
How to automate your technical vulnerability management with Aikido and Vanta
Technical vulnerabilities are weaknesses in your source code, dependencies, or infrastructure that an attacker could exploit. Addressing them protects your business from those threats, and it is also something you must demonstrate to gain or maintain compliance with frameworks such as SOC 2 and ISO 27001.
These frameworks expect you to run vulnerability scanners continuously so that new issues are caught as they appear, in addition to the annual penetration test that auditors commonly expect for ISO 27001 and SOC 2.
In this blog, we’ll show you how the integration between Aikido and Vanta can help you easily identify and manage your technical vulnerabilities to achieve and maintain compliance.
What does Aikido do?
Aikido is a platform that offers advanced code scanning and cloud vulnerability assessments, with more than 1,000 installs and more than 100 paying customers. It was built to provide full coverage and make these technical scans easily readable by humans. Aikido is a 9-in-1 platform that runs nine different types of scans on your cloud, repositories, containers, and domains, prioritizing real threats, reducing false-positives, and providing easy-to-understand insights.

These scans include:
- SAST (static application security testing - analysis of your own source code)
- DAST (dynamic application security testing - probing the running application)
- SCA (software composition analysis - aka open-source dependency vulnerability scanning)
- CSPM (cloud security posture management - aka cloud misconfiguration checks)
- Secret scanning (for leaked or exposed credentials and API keys)
- Container scanning (for known vulnerabilities in the packages inside your images)
- Infrastructure as Code scanning (for insecure settings in your infrastructure templates)
- Malware scanning for open-source dependencies (for malicious code that could lead to a supply chain attack)
- Open-source license scanning (for risky or dual licenses)
Using the powerful integration between Aikido and Vanta, you can run scans on your source code and systems to identify technical vulnerabilities. These then automatically get mapped to the applicable compliance frameworks you’ve selected in the Vanta platform and tasks are created and added to existing workflows so your team can address them.
5 steps to automate your technical vulnerabilities management
Now we’ll walk through the process of implementing this integration and how it works to automate your technical vulnerability management:
1. Integrate Aikido and Vanta
The first step is to connect the Aikido platform to your Vanta instance. Start in the Vanta platform and find the integrations tab on the navigation panel. You can search for Aikido by name or by selecting the vulnerability scanners category.
From there, select connect and follow the prompts to connect the two platforms. If you need additional guidance, check out this help article.

2. Run vulnerability scans on Aikido
Now run the scans in Aikido against your source code and infrastructure. Aikido offers nine types of vulnerability scan: cloud posture management (CSPM), open-source dependency scanning (SCA), secrets detection, static code analysis (SAST), infrastructure as code scanning (IaC), container scanning, surface monitoring (DAST), open-source license scanning, and malware detection in dependencies.
Once the appropriate scans have run, Aikido generates a risk assessment from the results. It deduplicates findings that recur across scans, auto-triages the vulnerabilities it detects so that you only see those that actually affect your organization, and assigns each one a critical, high, or medium severity so your team knows what to fix first.
3. Map results automatically to Vanta
Once a scan completes, its results sync automatically into Vanta. You’ll find them in the Vulnerabilities tab of the Vanta platform, where each issue is listed with Aikido as its source, and Vanta populates the severity of each vulnerability from the information Aikido provides.
This integration will allow you to automate several tests and help you pass multiple controls for ISO 27001 and SOC 2. Here’s a look at which common criteria for SOC 2 and which Annex A controls for ISO 27001 these scans can help with:
SOC 2:
- Risk assessment (CC 3.3, CC 3.2)
- Control activities (CC 5.2)
- Logical and physical access controls (CC 6.1, CC 6.6, CC 6.7, CC 6.8)
- System operations (CC 7.1)
- Change management (CC 8.1)
ISO 27001 (Annex A controls, ISO 27001:2022 numbering):
- Technological controls (A.8.2, A.8.3, A.8.5, A.8.6, A.8.7, A.8.8, A.8.9, A.8.12, A.8.13, A.8.15, A.8.16, A.8.18, A.8.20, A.8.24, A.8.25, A.8.28, A.8.31, A.8.32)
- Organizational controls (A.5.15, A.5.16, A.5.28, A.5.33)
4. Push tickets into existing workflows
Now that the vulnerabilities are logged in Vanta, tasks and alerts are created to notify your team and track the fix. What this looks like depends on the task-tracking tools you’ve integrated and how you’ve set up your automated workflows. For example, if your developers manage tickets and bugs in Atlassian, Vanta creates a Jira ticket for each finding so the relevant source code or configuration gets fixed.
Each ticket carries a deadline derived from the SLAs you’ve set in Vanta for the severity buckets (critical, high, medium), so developers know by when the issue must be resolved. Watch this demo to learn how to integrate a task tracker and edit your SLAs.
From there your developers have what they need to resolve the vulnerabilities these scans identify within the agreed timeframe.
5. Monitor and scan your infrastructure daily
Aikido scans your environment every 24 hours for any vulnerabilities and maps the results back to the Vanta platform in real-time. Whenever a new pull request is merged into your codebase, a scan will be triggered for that branch or repository. You can also run a scan manually at any time.
This continuous scanning and monitoring helps you stay ahead of threats and fix technical vulnerabilities in a timely manner. This not only helps you get compliant, but also makes it easy to maintain compliance all year long, rather than just at the time of your audits.
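The following is an added illustration of the triage logic steps 2 through 5 describe, written for this article and not taken from Aikido or Vanta: daily rescans re-report every still-open issue, so repeats are collapsed onto one record, each record gets a due date from a per-severity SLA, and anything past its due date is flagged. The SLA day counts, the finding fields, and the sample findings are all assumptions chosen for the example; in practice the severities come from the scanner and the SLAs from your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLA in days per severity bucket. These numbers are assumptions
# for the example; set your own per-bucket SLAs in your compliance tooling.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


@dataclass(frozen=True)
class Finding:
    scanner: str      # which scan produced it, e.g. "sca", "secrets", "cspm"
    rule: str         # what was found, e.g. a CVE id or a misconfiguration rule
    location: str     # where, e.g. "repo:path" or a cloud resource ARN
    severity: str     # "critical" | "high" | "medium"
    first_seen: date  # date the scanner first reported it


def dedupe(findings):
    """Collapse repeated reports of the same issue into one record.

    The identity of an issue is (scanner, rule, location). The merged record
    keeps the EARLIEST first_seen, so a rescan does not reset the SLA clock,
    and the HIGHEST severity, so a rescored finding is never downgraded.
    """
    merged = {}
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} for {f.rule}")
        key = (f.scanner, f.rule, f.location)
        cur = merged.get(key)
        if cur is None:
            merged[key] = f
            continue
        worst = max(cur, f, key=lambda x: SEVERITY_RANK[x.severity])
        merged[key] = Finding(f.scanner, f.rule, f.location, worst.severity,
                              min(cur.first_seen, f.first_seen))
    # Highest severity first, oldest first within a severity bucket.
    return sorted(merged.values(),
                  key=lambda x: (-SEVERITY_RANK[x.severity], x.first_seen))


def due_date(finding, sla=SLA_DAYS):
    """Remediation deadline: first detection plus the bucket's SLA."""
    return finding.first_seen + timedelta(days=sla[finding.severity])


def triage(findings, today, sla=SLA_DAYS):
    """Deduplicate, then split into (on_track, overdue) lists of ticket dicts.

    Each dict is the kind of payload you would hand to a task tracker:
    a one-line summary, the severity, the due date and how late it is.
    """
    on_track, overdue = [], []
    for f in dedupe(findings):
        due = due_date(f, sla)
        ticket = {
            "summary": f"[{f.severity.upper()}] {f.rule} in {f.location}",
            "severity": f.severity,
            "first_seen": f.first_seen.isoformat(),
            "due": due.isoformat(),
            "days_overdue": max(0, (today - due).days),
        }
        (overdue if today > due else on_track).append(ticket)
    return on_track, overdue


# Constructed sample: a few days of scanner output, including a rescan
# repeat and a misconfiguration whose severity was raised on a later scan.
SAMPLE_FINDINGS = [
    Finding("sca", "CVE-2021-44228", "payments-api:pom.xml", "critical", date(2024, 3, 1)),
    Finding("sca", "CVE-2021-44228", "payments-api:pom.xml", "critical", date(2024, 3, 2)),
    Finding("secrets", "aws-access-key-id", "payments-api:.env", "high", date(2024, 3, 5)),
    Finding("cspm", "s3-bucket-public-read", "arn:aws:s3:::acme-backups", "medium", date(2024, 2, 1)),
    Finding("cspm", "s3-bucket-public-read", "arn:aws:s3:::acme-backups", "high", date(2024, 3, 10)),
]

if __name__ == "__main__":
    on_track, overdue = triage(SAMPLE_FINDINGS, today=date(2024, 3, 15))
    for t in overdue:
        print("OVERDUE", t["days_overdue"], "days:", t["summary"], "due", t["due"])
    for t in on_track:
        print("open    ", t["summary"], "due", t["due"])
```

Two design choices are worth calling out. Keeping the earliest first_seen when merging means the SLA is measured from the day the issue was first detectable, which is what an auditor will ask about, rather than from the latest rescan. Keeping the highest severity when a finding is rescored means a bucket change can only shorten the deadline, never quietly extend it; with the sample above, the public bucket first reported as medium on 1 February is re-rated high and becomes overdue on 2 March rather than in May.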
Get started with Aikido and Vanta
If you’re not already a Vanta customer, get started by requesting a demo. If you’re not already using Aikido, try it for free today.