Built for Cloud-Native Applications

Our Software Composition Analysis Tool Reduces Non-Critical Open Source Vulnerabilities by 80-95%

We Help You Find the Open Source Vulnerabilities You Really Need To Fix

Oxeye prioritizes the packages you need to remediate by focusing on exploitable packages - those that are loaded and used at runtime, and those that are accessible from the Internet

How Oxeye Does It

Oxeye detects vulnerable open source and third party packages, and filters out those that aren't exploitable, so you can prioritize remediation efforts more efficiently.

HOW IT USED TO BE DONE

Legacy Software Composition Analysis (SCA) tools identify vulnerabilities in open source packages using a two-step process:

1. Scan and identify open source packages in package managers, source code, binary files, container images, etc., which are placed into a Software Bill of Materials (SBOM)
2. Compare this SBOM against a number of databases that usually include the National Vulnerability Database (NVD) to identify vulnerable packages

The result? A huge list of all possible vulnerabilities, without any context.

HOW OXEYE DOES IT

Oxeye determines exploitability based on two primary factors:

  1. We distinguish between packages that are installed, loaded into memory, and used at runtime (Bucket 3 below), and those that are merely installed (Bucket 1) or installed, but never used (Bucket 2). We filter out the latter, so you're focusing only on the packages that are potentially vulnerable at runtime
  2. We trace whether a package is exposed to the Internet or not, whether directly or indirectly. Those that cannot be accessed from the Internet are filtered out, leaving only those that are both used at runtime, and have a vulnerable path from an externally-facing API to the package


The result? A much shorter list of vulnerabilities that can actually be exploited, instead of a long list of all possible vulnerabilities from legacy SCA tools. These legacy tools have no way of analyzing these factors in microservices-based applications, hence the huge amount of noise.
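The prioritization logic described above can be made concrete in a few lines. The script below is an added illustration, not Oxeye's code: it runs the two legacy SCA steps (build an SBOM, match it against a vulnerability database) and then applies the two exploitability filters, runtime usage (Buckets 1 to 3) and reachability from an Internet-facing API through the call graph. All package names, the vulnerability database, the runtime evidence and the call graph are constructed sample data, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
from collections import deque

# --- Constructed sample data (hypothetical; not from Oxeye or any real database) ---

# Legacy SCA step 1: the SBOM, i.e. every package found installed, with its version.
SBOM = {
    "web-framework": "2.1.0",
    "image-codec": "1.4.2",
    "pdf-render": "0.9.1",
    "dev-linter": "5.0.0",
    "log-shipper": "3.3.0",
}

# Legacy SCA step 2 input: a vulnerability database keyed by (package, version).
# Identifiers are placeholders, not real CVE numbers.
VULN_DB = {
    ("web-framework", "2.1.0"): ["VULN-PLACEHOLDER-1"],
    ("image-codec", "1.4.2"): ["VULN-PLACEHOLDER-2"],
    ("pdf-render", "0.9.1"): ["VULN-PLACEHOLDER-3"],
    ("dev-linter", "5.0.0"): ["VULN-PLACEHOLDER-4"],
    ("log-shipper", "3.3.0"): ["VULN-PLACEHOLDER-5"],
}

# Runtime evidence from hypothetical instrumentation: packages loaded into the
# process, and packages whose code was actually invoked while serving traffic.
LOADED_AT_RUNTIME = {"web-framework", "image-codec", "pdf-render", "log-shipper"}
CALLED_AT_RUNTIME = {"web-framework", "image-codec", "log-shipper"}

# Call graph (caller -> callees). "api:" nodes are HTTP handlers exposed to the
# Internet; "internal:" nodes are modules only reachable from inside the service.
CALL_GRAPH = {
    "api:/upload": ["internal:upload-handler"],
    "internal:upload-handler": ["image-codec", "web-framework"],
    "api:/health": ["web-framework"],
    "internal:cron": ["pdf-render", "log-shipper"],
}
INTERNET_FACING = {"api:/upload", "api:/health"}


def legacy_sca(sbom, vuln_db):
    """Legacy SCA step 2: every installed package with a known vulnerability, no context."""
    return {
        name: vuln_db[(name, version)]
        for name, version in sbom.items()
        if (name, version) in vuln_db
    }


def bucket(name, loaded, called):
    """Bucket 1: merely installed. Bucket 2: loaded but never used. Bucket 3: used at runtime."""
    if name in called:
        return 3
    if name in loaded:
        return 2
    return 1


def reachable_from(graph, entry_points):
    """Breadth-first walk of the call graph: every node reachable, directly or
    indirectly, from the given entry points."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def classify(sbom, vuln_db, loaded, called, graph, entry_points):
    """Annotate each legacy finding with its runtime bucket and Internet reachability.
    A finding is exploitable only if it is in Bucket 3 AND reachable from an
    externally-facing API."""
    findings = legacy_sca(sbom, vuln_db)
    reachable = reachable_from(graph, entry_points)
    report = {}
    for name, vulns in findings.items():
        b = bucket(name, loaded, called)
        r = name in reachable
        report[name] = {"vulns": vulns, "bucket": b, "reachable": r,
                        "exploitable": b == 3 and r}
    return report


def exploitable(report):
    """The shortlist a team should actually remediate first."""
    return sorted(name for name, f in report.items() if f["exploitable"])


if __name__ == "__main__":
    report = classify(SBOM, VULN_DB, LOADED_AT_RUNTIME, CALLED_AT_RUNTIME,
                      CALL_GRAPH, INTERNET_FACING)
    print("legacy findings:", sorted(legacy_sca(SBOM, VULN_DB)))
    for name, f in sorted(report.items()):
        print(f"{name:14} bucket={f['bucket']} reachable={f['reachable']} "
              f"exploitable={f['exploitable']}")
    print("prioritized:", exploitable(report))
```

With this sample data the legacy pass reports all five packages, while the filtered pass keeps only two: `pdf-render` is loaded but never used (Bucket 2), `dev-linter` is merely installed (Bucket 1), and `log-shipper` is used at runtime but only from an internal cron job, so no path from an Internet-facing API reaches it. Note that `image-codec` is kept even though no handler calls it directly; the walk follows the indirect path through `internal:upload-handler`.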

Not only does Oxeye reduce open source and third party package vulnerabilities, our AppSec Platform also consolidates the functionality of SCA, SAST and DAST into a single tool. This lowers your application security testing tool costs, provides a unified view of results for both developers and AppSec teams, and lowers AppSec-related operational costs.

Cloud Native SCA Tool comparison chart

Want to Learn More? Send Us a Message

Realize The True Promise of Shifting Left

Eliminate uncertainty from the application security process, and save your development and AppSec teams time.