Transforming Application Security: Introducing Software Lineage

In application development, keeping track of where software is deployed, which versions are running, and ensuring they're secure pose formidable challenges. A vast majority of teams still depend on manual processes, using spreadsheets and documentation to catalog their Apps and APIs. One recent report outlines that 74% of companies are still using traditional documentation and 68% relying on spreadsheets to catalog their apps and APIs. As deployment velocity increases, driven by AI-assisted coding and a push for greater developer autonomy, the complexity of accurately managing these deployments intensifies.
July 23, 2024

In application development, keeping track of where software is deployed, which versions are running, and ensuring they're secure pose formidable challenges. A vast majority of teams still depend on manual processes, using spreadsheets and documentation to catalog their Apps and APIs. One recent report outlines that 74% of companies are still using traditional documentation and 68% relying on spreadsheets to catalog their apps and APIs. As deployment velocity increases, driven by AI-assisted coding and a push for greater developer autonomy, the complexity of accurately managing these deployments intensifies.

When Heeler embarked on this journey, one initial goal was clear yet daunting—automate the tracking of software deployments to a precision never before considered possible. Skeptics doubted, claiming "That just isn’t possible." Nonetheless, our resolve was firm, propelled by the urgent need to answer critical questions in vulnerability response processes:

  • Which services (or code bases) are affected?
  • Where is this code deployed, containerized or otherwise?
  • What changes are required, and who will implement them?
  • When and how were these changes deployed?

Heeler's answer to these challenges is our pioneering solution: Software Lineage.

The Revolutionary Approach of Software Lineage

Heeler’s innovative software lineage technology automates the tracking of software deployments and manages the lifecycle of security issues in real-time—without the need for updating builds, tracking external sources, or deploying agents to machines running the software.

Leveraging our team’s profound expertise across programming languages, we developed a unique algorithm to correlate deployed software artifacts back to codebases.

As Heeler finds changes to the source code it develops a unique fingerprint for that changeset by analyzing the source code for language features, which we are calling structural features. Structural features include: what functions or methods are defined, what are the arguments of those functions or methods, what are the return types, what variables are defined, what dependencies are used, and finally where do all of these structural components exist in the code base. These structural features build the unique fingerprint of the codebase at a specific changeset.

Heeler then inspects the binaries, containers, and software packages to complete a similar fingerprinting process, in a reverse engineering operation, to extract the same features.

Starting with the deployed service and correlating back to the code and changeset that built it is done by prioritizing and scoring the matches, removing certain mismatches, and completing a second level of correlation using other features that are native to its deployment or packaging. The output of this is a confidence score that can be used to find the correct source of the software artifact.

The amazing part of this: It doesn’t matter what libraries, components, or features of the language that you use within your software nor how it is deployed: our Software Lineage capabilities can correlate deployments to code across VMs, containers, and even Serverless functions.

Our advanced correlation matching algorithm compares the deployed or running software with its originating codebase, enabling Heeler to:

  • Associate deployed software artifacts back to the repository and precisely identifies the changeset from which the code was developed.
  • Detect "shadow builds" – Software artifacts that were not built from any recorded change in the source, highlighting potential security risks.

Streamlining Security Management Across Deployments

By utilizing the correlation process to determine the exact changeset, Heeler not only pinpoints the deployed software but also blends all security signals detected in the runtime environment with those from the codebase. This holistic security view is crucial, as infrastructure and software are inherently linked in application security.

This capability provides Heeler with:

  • Complete lifecycle management of security issues, starting with the contributors through commits and builds, how it travels through each and every environment all the way to production.
  • The ability to prioritize security concerns effectively by blending code, deployment, business, and application contexts.

In addition, Heeler’s software lineage system is designed to operate in real-time, updating application lineage as new updates are rolled out across your cloud footprint. We detect changes made in the source code, fingerprint each changeset, and continuously update our scalable fingerprint database to support even the largest organizations. Heeler detects changes in cloud environments through different infrastructure events and completes the fingerprinting process every time that a change is detected.

Now instead of Infrastructure graphs, you can visualize Application and Service graphs which include the code of the service, databases, network access control lists, identity, service-to-service communication, and more:

Beyond Security: Ensuring Compliance and Best Practices

With Heeler, organizations gain real-time visibility into their security posture, with the ability to answer pressing questions about their deployments:

  • Where is this service deployed, and how extensive is its presence across my cloud footprint?
  • What percentage of these services are running in our production (or high-security) environments?
  • Have all identified security issues been fully remediated?
  • Are any deployments experiencing issues or non-compliance with best practices?

Heeler’s technology doesn’t just inform you where issues occur; it also tracks how far along they are in their remediation process—from detection to fix and deployment. This not only streamlines the process of resolving security issues but also ensures adherence to best practices and organizational standards across all deployments.

