ForAllSecure unveils AI-powered SBOM tool Mayhem to target real threats
ForAllSecure, the application security testing firm, has unveiled a dynamic software bill of materials (SBOM) capability for its Mayhem platform. The AI-powered product observes an application's actual runtime behaviour to detect and eliminate real, exploitable vulnerabilities, the company says. By doing so, it increases developer velocity, reduces risk and cuts the false positives that traditional SBOM tools routinely produce.
A common problem with conventional software composition analysis (SCA) and static SBOM tools is that they generate long lists of dependencies and potentially vulnerable components, most of which turn out to be false positives: the flagged component is declared in the build but never loaded or never reached by the application. As a result, teams spend significant effort investigating findings that are not exploitable instead of fixing vulnerabilities that are. The company reports that more than half of the results from SCA and SBOM tools are false positives, and that chasing them consumes two-thirds of a development team's security time, diverting resources from work that would actually improve the software's security.
In contrast to the static model, Mayhem's runtime profiling records only the components that are actually present while the application runs, which narrows the inventory to the code that can really be reached and streamlines the identification and remediation of genuine vulnerabilities. Josh Thorngren, VP of product at ForAllSecure, said: "Organisations are losing time and are unable to optimise because security teams do not know their actual risk posture and developers do not have enough time to fix the critical issues that matter."
To address this, ForAllSecure is letting its customers concentrate on real threats by providing a real-time SBOM that reflects the running application. The stated result is a smaller attack surface, more accurate vulnerability detection, safer software shipping and faster feature releases.
Mayhem's Dynamic SBOM covers three areas: attack surface mapping, supply chain security and SSDF compliance. It shows which CVEs are actually reachable in the running application, identifies the dependencies that pose the most risk and the unused third-party components that can be removed, and simplifies compliance by supplying runtime data for attestations and justifications.
In tests on standard open source software, Mayhem's Dynamic SBOM reduced alert noise by 60%, eliminating much of the false-positive volume common in traditional application security tooling. While the application runs, it builds a profile of the organisation's application packages and dependencies in real time, so security teams can focus on vulnerabilities that are actually remediable, which improves software quality and makes the tool a practical resource for developers.
The dynamic SBOM is the next stage in the evolution of the Mayhem platform, which uses attacker techniques to find vulnerabilities in applications and APIs, with AI-driven behavioural testing aimed at pinpointing exploitable weaknesses and bugs. The company says the approach has proven effective at eliminating false positives, significantly reducing alert volume while making the security testing of applications and APIs more efficient.
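The runtime-profiling idea described above (and the removal of unused components mentioned earlier) can be illustrated with a small script. This is an added example, not ForAllSecure's or Mayhem's code, and it says nothing about how Mayhem itself is implemented. It takes a static SBOM (the declared dependency inventory, in a CycloneDX-like shape), a vulnerability feed keyed by package URL, and a runtime profile of which top-level modules were actually loaded, then splits the static alerts into those on components that loaded and those on components that never did. The package names, the EX-... advisory identifiers and the runtime profile are all constructed for the illustration; the only real mechanism used is Python's sys.modules table, which is how a Python process can observe its own loaded modules.

```python
"""Added example (not ForAllSecure's or Mayhem's own code): prune static
SBOM vulnerability alerts to the components that were actually loaded at
runtime, and list declared components that never loaded.

Everything below is constructed for the illustration: the package names,
the advisory identifiers (EX-...) and the runtime profile are made up.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str                  # package name as declared in the static SBOM
    version: str
    purl: str                  # package URL, the join key against the advisory feed
    modules: Tuple[str, ...]   # top-level import names the package provides (assumed)


# Constructed static SBOM: what the build declares (CycloneDX-style fields).
STATIC_SBOM: List[Component] = [
    Component("fastjson", "2.3.1", "pkg:pypi/fastjson@2.3.1", ("fastjson",)),
    Component("auth-tokens", "1.0.4", "pkg:pypi/auth-tokens@1.0.4", ("auth_tokens",)),
    Component("legacy-xml", "0.9.0", "pkg:pypi/legacy-xml@0.9.0", ("legacy_xml",)),
    Component("pdfgen", "4.1.0", "pkg:pypi/pdfgen@4.1.0", ("pdfgen",)),
    Component("imgcodec", "2.0.1", "pkg:pypi/imgcodec@2.0.1", ("imgcodec",)),
]

# Constructed advisory feed keyed by purl; the identifiers are placeholders.
KNOWN_VULNS: Dict[str, List[str]] = {
    "pkg:pypi/fastjson@2.3.1": ["EX-2024-0001"],
    "pkg:pypi/legacy-xml@0.9.0": ["EX-2024-0002", "EX-2024-0003"],
    "pkg:pypi/pdfgen@4.1.0": ["EX-2024-0004"],
}

# Constructed runtime profile: top-level modules observed loaded while the
# application served its workload. In a live run you would take this
# snapshot with snapshot_loaded_modules() after exercising the application.
OBSERVED_AT_RUNTIME: Set[str] = {"sys", "json", "fastjson", "auth_tokens"}

Alert = Tuple[str, str, str]  # (component name, version, vulnerability id)


def snapshot_loaded_modules() -> Set[str]:
    """Runtime observation for a Python process: the top-level name of every
    module the interpreter has imported so far. A package declared in the
    SBOM that never appears here never executed in this run."""
    return {name.split(".", 1)[0] for name in sys.modules}


def loaded_components(sbom: Sequence[Component], observed: Set[str]) -> List[Component]:
    """Components for which at least one provided module was observed loaded."""
    return [c for c in sbom if any(m in observed for m in c.modules)]


def unused_components(sbom: Sequence[Component], observed: Set[str]) -> List[Component]:
    """Declared components that never loaded: candidates for removal."""
    return [c for c in sbom if not any(m in observed for m in c.modules)]


def triage(sbom: Sequence[Component], vulns: Dict[str, List[str]],
           observed: Set[str]) -> Tuple[List[Alert], List[Alert]]:
    """Split advisory hits into alerts on loaded components (worth a
    developer's time now) and alerts on components that never loaded."""
    present = {c.purl for c in loaded_components(sbom, observed)}
    live: List[Alert] = []
    dormant: List[Alert] = []
    for c in sbom:
        for vid in vulns.get(c.purl, []):
            (live if c.purl in present else dormant).append((c.name, c.version, vid))
    return live, dormant


def noise_reduction(live: List[Alert], dormant: List[Alert]) -> float:
    """Fraction of static alerts set aside because their component never loaded."""
    total = len(live) + len(dormant)
    return 0.0 if total == 0 else len(dormant) / total


if __name__ == "__main__":
    live, dormant = triage(STATIC_SBOM, KNOWN_VULNS, OBSERVED_AT_RUNTIME)
    print("act on now:", live)
    print("deferred (component never loaded):", dormant)
    print("removal candidates:",
          [c.name for c in unused_components(STATIC_SBOM, OBSERVED_AT_RUNTIME)])
    print(f"alert noise set aside: {noise_reduction(live, dormant):.0%}")
```

Two caveats apply to any profile of this kind. First, a runtime snapshot only reflects the code paths that were exercised: a component absent from one run may still load on another input, so the profile should come from representative workloads or a test suite, and the dormant alerts are deferred rather than discarded. Second, matching on the top-level module name is a simplification; a real tool would tie the observation to the installed distribution and version, since two packages can share an import name.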