SDLC Inventory

Modern software is complex, and the build and deployment infrastructure is accordingly complex.

Software is typically built and deployed into production environments using pipelines of commands. A build/deploy pipeline is based on a set of automated processes and tools, involving source control, build tools, continuous integration, testing automation (unit, integration and regression testing), validation, reporting, and distribution.

The assets involved in a build/deploy pipeline are called SDLC assets; the Xygeni platform automatically discovers an inventory of the SDLC assets for the pipelines used in an organization.

Security issues and unusual activity events, as captured by the Xygeni platform, are then mapped to the target SDLC assets.

An SDLC asset may present misconfigurations, leaked secrets, vulnerabilities and other security issues, and could be abused in software supply chain attacks. Common assets are code repositories, dependency graphs, package managers, build files, security tools, CI/CD workflows, or IaC templates and provisioning scripts, along with the infrastructure, tools and extensions (such as plugins) used in the build/deploy pipelines.

The Inventory reveals unknown, misconfigured and vulnerable SDLC systems and infrastructure, and supports impact analysis: dependencies between assets may be exploited by attackers to propagate attack payloads, so a finding on one asset also matters for every asset that depends on it.
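As an added illustration of what such an inventory does with the dependency edges, the following Python model (written for this page; it is not Xygeni code, and the asset names, kinds and `depends_on` edges are constructed) maps findings onto assets and computes the blast radius of a compromised asset by walking the reverse dependency edges, which is the impact analysis described above:

```python
"""Toy SDLC asset inventory with issue mapping and impact analysis.

Added example; it is not Xygeni code. The asset kinds, names and the
'depends_on' edges below are constructed for illustration only.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                      # e.g. "repo", "ci_workflow", "plugin", "package"
    depends_on: set[str] = field(default_factory=set)   # assets this one consumes
    issues: list[str] = field(default_factory=list)     # findings mapped onto it


class Inventory:
    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}

    def add(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def dependents(self, name: str) -> set[str]:
        """Assets that directly depend on `name` (reverse edges)."""
        return {a.name for a in self.assets.values() if name in a.depends_on}

    def map_issue(self, asset_name: str, issue: str) -> None:
        """Attach a security finding to the asset it was observed on.
        An unknown asset name means the inventory is incomplete, which is
        itself a finding worth surfacing rather than silently ignoring."""
        if asset_name not in self.assets:
            raise KeyError(f"unknown asset {asset_name!r}; inventory is incomplete")
        self.assets[asset_name].issues.append(issue)

    def blast_radius(self, start: str) -> list[str]:
        """Impact analysis: every asset reachable from `start` by following
        reverse dependency edges, in BFS order (closest consumers first)."""
        seen = {start}
        order: list[str] = []
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for dep in sorted(self.dependents(cur)):
                if dep not in seen:
                    seen.add(dep)
                    order.append(dep)
                    queue.append(dep)
        return order

    def assets_with_issues(self) -> dict[str, list[str]]:
        return {a.name: a.issues for a in self.assets.values() if a.issues}


def build_sample_inventory() -> Inventory:
    """Constructed sample pipeline: a third-party CI plugin used by a build
    workflow, which produces a package consumed by a deploy job that in turn
    feeds an IaC template. A second, unrelated repository is included so the
    impact analysis can be seen to stop where the dependency edges stop."""
    inv = Inventory()
    inv.add(Asset("ci-plugin/upload-artifact", "plugin"))
    inv.add(Asset("repo/payments-service", "repo"))
    inv.add(Asset("workflow/build.yml", "ci_workflow",
                  depends_on={"repo/payments-service", "ci-plugin/upload-artifact"}))
    inv.add(Asset("package/payments-service:1.4.2", "package",
                  depends_on={"workflow/build.yml"}))
    inv.add(Asset("workflow/deploy.yml", "ci_workflow",
                  depends_on={"package/payments-service:1.4.2"}))
    inv.add(Asset("iac/prod-cluster.tf", "iac_template",
                  depends_on={"workflow/deploy.yml"}))
    inv.add(Asset("repo/docs-site", "repo"))   # unrelated; must not be impacted
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    inv.map_issue("ci-plugin/upload-artifact", "plugin referenced by mutable tag instead of a pinned digest")
    inv.map_issue("workflow/build.yml", "secret written to build log")
    for name, issues in inv.assets_with_issues().items():
        print(f"{name}: {issues}")
    print("impact of a compromised plugin:", inv.blast_radius("ci-plugin/upload-artifact"))
```

The point of `blast_radius` is that a finding on a low-level asset such as a CI plugin is reported against the build workflow, the package it produces, the deploy job and the IaC template downstream, while an asset with no dependency path (the docs repository) is correctly left out. A real inventory would be populated from the discovered pipelines rather than hand-built, but the mapping and traversal are the same.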

Read more about SDLC Inventory.
