ForAllSecure Introduces the First Dynamic Software Bill of Materials for Application Security

ForAllSecure, the leading application security testing company, has unveiled its latest offering, a runtime dynamic Software Bill of Materials (SBOM) solution for its Mayhem Security product. The purpose of this solution is to provide organizations with a comprehensive understanding of the components present at runtime, enabling them to prioritize each component according to risk levels and streamline the remediation process for any open source or third-party software vulnerabilities present in the code.

With Mayhem’s runtime-aware SBOM, organizations are now able to generate a detailed inventory of the components within their application attack surface. This valuable intelligence is then utilized to filter and prioritize the results from other tools, such as Software Composition Analysis (SCA) and Static Application Security Testing (SAST), eliminating irrelevant noise for developers and enabling them to focus solely on addressing real security issues.

In the current threat landscape, managing software supply chain risks is of utmost importance. Open-source software (OSS) has become increasingly popular because it saves developers time: they can use and modify prewritten source code instead of writing their own. However, this convenience comes with its own set of risks, as attackers can exploit vulnerabilities within open-source software to carry out supply chain attacks. High-profile incidents such as the SolarWinds and Kaseya attacks have demonstrated the potential for lower-level vulnerabilities to be leveraged as entry points into larger organizations. In today’s software-dependent world, latent and unpatched vulnerabilities in popular OSS can have far-reaching consequences.

Recognizing the significance of this issue, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that all software include an inventory of open-source components and code dependencies. CISA Director Jen Easterly stressed the importance of this inventory, stating, “Effective use of an SBOM can help an organization understand whether a given vulnerability affects software being used in their assets and provide greater confidence in a manufacturer’s software development practices.”

Unlike traditional SBOMs that merely provide passive lists of the components included, Mayhem takes a more proactive approach. By quickly analyzing extensive SBOM lists, Mayhem is able to identify which components are actually present at runtime and assess the associated level of risk. This contextualization of risk allows development teams to gain a comprehensive understanding of the attack surface, enabling them to prioritize remediation efforts and significantly reduce the time taken to address vulnerabilities.
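As an added illustration of the runtime-filtering idea described above (this is not ForAllSecure’s or Mayhem’s code; the SBOM, the SCA findings with placeholder identifiers, and the /proc/&lt;pid&gt;/maps excerpt are all constructed), the script below keeps only the SBOM components whose files were actually mapped into the running process and ranks the SCA findings on that runtime surface first:

```python
"""Added example: reduce an SBOM to the components actually loaded at runtime
and rank SCA findings by whether they sit on that runtime attack surface.
Constructed data throughout; not ForAllSecure's or Mayhem's code."""
import os

# Constructed SBOM: each component lists the files it ships (CycloneDX-style, simplified).
SBOM = [
    {"name": "openssl", "version": "1.1.1k", "files": ["libssl.so.1.1", "libcrypto.so.1.1"]},
    {"name": "zlib", "version": "1.2.11", "files": ["libz.so.1"]},
    {"name": "libxml2", "version": "2.9.10", "files": ["libxml2.so.2"]},
]

# Constructed SCA findings against the SBOM (identifiers are placeholders, not real CVEs).
SCA_FINDINGS = [
    {"name": "openssl", "version": "1.1.1k", "id": "CVE-PLACEHOLDER-A", "cvss": 7.5},
    {"name": "libxml2", "version": "2.9.10", "id": "CVE-PLACEHOLDER-B", "cvss": 9.8},
    {"name": "zlib", "version": "1.2.11", "id": "CVE-PLACEHOLDER-C", "cvss": 5.3},
]

# Constructed /proc/<pid>/maps excerpt captured while exercising the application.
PROC_MAPS = """\
55d4c2e00000-55d4c2e21000 r--p 00000000 08:01 131 /opt/app/server
7f3a1c000000-7f3a1c0a0000 r-xp 00000000 08:01 942 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 940 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f3a1c500000-7f3a1c520000 r-xp 00000000 08:01 811 /usr/lib/x86_64-linux-gnu/libz.so.1
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0 [stack]
"""

def loaded_files(maps_text):
    """Basenames of file-backed mappings (skips anonymous and [stack]/[vdso] regions)."""
    names = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            names.add(os.path.basename(fields[5]))
    return names

def runtime_components(sbom, loaded):
    """SBOM entries with at least one shipped file observed in memory."""
    return [c for c in sbom if any(f in loaded for f in c["files"])]

def prioritize(findings, sbom, loaded):
    """Findings on the runtime surface, highest CVSS first; the rest deferred."""
    surface = {(c["name"], c["version"]) for c in runtime_components(sbom, loaded)}
    active = [f for f in findings if (f["name"], f["version"]) in surface]
    deferred = [f for f in findings if (f["name"], f["version"]) not in surface]
    return sorted(active, key=lambda f: f["cvss"], reverse=True), deferred
```

Note that the highest-CVSS finding (libxml2) is deferred, not dropped: a component that never loaded during this run may still load on another code path, so a single capture is evidence for ordering work, not proof of absence.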

Josh Thorngren, the Vice President of Product at ForAllSecure, emphasized the significance of this new solution, stating, “This solves a big problem where there’s not a quick solution. SBOMs provide a comprehensive inventory but don’t contextualize risk. With Mayhem, teams can now quickly understand what components are on the attack surface and prioritize remediation efforts to drive down maximum time to remediation.”

Mayhem’s dynamic SBOM is currently in the limited beta phase. Organizations interested in utilizing this solution can visit the Mayhem website at mayhem.security/SBOM to learn more and gain access.

About ForAllSecure:

ForAllSecure is a renowned hacker organization dedicated to advancing cybersecurity through research, education, and product development. Founded in 2012 by researchers from Carnegie Mellon University, ForAllSecure boasts over a decade of experience in building and participating in Capture the Flag (CTF) events and collaborating with K-12 and university programs to develop cybersecurity education initiatives. In 2016, the company achieved recognition by winning DARPA’s Cyber Grand Challenge focused on autonomous security. ForAllSecure’s first commercial product, Mayhem, was launched in 2019. Headquartered in Pittsburgh, PA, the company is supported by NEA and KDT and operates offices worldwide.