Phylum Automated Vulnerability Reachability strengthens software supply chain security

Phylum has added Automated Vulnerability Reachability to its software supply chain security platform capabilities.

With the ability to focus only on fixing what matters, security pros can end the deluge of false positives and developers can innovate with greater speed and confidence.

This new capability, combined with Phylum’s ability to block and prioritize open-source code risks, gives organizations comprehensive software supply chain security.

Vulnerabilities represent a clear and present danger to the integrity of the software supply chain, but the massive amount of noise and false positives that come with traditional detection methods drain resources and leave organizations overwhelmed.

“Vulnerability management has been a frustrating and persistent challenge for security teams for well over a decade. Phylum has automated the answer to the question, ‘Do I actually call the code triggering this vulnerability?’ Addressing this question reduces customer false positive vulnerability issues by 90% or more and enables security teams to engage their development teams with supply chain issues that truly matter,” said Peter Morgan, co-founder and president of Phylum.

Most vulnerability management approaches do not account for the nuances of open-source libraries. In library code, the parts of the library used are just as important as the package name and version, and not accounting for this data results in a high false positive rate.

For example, an organization might use a package for signing build artifacts that bundles an OpenSSL version affected by the known Heartbleed vulnerability. But since the organization only uses it for code signing and never calls the part of OpenSSL where that vulnerability lives, the vulnerability isn’t reachable. The Phylum Platform recognizes this nuance and informs the user accordingly.

Organizations that use Phylum save precious developer time, make more critical fixes and improve overall security posture by leveraging:

  • Deep source analysis and call tracing that identifies which vulnerabilities impact projects, and which ones don’t.
  • Graph-powered analysis that identifies inter-package call paths to prioritize the most impactful bugs that need fixing.
  • Automated, continuous policy enforcement that provides alerts if vulnerability functions change due to new development needs.
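The reachability check described in the OpenSSL example above and in the list of capabilities (call tracing from entry points through inter-package call paths, then re-checking when code changes) can be illustrated with a small static analyzer. The following is an added example written for this page, not Phylum's implementation: it parses three constructed modules with Python's `ast`, builds a cross-module call graph, and asks whether a hypothetical vulnerable routine (`tlslib.heartbeat`, a stand-in for an advisory-listed function) is reachable from the application's entry point. It then re-runs the check after a simulated developer change introduces a new call path, which is the situation the continuous-monitoring bullet describes. Module names, function names and the "advisory" symbol are all constructed; a production analyzer would additionally handle aliasing, dynamic dispatch, decorators and re-exports.

```python
import ast
from collections import deque

# Constructed example sources: an application module plus two dependency
# modules. "tlslib.heartbeat" stands in for a library routine named in an
# advisory; it is present in the dependency but not called on any path from
# app.main in the baseline.
MODULES = {
    "app": '''
import signer

def build(artifact):
    return signer.sign(artifact)

def main():
    return build(b"release.tar")
''',
    "signer": '''
import tlslib

def sign(data):
    return tlslib.digest(data)

def unused_helper(payload):
    return tlslib.heartbeat(payload, 64)
''',
    "tlslib": '''
def digest(data):
    return len(data)

def heartbeat(payload, declared_len):
    return payload[:declared_len]
''',
}

VULNERABLE_SYMBOL = "tlslib.heartbeat"  # hypothetical advisory-listed function


def _callee_name(call, module_name, local_funcs, imports):
    """Resolve a Call node to 'module.function'; None for builtins/unknowns."""
    func = call.func
    if isinstance(func, ast.Name):
        if func.id in local_funcs:
            return f"{module_name}.{func.id}"
    elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        target_module = imports.get(func.value.id)
        if target_module is not None:
            return f"{target_module}.{func.attr}"
    return None


def build_call_graph(modules):
    """Map 'module.function' -> set of callees, across every module given."""
    graph = {}
    for module_name, src in modules.items():
        tree = ast.parse(src)
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        imports = {}
        for node in tree.body:
            if isinstance(node, ast.Import):
                for alias in node.names:
                    imports[alias.asname or alias.name] = alias.name
        for node in tree.body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    target = _callee_name(sub, module_name, local_funcs, imports)
                    if target:
                        callees.add(target)
            graph[f"{module_name}.{node.name}"] = callees
    return graph


def reachable_path(graph, entry, target):
    """Breadth-first search; returns the call path to target or None."""
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in sorted(graph.get(path[-1], ())):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def assess(modules, entry="app.main", vulnerable=VULNERABLE_SYMBOL):
    """Return the path that makes the vulnerability reachable, or None."""
    return reachable_path(build_call_graph(modules), entry, vulnerable)


def with_new_call(modules):
    """Simulate a developer change: sign() now routes data through unused_helper()."""
    changed = dict(modules)
    changed["signer"] = modules["signer"].replace(
        "return tlslib.digest(data)", "return tlslib.digest(unused_helper(data))"
    )
    return changed


if __name__ == "__main__":
    print("baseline path:", assess(MODULES))          # None: present but unreachable
    print("after change:", assess(with_new_call(MODULES)))  # path now exists, alert
```

In the baseline the vulnerable function exists in the dependency graph, so a name-and-version scanner would flag it, yet no path from `app.main` reaches it. After the simulated edit the analyzer returns the full inter-package path, which is the information a security team needs to decide that this finding now matters.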

Since software projects are made up of anywhere from 70% to 90% open-source code, Phylum first blocks software supply chain attacks attempting to enter environments through open-source packages. This alleviates the burden of extensive remediation after the source code is built.

Automated Vulnerability Reachability then continuously monitors the code in the event any development, package or author changes result in new vulnerabilities.

The Phylum Software Supply Chain Security Platform is purpose-built to address persistent and evolving software supply chain security challenges. Regardless of the maturity stage of an appsec program, Phylum is designed to address immediate needs and scale with an organization to meet future needs.
