Introducing Mayhem’s Dynamic SBOM Generation and SCA Validation Feature

Mayhem Team
April 29, 2024

At Mayhem, we understand the security challenges that organizations face with traditional SBOM. Eliminating false positives and empowering development teams to focus on remediating the issues that matter is part of our mission at Mayhem. That’s why we’re excited to announce the release of our latest feature: Mayhem’s Dynamic SBOM Generation and SCA Validation.

The Problem With Traditional SBOMs

SBOM has become a buzzword in the AppSec world. 

As the idea of SBOM has become more prevalent, it's come up in several conversations, especially during our demos with prospects. However, there's often a misunderstanding about what SBOM entails, and about the problems it can—and can’t—solve.

This isn't to say that SBOMs don't have their place in AppSec: since they provide a detailed list of software components, they are useful for compliance and for managing the software supply chain.

However, at their core, SBOMs are lists of ingredients, not tools for actionable insight. 

False positives make up more than half of SCA results, and development teams spend more time investigating false positives than fixing actual vulnerabilities. 

Traditional SCA and SBOM don't solve this problem. Security teams don’t know what their real risk posture is, and developers don’t have enough time to fix the issues that truly matter.  

The Mayhem Solution

With this insight, we set out to create an SBOM solution that would change the way SBOMs were used. We envisioned a dynamic, real-time approach to SBOM generation, one that would not only list the components used but also provide actionable insights into which ones mattered.

Mayhem takes a unique approach to SCA by building a runtime profile of your application’s packages and dependencies. Unlike traditional SCA tools that provide static lists of detected components, Mayhem’s profile only includes components actively used when your application runs. 

By focusing on the components in actual use, Mayhem filters out upwards of 60% of the results delivered in a typical SCA or SBOM scan, removing false positives and delivering only real vulnerabilities for remediation. This allows teams to fix more issues, ship safer software, and release features faster.

How it Works

Mayhem's dynamic SBOM and SCA validation works by deploying its profiler alongside your application's container engine. As your application containers execute, Mayhem dynamically constructs a profile of the packages and dependencies that are actually loaded, in real time.

This profile is accessible through various means such as API, CLI, and the Mayhem UI. It seamlessly integrates with your existing SCA and/or SBOM tools to generate a Dynamic SBOM and SCA report that only includes components and CVEs present at runtime. These results can be utilized across various platforms including Slack, Jira, SOC dashboards, ASPM tools, CI/CD pipelines, and more, providing comprehensive vulnerability information wherever needed.
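To make the validation step concrete, here is an added example (not Mayhem's code, and not its API) of how a static SCA report is reconciled against a runtime profile. The SCA findings, the runtime profile, the placeholder CVE ids and the field names are all constructed for the example; components are identified by package URLs (purls), which is an assumption about the input format. Findings for components that never loaded are filtered out, findings whose component loaded at the scanned version are confirmed, and findings whose component loaded at a different version are kept aside for review rather than silently dropped.

```python
"""Validate static SCA findings against a runtime package profile.

Added example: not Mayhem's code. All data below is constructed, and the
purl-based input format is an assumption.
"""
from typing import Dict, List, Set, Tuple

# Constructed: a static SCA report listing every component the scanner
# found in the image, with the (placeholder) CVE it associates with each.
STATIC_SCA_FINDINGS = [
    {"purl": "pkg:pypi/requests@2.25.1", "cve": "CVE-EXAMPLE-0001"},
    {"purl": "pkg:pypi/urllib3@1.26.4", "cve": "CVE-EXAMPLE-0002"},
    {"purl": "pkg:deb/debian/openssl@1.1.1n", "cve": "CVE-EXAMPLE-0003"},
    {"purl": "pkg:deb/debian/curl@7.74.0", "cve": "CVE-EXAMPLE-0004"},
    {"purl": "pkg:pypi/pyyaml@5.4.1", "cve": "CVE-EXAMPLE-0005"},
]

# Constructed: packages a runtime profiler observed being loaded while the
# container ran. curl and pyyaml were installed but never used; openssl
# loaded at a different version than the scanner recorded.
RUNTIME_PROFILE = [
    "pkg:pypi/requests@2.25.1",
    "pkg:pypi/urllib3@1.26.4",
    "pkg:deb/debian/openssl@1.1.1w",
]


def parse_purl(purl: str) -> Tuple[str, str]:
    """Split a purl into (type/namespace/name, version).

    Qualifiers ("?...") and subpaths ("#...") are dropped and the name is
    lower-cased, so pkg:PyPI/Requests@2.25.1?os=linux matches
    pkg:pypi/requests@2.25.1.
    """
    body = purl.split("?", 1)[0].split("#", 1)[0]
    if body.startswith("pkg:"):
        body = body[len("pkg:"):]
    name, sep, version = body.rpartition("@")
    if not sep:  # no version component at all
        name, version = version, ""
    return name.lower(), version


def validate_sca(findings: List[dict], runtime_profile: List[str]):
    """Partition findings into (confirmed, filtered, mismatched).

    confirmed : component loaded at runtime at the scanned version
    filtered  : component never loaded, so the finding is not reachable
    mismatched: component loaded, but at a version the scanner did not see
    """
    loaded: Dict[str, Set[str]] = {}
    for purl in runtime_profile:
        name, version = parse_purl(purl)
        loaded.setdefault(name, set()).add(version)

    confirmed, filtered, mismatched = [], [], []
    for finding in findings:
        name, version = parse_purl(finding["purl"])
        if name not in loaded:
            filtered.append(finding)
        elif version in loaded[name]:
            confirmed.append(finding)
        else:
            # Keep the finding but record what actually ran, for triage.
            mismatched.append(
                {**finding, "runtime_versions": sorted(loaded[name])}
            )
    return confirmed, filtered, mismatched


def reduction_ratio(findings: List[dict], filtered: List[dict]) -> float:
    """Fraction of static findings removed because the component never ran."""
    return len(filtered) / len(findings) if findings else 0.0


if __name__ == "__main__":
    confirmed, filtered, mismatched = validate_sca(STATIC_SCA_FINDINGS, RUNTIME_PROFILE)
    print("confirmed :", [f["cve"] for f in confirmed])
    print("filtered  :", [f["cve"] for f in filtered])
    print("mismatched:", [(f["cve"], f["runtime_versions"]) for f in mismatched])
    print("reduction : %.0f%%" % (100 * reduction_ratio(STATIC_SCA_FINDINGS, filtered)))
```

The mismatch bucket is the part worth keeping in any real implementation: a component that loads at a version the scanner did not record means the static inventory and the running image have drifted, and the finding should be re-evaluated against the observed version rather than discarded.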

Try It Now

With Mayhem’s Dynamic SBOM Generation and SCA Validation feature, you can fix more vulnerabilities, simplify compliance, and stop wasting time on the issues that don’t matter. 

Ready to take control of your software supply chain security? Try it today.
