Azul, the Java platform provider for the modern cloud enterprise, has announced an update to the Azul Intelligence Cloud. The solution enhances the DevOps process by providing actionable intelligence from production Java runtime data. The solution supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.
The Azul Intelligence Cloud now includes two new services, the Azul Vulnerability Detection and Code Inventory. The Azul Vulnerability Detection solution continuously monitors Java applications to detect vulnerabilities. It uses an up-to-date Java-specific CVE (Common Vulnerabilities and Exposures) database in the cloud. The Code Inventory module enables organisations to identify how frequently a piece of Java code is run. It also highlights unused and dead code for potential removal.
Scott Sellers, co-founder and CEO of Azul, commented, “Today’s businesses are under relentless pressure to innovate, accelerate time-to-market and fortify application security, all while grappling with resource constraints. Azul Intelligence Cloud is a game-changer. Using the information already inside JVMs running in production, Intelligence Cloud provides unprecedented precision and the intelligence needed to solve two significant DevOps challenges – alert fatigue from an intractable vulnerability false positive backlog and technical debt from maintaining unused code.
“We’re excited to extend these capabilities across all an enterprise’s Java application fleet, regardless of JDK vendor or distribution, to dramatically slash time from unproductive tasks and multiply DevOps productivity.”
Enhancing Security
As organisations look to transform and become increasingly flexible in operations, IT teams must develop the same flexibility to adjust to these demands. However, this flexibility can sometimes be at the expense of efficiency and security.
Azul Vulnerability Detection addresses the first of these challenges. The solution runs in production without impacting the live system by efficiently collecting runtime data. It identifies when vulnerable code is used rather than just present. Which focuses on human interaction where it is most needed.
The platform supports frameworks such as Spring, Hibernate, Tomcat, Quarkus, Micronaut, Kafka, Cassandra, Elasticsearch, Spark, Hive, Hadoop, and others. It can be used on any code, whether bought built or for regression testing after changes. The platform accesses a CVE Knowledge Base which consists of four elements:
- CVE Databases
- Code Repositories
- Publicly Disclosed information
- Privately Disclosed information
The code that is run is compared against this knowledge base, and vulnerabilities are highlighted. The Azul JVMs connect to the Azul Intelligence Cloud Service through a forwarder. This leverages a secure proxy between the customers’ environment and the Intelligent Cloud service, with all data encrypted using SSL in transit.
Benefits of Azul Vulnerability Detection
Azul highlights three key benefits that Azul Vulnerability Detection delivers:
- Eliminate Vulnerability False Positives: Vulnerabilities are highlighted based on the risk posed to the organisation. Reducing security backlog and enabling development teams to keep code secure.
- Efficiently Triage New Vulnerabilities: The continuous monitoring ensures that as new vulnerabilities are discovered, such as Log4J, the Azul Intelligence Cloud quickly identifies areas of code requiring remediation. As a separate cloud-hosted knowledge base, new vulnerabilities are immediately available for analysis.
- The Azul security team identifies Java-specific CVEs from the National Vulnerabilities Database (NVD). Rapidly updating the Azul Vulnerability Detection Knowledge Base. Organisations can also update any specific vulnerabilities that they become aware of as well.
- With real-time and historical analysis, the Azul Intelligence Cloud can inform users of where compromised code was used historically to determine whether a vulnerability was exploited.
Jevin Jensen, IDC Research Vice President Intelligent CloudOps, commented, “Enterprise IT teams need accurate, unified insights they can put into action to improve efficiency and control costs. A solution that can reduce false positives found in most vulnerability scanning enables DevOps, SRE and CloudOps teams to focus on the actual Common Vulnerability and Exposures (CVEs) that are executed by production applications. By avoiding code paths that are never executed, teams can move faster and reduce remediation costs.”
Improving efficiency
The second component of the Azul Intelligence Cloud is the Code Inventory. Code Inventory uses information inside the Java Virtual Machine (JVM) to provide a comprehensive view of what code runs in production with no performance penalty.
As organisations develop systems they rarely spend time to deprecate unused code, as they are often unable to check whether it is still in use. Deleting code without checking can be risky and cause business disruption. Code Inventory enables development teams to quickly identify whether code is dead or unused so that it can be removed. Reducing the overhead it creates and making maintenance easier.
The solution provides a comprehensive view across an enterprise’s Java workloads of what code runs over time down to the class/package and method level. It thus provides a more accurate signal to confidently remove unused and dead code and reduce the risk of breaking the application. The application also summarises and retains a history of when code was first and last run within the JVM.
Ed Tybursky, Managing Partner at Remend, an independent Oracle advisory firm, commented, “We clearly see the benefit that Azul Intelligence Cloud delivers to our customers by helping their DevOps teams save an immense amount of time and increasing their productivity. The ability to efficiently triage vulnerable code and identify unused code for removal from telemetry across an entire Java estate, regardless of JDK distribution or vendor, is a crucial capability that enables DevOps teams to effectively focus their time and attention.”
Already proving useful
The new solutions are already in use by customers. Azul has seen customers benefit from both solutions. Customers are able to cut down maintenance schedules by removing old code and have also reduced the risk of vulnerabilities.
James Yang, Vice President of Sales at Cloud Creek, an Azul channel partner, said, “Ever since the Log4J event, we have seen a dramatic rise in ‘false positives’ as a result of the various tools that organisations have employed to address Java application vulnerabilities.
“Currently, we are on the phone with customers 3 to 4 times a week to prove that these are false positives – often we have up to 15 people on the phone from both the client side and our team spending anywhere from 30 minutes to an hour to address this. How is this productive? It’s almost like crying wolf. Azul’s Intelligence Cloud solution takes all this pain away, completely removing the false positives and allowing our customers to quickly and effectively remediate the vulnerabilities that matter.”
Code Inventory is also proving its worth, especially after M&A activity. One Azul Intelligence Cloud user from a leading fintech trading firm noted, “We acquired another firm recently and aren’t familiar with their codebase. It contains millions of lines of code – reading and understanding that code would take months. With Code Inventory, we identified large portions of unused code, archived it and now spend our time working on the important parts. This has significantly sped up our development cycles.”
Enterprise Times: What does this mean
AI is infusing every technology. Vendors that have not found ways to take advantage of this technology will swiftly find themselves at a disadvantage to competitors. With these two solutions, Azul has found a way to increase productivity for organisations. Also to reduce the risk they face from both unused code and security vulnerabilities. This is automation in the best way possible.
Sensibly Azul has also ensured that organisations can supplement publicly available vulnerabilities with others they are also aware of. Within specific industries, this could be very useful as not all vulnerabilities are made public. Whether bespoke code has been used, a vulnerability may relate to just a single industry or firm.
Azul Code Inventory and Azul Vulnerability Detection are available now and included at no additional charge for Azul Intelligence Cloud customers. Pricing for Azul Intelligence Cloud is available here.