Join the Heeler Revolution in Application Security

At Heeler, we're not merely solving today's problems; we're redefining what's possible in application security. Stay connected with us through LinkedIn and follow our journey as we continue to innovate and lead in securing applications across diverse environments. Heeler is here to transform application security, ensuring your applications are secure, resilient, and ready for the future.

What’s new on Heeler
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
See the Platform Live
Subscribe
Share this content
Trever McKee
Chief Technology Officer

Related resources

See All Resources
Blog
September 12, 2024
The Need for Continuous and Agile Threat Modeling
In today’s agile development landscape, where cloud-based software is constantly evolving and deployed at unprecedented speed, traditional, manual threat modeling is no longer enough. As development teams iterate quickly and deploy in real-time, requirements and architecture changes rapidly, creating potential gaps in security that static threat models simply cannot keep up with. This has paved the way for continuous and agile threat modeling—a real-time approach to identifying, assessing, and mitigating risks early in the software lifecycle.
Blog
September 10, 2024
Revolutionizing Application Security: The Heeler Story
At Heeler, we’re not just building a product; we’re reshaping the future of application security. In today’s rapidly evolving digital landscape, the traditional approach to security has reached its limits. As applications grow more complex and threats become more sophisticated, the need for a unified security approach that integrates code, runtime, and business context is more critical than ever.
Blog
September 3, 2024
The Challenges of Decomposing Cloud-Based Applications (and How to Implement Agile and Continuous Threat Modeling)
In the fast-paced world of software development, the adoption of agile methodologies and continuous delivery practices has revolutionized how applications are built, deployed, and maintained. In an agile environment, where code and cloud are constantly changing and new features are continuously being integrated, threat modeling needs to be just as agile and continuous. The idea is to ensure that security is built into the development process rather than bolted on as an afterthought.
Blog
August 27, 2024
Solving Prioritization for Application Security
Security prioritization has become an overwhelming challenge for organizations, as they try to manage an ever-expanding application footprint alongside an increasingly sophisticated threat landscape. In 2024 alone, we've seen a 30% year-over-year increase in reported CVEs through July, according to the Qualys Threat Research Unit. The rise of AI-assisted coding—often trained on the same vulnerable code we're trying to defend against—likely exacerbates this issue even further.
Blog
August 21, 2024
Unifying Threat Modeling, Lifecycle Management, and Response Orchestration: How Heeler Redefines Application Security
In today’s complex digital landscape, application security can no longer be handled with a siloed approach. Modern applications require a comprehensive strategy that integrates multiple security disciplines into a seamless process. At Heeler, we understand that to effectively manage and mitigate risks, security needs to be woven into every stage of the software development lifecycle (SDLC). This is why we've built a platform that unifies threat modeling, lifecycle management, and response orchestration into a cohesive system.
Blog
August 20, 2024
How Customer Feedback Shapes What We Build at Heeler
At Heeler, we believe that the best products are built in collaboration with those who will use them. From day one, our mission has been to create a transformative application security platform, and we knew that achieving this would require more than just innovative ideas and advanced technology. It would require deep, ongoing engagement with the very people who face the challenges we aim to solve: our customers.
Blog
August 9, 2024
Black Hat USA 2024 Recap: What We Heard from AppSec Leaders
At Heeler, we had the privilege of connecting with many AppSec leaders at Black Hat USA 2024. It was clear that despite advancements, significant pain points remain.
Blog
August 4, 2024
Announcing the Launch of Heeler's Advisory Board
These industry veterans bring diverse perspectives and deep insights into application security, and we're excited to collaborate with them as we continue to innovate and transform the field. Their guidance will be invaluable as we strive to maximize the impact of application security teams and developers with unified code, runtime, business, and security context.
Blog
August 2, 2024
Heeler: Loyalty, Resilience, and a Commitment to Excellence
The name "Heeler" was inspired by the remarkable traits of the Blue Heeler dog, a breed known for its intelligence, loyalty, and tenacity. Two of our co-founders, James Green and Trever McKee, both own Blue Heelers and have long admired these dogs for their unwavering dedication and keen problem-solving abilities.
Blog
July 24, 2024
The AppSec Context Gap - Code, Runtime, and Business
The Heeler team dedicated several months collaborating with research partners from various organizations to identify the most significant gaps in application security. A recurring theme emerged: the absence of context was a major issue, and obtaining this context was costly, often necessitating the involvement of key personnel from both security and development teams. Furthermore, this substantial time investment did not yield lasting value due to the dynamic nature of applications in cloud and agile environments, rendering these context investigations transient and expensive.
See All Resources
Platform
PlatformUnderstand Risk in ContextSecure by DesignIntegrations
Use cases
Response OrchestrationProductDNALifecycle ManagementThreat ModelingASPM
Resources
Resources HubFAQTrust CenterDocumentationPricing
Company
CompanyContact UsCustomer SupportSubscribe
© 2024 Heeler
Privacy Policy
Terms and Conditions
Cookie Policy
Cookie Preferences