform empowers producers to share critical security information confidently and assists consumers in efficiently verifying these details, speeding up the deployment process and fostering mutual trust.
Background
In the software supply chain, both producers and consumers of software encounter significant challenges because of a lack of transparency and trust in how software security is validated and accepted. Research shows that vulnerabilities and security threats are growing at an accelerating rate. Producers face escalating operational costs as they respond to an ever-increasing volume of security inquiries from a growing consumer base. This diverts developers from innovation and adds a substantial financial burden with each software release. Consumers, for their part, are mired in ongoing verification work, struggling to interpret security scan results without sufficient context from producers.
The dynamic nature of today's software economy demands a degree of agility and transparent operations that traditional security approaches often fail to provide. Producers are pressured to prove the safety of their applications swiftly and transparently to maintain competitive advantages, while consumers require assurances of software integrity to protect their operations and data.
The core issue is a cycle of distrust and opacity that escalates with every new software version, adding to the financial and business risks for producers and security risks for consumers. Each information gap can signify a threat or compliance risk, highlighting the urgent need for a transformative approach to communicating and managing software security.
Root: How it works
Within the software producer's environment, Root integrates easily with tools like vulnerability scanners, ticketing systems, code repositories, and CI/CD systems, simplifying the collection of security data. This allows for aggregating and organizing security information, such as vulnerability findings from security scanners, software release details, and contextual information, which are crucial for a comprehensive understanding of the security posture of current and upcoming releases.
Central to Root's functionality are workflows and tools that help development and application security teams distinguish genuine threats from false positives. This precision is essential for assessing whether a reported vulnerability is actually relevant, given how the affected software component is used, the system configuration, the application design, and similar factors. The platform's "triage center" is a central hub where software developers and security teams can view and manage security details organized by software release, drawing focus to the most critical findings.
In the triage center, each security issue is reviewed and categorized using Vulnerability Exploitability eXchange (VEX) status fields, which record whether a product is affected by a finding and the current state of the analysis. The triage center also provides extensive collaboration features, enabling team members to discuss significant findings, their related analysis, and their status. Producers control which triage center information is shared with consumers. This allows tailored communication and collaboration between producers and consumers while keeping sensitive preparatory information confidential until it is relevant.
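To make the triage step concrete, here is an added example (not Root's own code, and not describing Root's internal data model) of how scanner findings can be reconciled against VEX statements. It uses the four status values and the `not_affected` justifications defined by the OpenVEX specification; the `Finding` and `VexStatement` types, the `share_with_consumers` flag, and the CVE identifiers and package URLs in the sample data are constructed for illustration. The example validates each statement, defaults unanalysed findings to `under_investigation` so nothing silently disappears from the work queue, and shows how a producer-facing view (with internal rationale) differs from the consumer-facing view (shareable statements only).

```python
from dataclasses import dataclass
from typing import Optional

# Status values and not_affected justifications as defined by OpenVEX.
VEX_STATUSES = frozenset({"not_affected", "affected", "fixed", "under_investigation"})
NOT_AFFECTED_JUSTIFICATIONS = frozenset({
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
})


@dataclass(frozen=True)
class Finding:
    """A raw scanner result (hypothetical shape, not a particular scanner's output)."""
    vuln_id: str
    component: str   # package URL of the affected component
    severity: str


@dataclass(frozen=True)
class VexStatement:
    """A triage decision for one (vulnerability, component) pair."""
    vuln_id: str
    component: str
    status: str
    justification: Optional[str] = None  # required when status == not_affected
    rationale: str = ""                  # internal analysis notes, never shared
    share_with_consumers: bool = False   # hypothetical release flag


def validate_statement(stmt: VexStatement) -> list:
    """Return a list of problems; an empty list means the statement is well-formed."""
    errors = []
    if stmt.status not in VEX_STATUSES:
        errors.append(f"unknown status {stmt.status!r}")
    if stmt.status == "not_affected":
        if stmt.justification not in NOT_AFFECTED_JUSTIFICATIONS:
            errors.append("not_affected requires a recognised justification")
    elif stmt.justification is not None:
        errors.append("justification is only meaningful for not_affected")
    return errors


def triage(findings, statements) -> dict:
    """Map each finding to its VEX status. Findings with no matching statement
    default to under_investigation so they stay visible to the triage team."""
    index = {(s.vuln_id, s.component): s for s in statements}
    result = {}
    for f in findings:
        stmt = index.get((f.vuln_id, f.component))
        result[(f.vuln_id, f.component)] = stmt.status if stmt else "under_investigation"
    return result


def actionable(findings, statements) -> list:
    """Findings the release team still has to act on: affected or not yet analysed."""
    statuses = triage(findings, statements)
    return [f for f in findings
            if statuses[(f.vuln_id, f.component)] in {"affected", "under_investigation"}]


def consumer_view(statements) -> list:
    """Only statements explicitly released to consumers, with internal rationale stripped."""
    return [{"vuln_id": s.vuln_id, "component": s.component,
             "status": s.status, "justification": s.justification}
            for s in statements if s.share_with_consumers]


# Constructed sample data: placeholder CVE ids and package URLs, not real advisories.
FINDINGS = [
    Finding("CVE-0000-0001", "pkg:npm/example-lib@1.2.3", "high"),
    Finding("CVE-0000-0002", "pkg:npm/example-lib@1.2.3", "medium"),
    Finding("CVE-0000-0003", "pkg:pypi/example-tool@4.5", "critical"),
]
STATEMENTS = [
    VexStatement("CVE-0000-0001", "pkg:npm/example-lib@1.2.3", "not_affected",
                 "vulnerable_code_not_in_execute_path",
                 rationale="the vulnerable parser entry point is never invoked",
                 share_with_consumers=True),
    VexStatement("CVE-0000-0002", "pkg:npm/example-lib@1.2.3", "affected",
                 rationale="fix scheduled for next release", share_with_consumers=False),
]

if __name__ == "__main__":
    for s in STATEMENTS:
        print(s.vuln_id, validate_statement(s) or "ok")
    print("still actionable:", [f.vuln_id for f in actionable(FINDINGS, STATEMENTS)])
    print("consumer view:", consumer_view(STATEMENTS))
```

The default-to-`under_investigation` rule is the important design choice: a finding that merely lacks a statement must not be treated as resolved, and only an explicit `not_affected` or `fixed` decision removes it from the actionable list.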