Eliminate Hours of AppSec Triage with Mayhem’s Dynamic SBOM Generation and SCA Validation
Shift-left and DevSecOps practices have many advantages, but they also present challenges for development teams. Shift left has placed the responsibility of triaging and remediating security issues onto developers, who struggle with a false positive rate of over 50% and spend over a third of their time on testing and triage.
Today we’re excited to announce the newest set of features in Mayhem: dynamic Software Bill of Materials (SBOM) generation and Software Composition Analysis (SCA) validation. Now in limited release, these features eliminate false positives from SBOMs and SCA reports, freeing developers from time wasted during test, triage and remediation.
The Noise of SCA and SBOMs
With the rise of federal guidance on the use of SBOMs in development processes, the challenge of AppSec noise has only been exacerbated. SBOMs, like SCA tests, aren’t runtime-aware. They generate a list of components, with no application-specific context or attack surface knowledge.
From a compliance and inventory perspective, this visibility can be very useful. But to a developer, SBOM reports are just another list that requires filtration, triage and prioritization, adding more work to their burden.
Cut Through the Noise With Mayhem
Traditional approaches to generating SBOMs or identifying vulnerable open source packages exhaustively catalog every component or library, regardless of whether the application actually uses it. Mayhem instead builds an SBOM dynamically from the application’s behavior at runtime, showing only the parts of the application that are on the attack surface.
With this, Mayhem can now ingest SCA results or full SBOMs and deliver to developers validated lists of vulnerable components, eliminating time wasted on false positives or justifying CVEs in unused packages.
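To make the idea of runtime-aware SBOM and SCA validation concrete, the following is an added illustrative example; it is not Mayhem’s code or algorithm and does not show how Mayhem observes a program. It assumes a Linux process whose loaded shared libraries can be read in /proc/<pid>/maps format, and every input (the static SBOM, the SCA findings with placeholder CVE ids, and the maps text) is constructed inline. The example intersects the static inventory with what was actually mapped into the process, splits the SCA findings into validated (component on the runtime attack surface) and suppressed (component never loaded), and also reports libraries seen at runtime that the static SBOM never listed.

```python
"""Illustrative runtime-aware SBOM filtering (added example, not Mayhem's code)."""
import os

# Constructed static SBOM: what a build-time SBOM or SCA tool would catalogue.
STATIC_SBOM = [
    {"name": "libssl", "version": "1.1.1k"},
    {"name": "libz", "version": "1.2.11"},
    {"name": "libxml2", "version": "2.9.10"},
    {"name": "libpng", "version": "1.6.37"},
]

# Constructed SCA findings keyed by component; the ids are placeholders, not real CVEs.
SCA_FINDINGS = [
    {"component": "libssl", "id": "CVE-PLACEHOLDER-1", "severity": "high"},
    {"component": "libxml2", "id": "CVE-PLACEHOLDER-2", "severity": "critical"},
    {"component": "libpng", "id": "CVE-PLACEHOLDER-3", "severity": "medium"},
]

# Constructed runtime observation in /proc/<pid>/maps format (assumed observation source).
# Only libssl, libcrypto and libz were mapped; libxml2 and libpng never loaded.
OBSERVED_MAPS = """\
7f3a1c000000-7f3a1c1ff000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c300000-7f3a1c5ff000 r-xp 00000000 08:01 1237 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f3a1c200000-7f3a1c2ff000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f3a1d000000-7f3a1d0ff000 r-xp 00000000 08:01 1236 /app/bin/server
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0 [stack]
"""


def soname_to_component(path):
    """Map '/usr/lib/.../libssl.so.1.1' to the component name 'libssl'; None for non-libraries."""
    base = os.path.basename(path)
    if ".so" not in base:
        return None
    return base.split(".so", 1)[0]


def loaded_components(maps_text):
    """Names of shared libraries observed mapped into the process."""
    names = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:  # anonymous mapping, no backing file
            continue
        name = soname_to_component(parts[5])
        if name:
            names.add(name)
    return names


def read_process_maps(pid="self"):
    """Read a live process's maps (Linux only); callers fall back to a captured text otherwise."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return fh.read()


def dynamic_sbom(static_sbom, maps_text):
    """Static SBOM entries restricted to components actually loaded at runtime."""
    loaded = loaded_components(maps_text)
    return [c for c in static_sbom if c["name"] in loaded]


def unlisted_at_runtime(static_sbom, maps_text):
    """Libraries loaded at runtime that the static SBOM does not list (inventory gap)."""
    listed = {c["name"] for c in static_sbom}
    return loaded_components(maps_text) - listed


def validate_sca(findings, static_sbom, maps_text):
    """Split SCA findings into (validated, suppressed) by runtime attack-surface membership."""
    on_surface = {c["name"] for c in dynamic_sbom(static_sbom, maps_text)}
    validated, suppressed = [], []
    for finding in findings:
        target = validated if finding["component"] in on_surface else suppressed
        target.append(finding)
    return validated, suppressed


if __name__ == "__main__":
    validated, suppressed = validate_sca(SCA_FINDINGS, STATIC_SBOM, OBSERVED_MAPS)
    print("Runtime SBOM:", [c["name"] for c in dynamic_sbom(STATIC_SBOM, OBSERVED_MAPS)])
    print("Validated findings:", [f["id"] for f in validated])
    print("Suppressed (component never loaded):", [f["id"] for f in suppressed])
    print("Loaded but missing from SBOM:", sorted(unlisted_at_runtime(STATIC_SBOM, OBSERVED_MAPS)))
```

Two practical caveats follow from the design. A suppressed finding is only as trustworthy as the coverage of the run that produced the observation: a library loaded lazily by a code path the test never exercised will look unused, so the observation should come from thorough dynamic testing rather than a single start-up. And the unlisted set is worth surfacing separately, because a component that runs but is absent from the static SBOM is an inventory gap that neither the SBOM nor the SCA report will ever flag.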
Mayhem’s Unique Approach
This builds on Mayhem’s award-winning approach of dynamically testing applications and APIs and delivering only real, actionable security results to developers. Mayhem’s combination of generative AI, symbolic execution, and fuzz testing techniques is used by security teams worldwide to pinpoint and prioritize exploitable vulnerabilities.
This focus on finding and fixing what’s exploitable informs Mayhem’s dynamic SBOM and SCA validation, keeping application security and development teams focused on actionable, measurable remediations and continuous improvement in their application security posture.
Get Started
Learn more about Mayhem’s dynamic SBOM and SCA validation here.
Add Mayhem to Your DevSecOps for Free.
Get a full-featured 30 day free trial.