Oxeye prioritizes the vulnerable packages you actually need to remediate by adding runtime context and focusing on exploitable packages: those that are loaded and used at runtime, and those that are reachable from the Internet.
Legacy Software Composition Analysis (SCA) tools identify vulnerabilities in open source packages using a two-step process:
1. Scan package manager manifests and lock files, source code, binaries, container images, etc. to identify the open source packages in use, and record them in a Software Bill of Materials (SBOM)
2. Match each SBOM entry (package name and version) against one or more vulnerability databases, usually including the National Vulnerability Database (NVD), to flag packages with known vulnerabilities
The result? A huge list of all possible vulnerabilities, without any context.
Modern tools start by doing exactly what legacy Software Composition Analysis (SCA) tools do, then filter and rank the results using context that legacy tools lack: whether the package is actually loaded and executed at runtime, and whether the service that uses it is reachable from the Internet.
This filtering removes 95% or more of the open source and third-party package vulnerabilities that cannot be exploited in the deployed application, and ranks the remainder, giving AppSec and development teams clear direction on which vulnerabilities to patch and in what order.
You get a much shorter list of vulnerabilities that can actually be exploited, instead of a long list of 'theoretical' ones. Legacy tools have no way of analyzing these factors in microservices-based applications, hence the huge amount of noise. In practice, Oxeye removes over 95% of these non-exploitable vulnerabilities.
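The pipeline described above, as an added example that is not Oxeye's code: two constructed per-service SBOMs are matched against a three-record vulnerability database (legacy SCA), then findings are dropped when the package is never loaded at runtime and the rest are ranked by Internet exposure and CVSS. The SBOMs, the runtime observations (`RUNTIME_LOADED`) and the exposure map (`INTERNET_FACING`) are all constructed inputs; the CVE records are real advisories reduced to a package name, an affected version range and a CVSS score.

```python
"""Toy SCA pipeline: SBOM match against a vulnerability DB, then runtime filtering.

Added illustration, not Oxeye's code. SBOMs, runtime observations and the
exposure map are constructed; the CVE records are real advisories reduced to
a package, an affected range [introduced, fixed) and a CVSS score.
"""
from dataclasses import dataclass

# Constructed SBOMs, one per microservice, as (package, version) pairs.
SBOMS = {
    "api-gateway": [("log4j-core", "2.14.1"), ("commons-text", "1.9"), ("junit", "4.13")],
    "batch-worker": [("spring-core", "5.3.17"), ("log4j-core", "2.14.1")],
}

# Tiny subset of a vulnerability database. Affected range is [introduced, fixed).
VULN_DB = [
    {"id": "CVE-2021-44228", "package": "log4j-core", "introduced": "2.0", "fixed": "2.15.0", "cvss": 10.0},
    {"id": "CVE-2022-42889", "package": "commons-text", "introduced": "1.5", "fixed": "1.10.0", "cvss": 9.8},
    {"id": "CVE-2022-22965", "package": "spring-core", "introduced": "5.3.0", "fixed": "5.3.18", "cvss": 9.8},
]

# Constructed runtime context: packages actually observed loaded in each service
# (what an in-cluster sensor would report), and which services face the Internet.
RUNTIME_LOADED = {
    "api-gateway": {"log4j-core"},                 # commons-text and junit never load
    "batch-worker": {"spring-core", "log4j-core"},
}
INTERNET_FACING = {"api-gateway": True, "batch-worker": False}


@dataclass(frozen=True)
class Finding:
    service: str
    package: str
    version: str
    vuln_id: str
    cvss: float


def parse_version(v: str) -> tuple:
    # Assumption: plain dotted numeric versions. Real SCA must also handle
    # suffixes such as "2.0-beta9" and distro epochs; out of scope here.
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def legacy_findings(sboms=SBOMS, vuln_db=VULN_DB) -> list:
    """Steps 1 and 2 of legacy SCA: every SBOM component matched against the DB."""
    out = []
    for service, components in sboms.items():
        for package, version in components:
            for rec in vuln_db:
                if rec["package"] == package and is_affected(version, rec["introduced"], rec["fixed"]):
                    out.append(Finding(service, package, version, rec["id"], rec["cvss"]))
    return out


def contextual_findings(findings, loaded=RUNTIME_LOADED, exposed=INTERNET_FACING) -> list:
    """Drop packages never loaded at runtime; rank the rest by exposure, then CVSS."""
    reachable = [f for f in findings if f.package in loaded.get(f.service, set())]
    return sorted(reachable, key=lambda f: (not exposed.get(f.service, False), -f.cvss, f.service))


if __name__ == "__main__":
    raw = legacy_findings()
    ranked = contextual_findings(raw)
    print(f"legacy SCA: {len(raw)} findings, after runtime context: {len(ranked)}")
    for f in ranked:
        exposure = "internet-facing" if INTERNET_FACING[f.service] else "internal"
        print(f"{f.vuln_id} {f.package}@{f.version} in {f.service} ({exposure}, CVSS {f.cvss})")
```

With these inputs the legacy pass yields four findings; the context pass drops the unloaded commons-text finding and puts the Internet-facing api-gateway log4j-core instance first, ahead of the same package in the internal batch-worker. Note the caveat in `parse_version`: production matching has to cope with pre-release suffixes and ecosystem-specific version schemes, which is where many false matches and misses originate.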
Oxeye does more than shrink the list of open source and third-party package vulnerabilities: our Application Security Posture Management (ASPM) platform also consolidates SCA, SAST and DAST into a single tool, lowering application security testing tool costs, giving developers and AppSec teams one unified view of results, and reducing AppSec-related operational costs.
Eliminate uncertainty from the application security process, and save your development and AppSec teams time.