Overwhelmed by the sheer number of results legacy Software Composition Analysis (SCA) tools generate? Oxeye helps you focus on exploitable vulnerabilities in open-source and third-party packages, so that you can prioritize your remediation efforts.
We do this by identifying and showing you which packages are actually loaded and used by your application, and which of those are reachable from the Internet.
Legacy SCA tools identify vulnerabilities in open source packages using a two-step process:
1. Scan package manifests and lock files, source code, binaries, container images, etc., identify the open-source packages and their versions, and record them in a Software Bill of Materials (SBOM)
2. Compare this SBOM against one or more vulnerability databases, usually including the National Vulnerability Database (NVD), to flag every component whose version falls in an advisory's affected range
The result? A huge list of every possible vulnerability, with no context. These tools don't distinguish among three buckets of vulnerable packages: packages that are installed but never loaded, packages that are loaded but never called by the application, and packages that are installed, loaded into memory, and actually used.
By focusing only on Bucket 3, vulnerable packages that are installed, loaded into memory, and actually used by the application, adopters of Oxeye see a reduction of between 80% and 95% in the list of vulnerable packages they have to remediate.
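To make the two-step process and the "loaded into memory" filter concrete, here is an added example (not Oxeye's code or any real SCA tool's): a constructed SBOM is matched against a constructed advisory list exactly as a legacy tool would do it, and the findings are then narrowed to packages that are present in the running process. Advisory IDs, package versions and affected ranges are all invented, and Python standard-library modules stand in for third-party packages so the script runs offline; in Python "loaded" is approximated by membership in `sys.modules`.

```python
"""Naive SBOM-vs-advisory matching, then a runtime "is it loaded?" filter.

Added example, not Oxeye's code. The SBOM, the advisory database and every
version number below are constructed for illustration; standard-library modules
stand in for third-party packages so the script runs with no network access.
"""
import hashlib  # imported on purpose so it counts as "loaded" in the demo
import json     # likewise
import sys
from typing import Dict, Iterable, List, Optional, Set, Tuple

Component = Tuple[str, str]      # (package name, installed version)
Finding = Tuple[str, str, str]   # (package name, installed version, advisory id)

# Step 1 output: a constructed SBOM for a hypothetical service.
SBOM: List[Component] = [
    ("json", "2.0.9"),
    ("hashlib", "1.2.0"),
    ("sqlite3", "2.6.0"),
    ("xmlrpc", "1.0.1"),
    ("csv", "1.0"),
]

# Constructed advisory database. IDs are placeholders, not real CVEs.
# A component is affected when introduced <= version < fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "package": "json", "introduced": "0", "fixed": "2.1"},
    {"id": "EXAMPLE-0002", "package": "json", "introduced": "3.0", "fixed": "3.0.2"},
    {"id": "EXAMPLE-0003", "package": "hashlib", "introduced": "1.0", "fixed": "1.3"},
    {"id": "EXAMPLE-0004", "package": "sqlite3", "introduced": "0", "fixed": "2.7"},
    {"id": "EXAMPLE-0005", "package": "xmlrpc", "introduced": "0", "fixed": "1.1"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.9' -> (2, 0, 9). Tuple comparison gives the usual ordering.
    Deliberately simple: no pre-release or post-release suffixes."""
    return tuple(int(part) for part in v.split("."))


def match_advisories(sbom: Iterable[Component],
                     advisories: Iterable[Dict[str, str]]) -> List[Finding]:
    """Step 2 of a legacy SCA tool: flag every SBOM component whose version
    falls inside an advisory's affected range, whether or not it is ever used."""
    findings: List[Finding] = []
    for name, version in sbom:
        v = parse_version(version)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings


def top_level_loaded(modules: Optional[Iterable[str]] = None) -> Set[str]:
    """Top-level names of the modules loaded in this process (sys.modules by
    default), so that 'xml.etree.ElementTree' counts as 'xml' being loaded."""
    if modules is None:
        modules = list(sys.modules.keys())
    return {m.split(".", 1)[0] for m in modules}


def filter_loaded(findings: Iterable[Finding], loaded: Set[str]) -> List[Finding]:
    """Keep only findings whose package is actually present in memory."""
    return [f for f in findings if f[0] in loaded]


def reduction_percent(before: int, after: int) -> float:
    """How much shorter the remediation list became, as a percentage."""
    return 0.0 if before == 0 else round(100.0 * (before - after) / before, 1)


if __name__ == "__main__":
    everything = match_advisories(SBOM, ADVISORIES)
    live = filter_loaded(everything, top_level_loaded())
    print(f"legacy SCA view: {len(everything)} findings")
    for f in everything:
        print("  ", f)
    print(f"loaded-only view: {len(live)} findings "
          f"({reduction_percent(len(everything), len(live))}% fewer)")
    for f in live:
        print("  ", f)
```

Two caveats a practitioner should keep in mind. "Loaded" is only the middle bucket: a module can be imported and never called, so a real tool has to go further, with instrumentation or call-graph analysis, to establish that the vulnerable code path is actually executed and reachable from an external entry point. And the version matching here is deliberately naive; real package ecosystems have pre-release tags, epochs and vendor backports that a plain dotted-integer comparison gets wrong.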
Eliminate uncertainty from the application security process, and save your development and AppSec teams time.