ForAllSecure Announces First Dynamic Software Bill of Materials for Application Security

PRESS RELEASE

PITTSBURGH, Oct. 4, 2023 /PRNewswire/ — ForAllSecure, the world’s most advanced application security testing company, today announced the debut of a runtime dynamic Software Bill of Materials (SBOM) solution for its Mayhem Security product. It shows organizations which components are actually present at runtime and ranks each by risk, speeding remediation of open source and other third-party software vulnerabilities in code and saving organizations valuable remediation time and resources.

Mayhem now generates a runtime-aware SBOM of components on the application attack surface, and uses this intelligence to prioritize and filter results from Software Composition Analysis (SCA), Static Application Security Testing (SAST), and similar tools. This eliminates AppSec noise and overhead for developers, allowing them to focus on remediating real security issues.

Managing software supply chain risks is crucial in today’s security threat landscape. Open source software (OSS) saves developers time by letting them access, modify, and distribute prewritten source code. However, attackers can also target open-source software for supply chain attacks. Attacks like SolarWinds and Kaseya used lower-level vulnerabilities to pivot into large organizations. Latent, unpatched vulnerabilities are common in popular OSS and can have significant consequences in today’s software-dependent world.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that all software provide an inventory of open-source components and other code dependencies. Jen Easterly, Director of CISA, has said, “Effective use of an SBOM can help an organization understand whether a given vulnerability affects software being used in their assets and provide greater confidence in a manufacturer’s software development practices.”

Traditional SBOMs provide only passive lists of what is included. Mayhem ingests lengthy SBOM lists, quickly shows developers which components of the SBOM are and are not present at runtime, and prioritizes risk.
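The workflow the release describes (take a declared SBOM, observe which of its components are actually loaded at runtime, then use that to rank SCA findings) can be illustrated with a small script. This is an added example and not ForAllSecure's or Mayhem's code; the CycloneDX-style SBOM, the SCA findings with placeholder vulnerability ids, the loader trace, and the soname-to-component map are all constructed for the illustration.

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not a real inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libxml2", "version": "2.9.10", "purl": "pkg:generic/libxml2@2.9.10"},
    {"type": "library", "name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "libpng",  "version": "1.6.37", "purl": "pkg:generic/libpng@1.6.37"},
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"}
  ]
}
"""

# Constructed SCA output: one finding per purl, with placeholder ids (not real CVEs).
SCA_FINDINGS = [
    {"purl": "pkg:generic/libxml2@2.9.10", "id": "VULN-SAMPLE-1", "cvss": 9.8},
    {"purl": "pkg:generic/zlib@1.2.11",    "id": "VULN-SAMPLE-2", "cvss": 7.5},
    {"purl": "pkg:generic/libpng@1.6.37",  "id": "VULN-SAMPLE-3", "cvss": 8.1},
    {"purl": "pkg:generic/openssl@1.1.1k", "id": "VULN-SAMPLE-4", "cvss": 5.3},
    {"purl": "pkg:generic/libjpeg@9d",     "id": "VULN-SAMPLE-5", "cvss": 6.5},
]

# Constructed loader trace: shared objects observed mapped into the process while
# the application was exercised. The soname-to-component map is an assumption.
LOADER_TRACE = """\
/usr/lib/x86_64-linux-gnu/libxml2.so.2
/usr/lib/x86_64-linux-gnu/libz.so.1
/usr/lib/x86_64-linux-gnu/libc.so.6
"""
SONAME_TO_COMPONENT = {"libxml2.so.2": "libxml2", "libz.so.1": "zlib", "libpng16.so.16": "libpng"}


def parse_sbom(sbom_json):
    """Return {purl: component} for every component in a CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    return {c["purl"]: c for c in doc.get("components", []) if "purl" in c}


def observed_components(trace_text, soname_map):
    """Map each loaded shared object in the trace to an SBOM component name.

    Objects not in the map (libc here) are ignored: this SBOM does not track
    them, so no finding could be matched to them anyway.
    """
    names = set()
    for line in trace_text.splitlines():
        soname = line.strip().rsplit("/", 1)[-1]
        if soname in soname_map:
            names.add(soname_map[soname])
    return names


def runtime_sbom(components, loaded_names):
    """Keep only the SBOM components that were actually observed at runtime."""
    return {purl: c for purl, c in components.items() if c["name"] in loaded_names}


def prioritize_findings(findings, components, loaded_names):
    """Split SCA findings into three buckets and rank each bucket by CVSS.

    on_attack_surface:   declared in the SBOM and loaded at runtime (fix first)
    declared_not_loaded: declared in the SBOM but never loaded (lower priority)
    not_in_sbom:         the SBOM does not mention the component at all, which
                         is an inventory gap worth flagging in its own right
    """
    runtime = runtime_sbom(components, loaded_names)
    report = {"on_attack_surface": [], "declared_not_loaded": [], "not_in_sbom": []}
    for f in findings:
        if f["purl"] in runtime:
            report["on_attack_surface"].append(f)
        elif f["purl"] in components:
            report["declared_not_loaded"].append(f)
        else:
            report["not_in_sbom"].append(f)
    for bucket in report.values():
        bucket.sort(key=lambda f: f["cvss"], reverse=True)
    return report


if __name__ == "__main__":
    comps = parse_sbom(SBOM_JSON)
    loaded = observed_components(LOADER_TRACE, SONAME_TO_COMPONENT)
    for bucket, items in prioritize_findings(SCA_FINDINGS, comps, loaded).items():
        print(bucket)
        for f in items:
            print(f"  {f['id']:15} cvss={f['cvss']:<4} {f['purl']}")
```

The point of the three buckets is that a high CVSS score on a component that is never loaded (libpng at 8.1 in the sample) should not outrank a lower-scored finding on a component that is on the running attack surface (zlib at 7.5); a finding whose component is absent from the SBOM altogether signals that the inventory itself is incomplete. A real loader trace would come from a runtime observation tool rather than a string constant, and the soname map would need to handle version-suffixed and vendored names.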

“This solves a big problem where there’s not a quick solution,” said Josh Thorngren, VP of product at ForAllSecure. “SBOMs provide a comprehensive inventory, but don’t contextualize risk. With Mayhem, teams can now quickly understand what components are on the attack surface and prioritize remediation efforts to drive down maximum time to remediation.”

Mayhem’s dynamic SBOM is now in limited beta. To learn more, or gain access, visit mayhem.security/SBOM.

About ForAllSecure

ForAllSecure is a hacker organization focused on advancing cybersecurity through research, education, and product development. Founded in 2012 by CMU researchers, ForAllSecure has over a decade of experience building and participating in CTFs and partnering with K-12 and university departments to develop cybersecurity education programs. In 2016, the company won DARPA’s Cyber Grand Challenge, focused on autonomous security. Mayhem, ForAllSecure’s first commercial product, launched in 2019. Based in Pittsburgh, PA, the company is backed by NEA and KDT and has offices worldwide.