Saturday, December 3, 2022

Phylum Expands Its Software Supply Chain Security Capabilities, Introduces Automated Vulnerability Reachability


EVERGREEN, Colo., December 1, 2022. Phylum, the Software Supply Chain Security Company, today announced the addition of Automated Vulnerability Reachability to its software supply chain security platform capabilities. With the ability to focus solely on fixing what matters, security professionals can end the deluge of false positives and developers can innovate with greater speed and confidence. This new addition, combined with Phylum's ability to block and prioritize open-source code risks, provides organizations with the most comprehensive software supply chain security available on the market.

Vulnerabilities represent a clear and present danger to the integrity of the software supply chain, but the sheer volume of noise and false positives that come with traditional detection methods drains resources and leaves organizations overwhelmed.

“Vulnerability management has been a frustrating and persistent challenge for security teams for well over a decade. Phylum has automated the answer to the question, ‘Do I actually call the code triggering this vulnerability?’ Addressing this question reduces customer false positive vulnerability issues by 90% or more and allows security teams to engage their development teams with supply chain issues that really matter,” said Peter Morgan, co-founder and president of Phylum.

Most vulnerability management approaches don't account for the nuances of open-source libraries. In library code, the parts of the library actually used are just as important as the package name and version, and not accounting for this data results in an astronomically high false positive rate. For example, an organization might use a package for signing build artifacts that contains the known Heartbleed vulnerability. But since the organization is only using it for code signing and never calls the part of OpenSSL where that vulnerability exists, the vulnerability is not reachable. The Phylum Platform recognizes this nuance and informs the user accordingly.

Organizations that use Phylum save valuable developer time, make more critical fixes and improve their overall security posture by leveraging:

  1. Deep source analysis and call tracing that identifies which vulnerabilities impact projects, and which ones don't.
  2. Graph-powered analysis that identifies inter-package call paths to prioritize the most impactful bugs that need fixing.
  3. Automated, continuous policy enforcement that provides alerts if vulnerability reachability changes due to new development needs.
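The reachability question in the paragraph above (is the vulnerable part of the library ever called?) and the call tracing in items 1 and 2 of the list can be illustrated with a small call-graph analysis. The code below is an added example, not Phylum's code and not a description of how its platform is implemented. It builds a caller-to-callee graph from two constructed Python modules using the standard `ast` module: `app` (the application) and `vendorlib` (a hypothetical third-party package whose made-up `heartbeat_handler` stands in for a flagged vulnerable function). It then checks whether an entry point can reach the flagged function and, when it can, reports the caller chain that makes it reachable.

```python
import ast
from collections import deque

# Constructed sample modules (not real library code). "vendorlib" stands in
# for a third-party package that ships one function flagged as vulnerable.
VENDORLIB_SRC = '''
def sign_artifact(data, key):
    digest = _digest(data)
    return _rsa_sign(digest, key)

def _digest(data):
    return hash(data)

def _rsa_sign(digest, key):
    return (digest, key)

def heartbeat_handler(payload):
    # hypothetical flagged function; the app below never calls it
    return _echo(payload)

def _echo(payload):
    return payload
'''

APP_SRC = '''
import vendorlib

def main():
    artifact = build()
    return vendorlib.sign_artifact(artifact, "key")

def build():
    return b"package-bytes"
'''


class CallCollector(ast.NodeVisitor):
    """Record caller -> callee edges for every top-level function in one module."""

    def __init__(self, module):
        self.module = module
        self.current = None   # qualified name of the function being visited
        self.edges = {}       # "module.func" -> set of qualified callee names

    def visit_FunctionDef(self, node):
        self.current = f"{self.module}.{node.name}"
        self.edges.setdefault(self.current, set())
        self.generic_visit(node)   # descend into the body to find Call nodes
        self.current = None

    def visit_Call(self, node):
        if self.current is not None:
            target = self._qualify(node.func)
            if target:
                self.edges[self.current].add(target)
        self.generic_visit(node)

    def _qualify(self, func):
        # Only two static call shapes are resolved: f(...) and module.f(...).
        if isinstance(func, ast.Name):
            return f"{self.module}.{func.id}"
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            return f"{func.value.id}.{func.attr}"
        return None   # dynamic call (getattr, lambda, method on an object): unresolved


def build_call_graph(sources):
    """sources: {module_name: source_text}. Returns the merged call graph."""
    graph = {}
    for module, src in sources.items():
        collector = CallCollector(module)
        collector.visit(ast.parse(src))
        graph.update(collector.edges)
    return graph


def call_path(graph, entry, target):
    """BFS from entry; return the caller chain ending at target, or None."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parent[fn]
            return path[::-1]
        for callee in sorted(graph.get(fn, ())):
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return None


def vulnerable_reachable(graph, entry, vulnerable):
    """Map each flagged function to the call path reaching it (None = not reachable)."""
    return {fn: call_path(graph, entry, fn) for fn in vulnerable}


if __name__ == "__main__":
    g = build_call_graph({"vendorlib": VENDORLIB_SRC, "app": APP_SRC})
    for fn, path in vulnerable_reachable(
            g, "app.main", ["vendorlib.heartbeat_handler", "vendorlib._rsa_sign"]).items():
        print(fn, "->", "NOT reachable" if path is None else " -> ".join(path))
```

Two caveats matter when reading the result. First, an edge this collector cannot resolve (a call through `getattr`, a callback passed as a value, a method on an object whose type is unknown) is silently dropped, so a missing edge produces a false negative; a production analysis has to either resolve those calls or treat unresolved ones conservatively. Second, the graph here covers only the two modules supplied, so a vulnerable function reached through a transitive dependency would also be missed unless every package in the tree is parsed.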

Since software projects are made up of anywhere from 70% to 90% open-source code, Phylum first blocks software supply chain attacks trying to enter environments through open-source packages. This alleviates the burden of having to do extensive remediation once source code is built. Automated Vulnerability Reachability then continuously monitors the code in the event any development, package or author changes result in new vulnerabilities.

The Phylum Software Supply Chain Security Platform is purpose-built to address persistent and evolving software supply chain security challenges. Regardless of the maturity level of an appsec program, Phylum is designed to address immediate needs and scale with an organization to meet future needs.

Automated Vulnerability Reachability will be available in Q1 2023 via SaaS and on-premises deployment. Book a demo here.

About Phylum
Phylum is on a mission to secure the universe of code. Its platform automates software supply chain security to block new risks, prioritize existing issues and allow users to only use open-source code that they trust. The company is built by a team of career security researchers and developers with decades of experience in the U.S. Intelligence Community and commercial sectors. Phylum is the winner of the Black Hat 2022 Innovation Spotlight Competition and was named a Top Infosec Innovator by Cyber Defense Magazine. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.
