Up to 90% of the codebase of a typical application consists of third-party libraries. Most of these libraries are open source software. Known vulnerabilities in these libraries are very attractive targets for cyber adversaries and have become the largest cause of data breaches today.
At MergeBase we understand that false positives have a huge impact on productivity and morale. Not only is trying to fix a false positive a huge waste of time, it often takes a developer more time to proof that it is false than it would have taken to fix a true positive.
That is why we put consistent effort in reducing false positives and are proud to have the lowest false positive ratio in the industry.
MergeBase covers all major languages and environments from Javascript/NPM, .NET, C/C++ to Java and much more (link to detailed features). It integrates with all major build environments and repositories through dedicated plug-ins.
MergeBase keeps your development running at top speed through sophisticated developer guidance that enables your developers to find the best upgrade path in seconds and through suppression management that keeps pipelines running smoothly while maintaining full security governance.
In addition, MergeBase gives you full insight and control over licensing and technical debt, so you can manage your legal and technical risk as well.
MergeBase analyses the code developers want to add to your repositories for known-vulnerabilities and triggers warnings, rejections, and mandatory code reviews. You can configure it to extend full enterprise control over these potentially catastrophic risks to your organization.
Empower your developers and security analysts to effectively secure your enterprise applications.
MergeBase provides complete DevSecOps coverage and reliable container security.
MergeBase can instrument Java applications, giving you full visibility on what is deployed in the cloud or your data centers with an immediate risk assessment
When it is impossible to quickly upgrade a vulnerable library, open-source run-time protection can be a lifesaver. It also shrinks your attack surface by up to 90% and dramatically reduces remediation efforts.
MergeBase is a cloud-native solution. However it is architected such that clients can deploy not only in the cloud, but also on-prem or in a private cloud. Regardless of the size of your company, our enterprise licensing does not put constraints on how your deploy. You can deploy an unlimited number of instances if you choose to.
For instance, you can deploy one instance for a test environment and a different instance for production because there are separate controls around these environments and different people have access to those environments as well.
There are also other hybrid deployment options. For instance, you could deploy MergeBase in your cloud instances rather than in ours. You get the benefits of the cloud and can leverage your own corporate controls at the same time.
The best option, as in most scenarios, is prevention. You achieve prevention with MergeBase by integrating early on in your development process through your repositories. That way you can keep vulnerable components completely out of your codebase, so there is nothing to remediate. This is the best and the lowest cost option for companies; however, it might not always be practical or even possible. That is where the other options come in.
Onboarding is based on customer need:
