DEVOPSdigest

Azul announced an enhancement to Azul Intelligence Cloud, a capability in Azul Vulnerability Detection that brings precision to detection of Java application security vulnerabilities.

Azul Vulnerability Detection uses class-level production runtime data to detect vulnerabilities. This enables organizations to focus only on the code paths that are actually used, delivering 100x to 1,000x reduction in false positives compared to other tools, empowering DevOps teams to prioritize and remediate real risks faster, improve security posture and dramatically boost developer productivity.

Azul Intelligence Cloud is a cloud analytics solution that provides actionable intelligence from production Java runtime data to dramatically boost developer productivity. Its Vulnerability Detection capability identifies and prioritizes known security vulnerabilities in Java applications in production with 100-1000x greater accuracy than traditional AppSec or APM tools. It uses a curated knowledge base mapping CVEs to classes used at runtime to pinpoint vulnerable components for prioritization and remediation, eliminating up to 99% of false positives and dramatically boosting DevOps productivity. As an example, a recent ‘Critical’ severity vulnerability, CVE-2024-1597, in specific 42.x versions of the pgjdbc PostgreSQL Java Database Connectivity (JDBC) driver allows attackers to perform a SQL injection attack. This CVE scores 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) and applies in the relatively uncommon case when the driver is used in a specific non-default mode. Traditional AppSec tools issue a security alert when the component is present even if it’s unused or used in the (safe) default mode, resulting in false positive alerts and precious developer hours being spent remediating code unnecessarily. Vulnerability Detection is orders of magnitude more accurate because it detects at runtime if one or more of the 11 vulnerable classes associated with the CVE out of the 470 total classes in the component are actually used in production.

Azul Vulnerability Detection delivers additional key benefits across an enterprise’s entire Java estate:

- Efficiently triages new vulnerabilities – delivers continuous, real-time detection of Java vulnerabilities in production, enabling DevOps teams to quickly triage and prioritize critical issues, especially during high-impact events like Log4j. This reduces time spent on false positives and minimizes disruption, allowing teams to stay focused on higher-value work.

- Real-time and historical analysis, accelerated by AI – retains component and code-use history, focusing forensic efforts to determine if vulnerable code was actually exploited prior to it being known as vulnerable. It continuously detects known vulnerabilities and precisely catalogs code in production to focus scarce human effort. Azul’s vulnerability team uses AI to quickly identify Java-specific CVEs from the NVD (National Vulnerabilities Database) and other sources and updates the Azul Vulnerability Detection Knowledge Base with newly published vulnerabilities.

- Production monitoring for Oracle JDK and any OpenJDK-based JVM – takes advantage of production runtime data from Oracle JDK and any OpenJDK-based JVM, independent of vendor or distribution – including Azul, Amazon, Temurin, Microsoft, Red Hat and more – to improve overall DevOps productivity.

- No performance impact in production – leverages Java runtime data that exists within a JVM when running the application, resulting in no performance impact, something not possible using any other tool.

“Our mission is to help enterprises focus their security efforts on what matters — real risk, not noise,” said Scott Sellers, co-founder and CEO of Azul. “By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100x – 1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritize real risk and accelerate remediation — all with zero impact to performance and without slowing innovation.”