
Black Kite Unveils Software Supply Chain Vulnerabilities at Product Level

Summary

– Black Kite has launched a new Product Analysis module for granularly assessing the risks of third-party software products.
– This module provides detailed intelligence through downloadable software (CPE), SaaS subdomain, and SBOM analysis.
– It addresses the gap where a vendor’s overall security posture does not guarantee the safety of each individual product they offer.
– The analysis helps teams make more confident software decisions and enables stronger, targeted monitoring and mitigation actions.
– It supports compliance for regulated industries by performing required assessments like SBOM analysis in line with directives such as EO 14028.

Black Kite has introduced a groundbreaking module designed to pinpoint software supply chain vulnerabilities at the individual product level, offering security teams unprecedented granularity in third-party risk assessment. This new Product Analysis capability moves beyond traditional vendor evaluations to scrutinize specific software applications and services. By delivering detailed intelligence on potential exposures, it empowers organizations to make more informed decisions regarding vendor relationships and internal security protocols.

Candan Bolukbas, the company’s Chief Technology Officer, emphasized the critical need for this focused approach. He noted that while vendor security postures are important, they don’t always reflect the safety of every single product in a portfolio. This new module bridges that gap by providing precise, actionable insight into where vulnerabilities actually exist, whether within SaaS platforms or deeper software supply chain dependencies. The goal is to enable targeted defensive actions before latent risks turn into active security incidents.

The tool enhances traditional vendor analysis by allowing teams to assess individual products, thereby gaining a clearer picture of associated supply chain threats. This process aims to improve both the speed and the accuracy of product security evaluations.

To build a comprehensive risk profile, the module synthesizes data from several advanced analysis methods:

Downloadable Software Analysis (CPE): This function links software products to their original vendors. It then calculates a risk rating, categorized as low, medium, or high, based on factors like known Common Vulnerabilities and Exposures (CVEs), active exploits, security certifications, and whether the software has reached its end-of-life.

SaaS Subdomain Analysis: This technique identifies and catalogues subdomains associated with Software-as-a-Service applications. It correctly associates these digital assets with their parent company and assesses each for vulnerabilities and potential exploit paths.

SBOM Analysis & Mapping: A crucial component for modern software risk, this analyzes the open-source components and dependencies embedded within third-party software. It helps uncover hidden vulnerabilities and complex, nested dependency chains that could pose a threat.
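To make the SBOM analysis concrete, the following is an added illustration (not Black Kite's code or rating logic) of the two tasks the description above names: walking nested dependency chains in an SBOM and assigning a low/medium/high rating per component from CVE, active-exploit and end-of-life signals. It assumes a CycloneDX-style JSON SBOM and a constructed vulnerability feed; the rating thresholds are an assumption chosen for the example.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM (real format; this instance is made up and trimmed
# to the fields used here). Nested chain: acme-app -> lib-a -> lib-b -> lib-c.
SBOM_JSON = """{
  "metadata": {"component": {"bom-ref": "acme-app", "name": "acme-app", "version": "2.1.0"}},
  "dependencies": [
    {"ref": "acme-app", "dependsOn": ["lib-a"]},
    {"ref": "lib-a", "dependsOn": ["lib-b"]},
    {"ref": "lib-b", "dependsOn": ["lib-c"]}
  ]
}"""

# Constructed vulnerability intelligence keyed by bom-ref; CVE ids are placeholders.
VULN_INTEL = {
    "lib-b": {"cves": ["CVE-0000-PLACEHOLDER-1"], "exploited": False, "eol": False},
    "lib-c": {"cves": ["CVE-0000-PLACEHOLDER-2"], "exploited": True, "eol": True},
}

def dependency_chains(sbom):
    """Breadth-first walk from the root component. Returns, for every reachable
    bom-ref, the shortest path of refs through which the product pulls it in."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    chains, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in chains:  # already-seen refs also break dependency cycles
                chains[child] = chains[ref] + [child]
                queue.append(child)
    return chains

def rate(intel):
    """Assumed rule set (not Black Kite's): exploited or EOL -> high, any CVE -> medium, else low."""
    if intel and (intel["exploited"] or intel["eol"]):
        return "high"
    return "medium" if intel and intel["cves"] else "low"

def analyse(sbom_json, intel):
    """Rate every transitive dependency and record how deep in the chain it sits."""
    chains = dependency_chains(json.loads(sbom_json))
    return {ref: {"rating": rate(intel.get(ref)), "depth": len(path) - 1,
                  "chain": " -> ".join(path)}
            for ref, path in chains.items() if len(path) > 1}

if __name__ == "__main__":
    for ref, r in analyse(SBOM_JSON, VULN_INTEL).items():
        print(f"{ref:6} {r['rating']:6} depth={r['depth']} via {r['chain']}")
```

The chain string is what turns a finding on a third-level component into an actionable item, since it names the first-party dependency through which the exposure reaches the product.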

For Third-Party Risk Management (TPRM) teams and security leaders, the module clarifies product-level risk exposure, delivering several key advantages. It supports more confident decision-making during software evaluation and onboarding processes. The tool also enables stronger ongoing monitoring by providing precise insights that can drive specific mitigation actions, such as mandating software upgrades or configuration changes.

Furthermore, it aids in compliance for organizations in federal and regulated sectors. These entities often have mandates, like those outlined in Executive Order 14028, requiring thorough Software Bill of Materials (SBOM) analysis and comprehensive risk assessments.

Ultimately, Product Analysis allows TPRM teams to seamlessly evaluate risks in both the software they directly use and the applications relied upon by their own third-party partners. This holistic view helps organizations prioritize mitigation efforts and strategic vendor communications, effectively reducing potential exposure and impact from software vulnerabilities.

(Source: HelpNet Security)
