AI-Powered Intelligence Ensures Solely Reachable CVEs Present During Runtime Are Reported
PITTSBURGH, May 6, 2024 /PRNewswire/ -- ForAllSecure, the world's most advanced application security testing company, today announced the release of Mayhem's Dynamic Software Bill of Materials (SBOM), which looks at an application's actual behavior to find only real, exploitable vulnerabilities. Mayhem eliminates triage and investigations and reduces false positives by leveraging runtime intelligence to increase developer velocity and minimize application risks.
While conventional software composition analysis (SCA) and SBOM tools provide a static list of dependencies and vulnerable components, Mayhem's runtime profiling creates prioritized views of only the items present when the application runs, putting the spotlight on genuine vulnerabilities to focus and accelerate remediation. Over half of the results from SCA and SBOMs are false positives, with two-thirds of development teams spending more time investigating these than addressing actual vulnerabilities, an inefficiency diverting valuable resources from enhancing software security to chasing non-existent threats.
"Organizations are losing time and unable to optimize due to security teams not knowing their actual risk posture and developers without enough time to fix critical issues that matter," said Josh Thorngren, VP of product at ForAllSecure. "We're solving customer challenges by enabling them to focus on real threats, with Mayhem's dynamic SBOM providing a comprehensive application security platform, reducing the attack surface, and pinpointing vulnerabilities with no false positives so they can ship safer software and release features faster."
With Mayhem's Dynamic SBOM, ForAllSecure offers comprehensive application security, including:
- Attack Surface Mapping: Prioritize risk – Mayhem builds a runtime profile of the application as it runs, showing an accurate picture of the CVEs reachable in an application and filtering out the noise from static SCA reports.
- Supply chain security: Protect dependencies – Mayhem identifies dependencies that pose the most risk, highlights unused third-party components, and removes unused code and dependencies to minimize the attack surface.
- SSDF Compliance: Accelerate compliance – Mayhem simplifies compliance with runtime data for generating attestations and justifications, with VEX and SARIF exports and easy integration into audit tools. Deliver on EO 14028, SSDF, NIST, and more.
When tested against standard open-source software, Mayhem reduced alert noise by over 60%. Significantly reducing noise from false positives and traditional application security, Mayhem's Dynamic SBOM builds a profile during runtime of an organization's application's packages and dependencies. It operates in real-time alongside application containers, empowering security teams to concentrate on genuine threats for improved remediation times and software quality for developers, making it a valuable tool for both teams.
The release of Mayhem's Dynamic SBOM builds atop the award-winning Mayhem platform, which uses attacker techniques to find vulnerabilities in applications and APIs, including:
- Runtime profiling. Eliminate false positives from SCA and SBOM by showing only the vulnerabilities reachable when an application runs.
- AI-driven behavior testing. Pinpoint vulnerabilities and bugs that attackers can exploit to create and run thousands of behavioral tests against applications and APIs, combining over a dozen testing methods, including patented analysis techniques, classic fuzz testing, symbolic execution, and more, to select the best method for each test.
- Automated triage and regression. Exploitable vulnerabilities are triaged with stack traces, CWE/OWASP information, and reproduction commands delivered to developers in their existing toolchain. Automated regression testing keeps fixes fixed.
Additional Resources
- To learn more, visit https://www.mayhem.security/dynamic-sbom.
- Get a personalized demo.
- Visit us at RSA Booth 1067
About ForAllSecure
ForAllSecure is a hacker organization focused on advancing cybersecurity through research, education, and product development. Founded in 2012 by CMU researchers, ForAllSecure has over a decade of experience building and participating in CTFs and partnering with K-12 and university departments to develop cybersecurity education programs. In 2016, the company won DARPA's cyber grand challenge focused on autonomous security. Mayhem, ForAllSecure's first commercial product, launched in 2019. Based in Pittsburgh, PA, the company is backed by NEA and KDT and has offices worldwide.
Media Contact:
Michelle Yusupov
Hi-Touch PR
443-857-9468
[email protected]
SOURCE ForAllSecure, Inc.
WANT YOUR COMPANY'S NEWS FEATURED ON PRNEWSWIRE.COM?
Newsrooms &
Influencers
Digital Media
Outlets
Journalists
Opted In
Share this article