Built from scratch for cloud-native applications

Stop Wasting Time On Unexploitable Vulnerabilities

Focus on the 3-5% Of Application Vulnerabilities That Actually Matter

Eradicate the Issues of Legacy AppSec Tools

With a simple 2-minute deployment, Oxeye drastically reduces AppSec-related tool and operations costs by focusing on exploitable custom code, open source and third party vulnerabilities - those that can be accessed from the Internet and that are actually loaded and used at runtime

The Oxeye Application Security Platform:
• Simple 2-minute deployment
• Automated prioritization of vulnerabilities
• See whether vulnerabilities are Internet-accessible
• Examine loaded status of packages
• Developer-friendly remediation information
• SAST, DAST and SCA in one tool

With a 2-minute deployment, Oxeye drastically reduces application security noise by focusing on exploitable vulnerabilities. The results? Less time wasted triaging and remediating irrelevant findings, and more time to focus on building product

Book A Demo Get Solution Brief

OXEYE FILTERS VULNERABILITIES IN FOUR STEPS

IMPROVE YOUR APPSEC IN FOUR STEPS

Oxeye combines the functions of SAST, DAST and SCA into one tool to filter out vulnerabilities that can't be exploited in modern distributed applications. We identify all vulnerabilities, including those that cross microservices, then help AppSec & dev teams focus on critical vulnerabilities by applying the following steps

Oxeye combines static and runtime analysis and the functions of SAST, DAST and SCA into a single tool to provide vulnerability results that really matter. We find all custom code, open source and third party package vulnerabilities, then perform the following to remove vulnerabilities that can’t be exploited so you can remediate more efficiently.

Find and determine which vulnerable open source and third party packages are loaded and used, and filter out the ones that aren't.

Filter vulnerabilities that cannot be accessed from the Internet, whether directly or indirectly.

Refine further by adding infrastructure configuration data.

Perform active validation by fuzzing the exploitable APIs.

See how Oxeye works

All That You Expect from a Modern Appsec Solution

Visibility, Visibility, Visibility

Visualize your runtime and get a dynamic SBOM. Detect hard-coded secrets. See the path that vulnerabilities take, from externally-facing API to the specific line of code. Easily see whether your applications are meeting compliance requirements

Reduce Time Spent Triaging and Remediating

Only focus remediation efforts on exploitable vulnerabilities in custom code, open source and third party packages. Get remediation guidance, including line of code, stacktrace, and information about the vulnerabilities

One Tool. One Set of Results. One Predictable Price.

Get a single reference point for both application security and dev teams, and eliminate issues of complexity and cost from piecing together multiple, disjointed tools. No more trying to guess whether SAST, SCA or DAST results are accurate. No more unexpected spikes in cost

"Oxeye’s ability to provide a comprehensive and contextual analysis of application layer risks, combined with its straightforward deployment process, makes it an appealing solution for modern cloud-native teams like ours."

Lee Vincent Turner Photo

Lee Vincent Turner

Senior Technical Manager

"Legacy SAST, DAST, and IAST solutions are not effective in detecting vulnerabilities in modern cloud native applications. The unique challenges presented by the dynamic and distributed nature of these environments require new security tools and approaches. To effectively protect against the evolving threat landscape, organizations must adopt modern security solutions specifically designed for cloud native applications."

Ory Segal

CTO Prisma Cloud at Palo Alto Networks

"One of the unique features of Oxeye, in comparison to other SAST tools, is its ability to provide a curated view of code issues based on the actual code paths executed by our application at runtime. This approach allows for a more targeted and efficient resolution of issues, resulting in better code hygiene."

Image of Omer Azaria

Omer Azaria

VP of Research and Development at Sysdig

"Chasing down all vulnerabilities is unscalable. High risk-reduction ROI comes from context-based prioritization & remediation of security vulnerabilities."

Image of Srinath Kuruvadi

Srinath Kuruvadi

Head of Product Security - AWS Cloud, JP Morgan Chase

See the AppSec Issues that Really Matter

Focus On Exploitable Vulnerabilities

Oxeye shows you the custom code, open source and third party package vulnerabilities that you should prioritize

Detect Vulnerabilities Other Tools Miss

Oxeye’s vulnerable flow analysis reveals critical vulnerabilities that legacy SAST, DAST and SCA simply miss because they travel across microservices

Get The License to Chill

We detect non-compliant licenses used in your open source packages, and categorize them according to risk levels to help you avoid legal issues

Secrets Detection

Oxeye discovers hardcoded secrets such as passwords, API keys, and encryption keys in your applications so you don't inadvertently give away the keys to the kingdom

Fix Vulnerabilities Quickly With Information Your Dev Team Needs

Source

channel.basicConsume(QUEUE_NAME, true, deliverCallback, consumerTag -> {;
});
System.out.println("[*] Waiting for messages. To exit press CTRL+C");

Propagation

DeliverCallback deliverCallback = (consumerTag, delivery) -> {;
String jsonString = new String(delivery.getBody(), StandardCharsets.UTF_8);
try {
JSONObject obj = new JSONObject(jsonString);
PutMessage(conn, obj.getString("title"), obj.getString("description"), obj.getInt("price"));
} catch (JSONException | SQLException e) {
System.err.println("[!] Caught an exception handling message - \"" + jsonString + "\"");
e.printStackTrace();
}
};

Sink

private static void PutMessage(java.sql.Connection conn, String title, String description, int price) throws SQLException {
Statement st = conn.createStatement();
st.executeUpdate("INSERT INTO public.items (\"title\", \"description\", \"price\") values ('" + title + "', '" + description + "', '" + price + "');");
System.out.println("[*] Item added: title: \"" + title + \"", Description: \"" + description + "\", Price: " + price);
}

java.base/java.lang.Thread.run(Thread.java:829)
com.rabbitmq.client.impl.ConsumerWorkService$WorkPoolRunnable.run(ConsumerWorkService.java:104)
com.rabbitmq.client.impl.ConsumerDispatcher$5.run(ConsumerDispatcher.java:149)
com.rabbitmq.client.impl.recovery.AutorecoveringChannel$2.handleDelivery(AutorecoveringChannel.java:588)
com.dvcna.queue_dispatcher.RequestHandler.lambda$main$0(RequestHandler.java:47)
com.dvcna.queue_dispatcher.RequestHandler.PutMessage(RequestHandler.java:24)
org.postgresql.jdbc.PgStatement.executeUpdate(PgStatement.java:258)
io.opentelemetry.javaagent.shaded.instrumentation.api.instrumenter.Instrumenter.start(Instrumenter.java:195)
io.opentelemetry.javaagent.shaded.io.opentelemetry.context.Context.with(Context.java:169)
com.example.javaagent.instrumentation.InstrumentationUtil.generateCallStack(InstrumentationUtil.java:16)

Image - Vulnerability Flow

Code Snippet

See the view of source to sync from the user input to the dangerous function, and the specific line of code where the vulnerability resides.

Source

channel.basicConsume(QUEUE_NAME, true, deliverCallback, consumerTag -> {;
});
System.out.println("[*] Waiting for messages. To exit press CTRL+C");

Propagation

DeliverCallback deliverCallback = (consumerTag, delivery) -> {;
String jsonString = new String(delivery.getBody(), StandardCharsets.UTF_8);
try {
JSONObject obj = new JSONObject(jsonString);
PutMessage(conn, obj.getString("title"), obj.getString("description"), obj.getInt("price"));
} catch (JSONException | SQLException e) {
System.err.println("[!] Caught an exception handling message - \"" + jsonString + "\"");
e.printStackTrace();
}
};

Sink

private static void PutMessage(java.sql.Connection conn, String title, String description, int price) throws SQLException {
Statement st = conn.createStatement();
st.executeUpdate("INSERT INTO public.items (\"title\", \"description\", \"price\") values ('" + title + "', '" + description + "', '" + price + "');");
System.out.println("[*] Item added: title: \"" + title + \"", Description: \"" + description + "\", Price: " + price);
}

Stacktrace

See all the functions that were called during the execution of the vulnerability for additional context and clarity during the remediation process.

java.base/java.lang.Thread.run(Thread.java:829)
com.rabbitmq.client.impl.ConsumerWorkService$WorkPoolRunnable.run(ConsumerWorkService.java:104)
com.rabbitmq.client.impl.ConsumerDispatcher$5.run(ConsumerDispatcher.java:149)
com.rabbitmq.client.impl.recovery.AutorecoveringChannel$2.handleDelivery(AutorecoveringChannel.java:588)
com.dvcna.queue_dispatcher.RequestHandler.lambda$main$0(RequestHandler.java:47)
com.dvcna.queue_dispatcher.RequestHandler.PutMessage(RequestHandler.java:24)
org.postgresql.jdbc.PgStatement.executeUpdate(PgStatement.java:258)
io.opentelemetry.javaagent.shaded.instrumentation.api.instrumenter.Instrumenter.start(Instrumenter.java:195)
io.opentelemetry.javaagent.shaded.io.opentelemetry.context.Context.with(Context.java:169)
com.example.javaagent.instrumentation.InstrumentationUtil.generateCallStack(InstrumentationUtil.java:16)

Vulnerability Flow

Trace the path of vulnerabilities, from the externally-facing API, to the internal service that's vulnerable, even if the service is not directly accessible from the Internet.

Image - Vulnerability Flow

Realize The True Promise of Shifting Left

Eliminate uncertainty from the application security process, and save your development and AppSec teams time.

2023 All rights reserved

Privacy Policy Terms of Service