Introducing MergeBase


In this video, the CEO, Oscar van der Meer, introduces MergeBase and what makes it a next-gen open source security company that empowers your security and development teams to effectively find and reduce open source risk more rapidly than ever before.

Why MergeBase?


Securing the Software Supply Chain

Our mission at MergeBase is to secure the software supply chain. Open source software is used ubiquitously in development and the risk it carries keeps growing, which makes software composition analysis, the work we do, essential to protecting your company from that risk.

Consequently, security and risk management leaders should embrace this area, since more than 40% of data breaches are caused by exploitation of applications. MergeBase helps identify the vulnerabilities and provides various options to remediate or fix those threats. Unlike other SCA providers, we offer multiple options so that you can choose the approach that fits best with your situation and DevOps process.

Fixing Software Supply Chain Security Issues

Most organizations buy IT capabilities off the shelf because they’re less expensive, easier to maintain, and more cost-effective than building them themselves. The enterprise software market is worth 500 billion a year. You might have assumed these applications are kept safe by their vendors. However, the reality is that they contain the same open source vulnerabilities. What we’ve seen with our customers is that purchased applications are often less secure than those the organization is building in-house.

This can happen because there is a broken chain of responsibility. The software vendor thinks they are not responsible for security because they deliver just a piece of software with some functionality to a customer, and since the customer buys things like firewalls, security is the customer's responsibility.

However, that does not work for vulnerabilities in the application layer: in most cases, customer-deployed controls like firewalls or intrusion detection cannot defend against application-layer attacks. They are not equipped to understand the traffic to the application, so an attack is indistinguishable from ordinary traffic and passes straight through.

That is why it is essential to collaborate with your software vendors to ensure they produce secure code without vulnerabilities. And how do you do that? By using MergeBase! MergeBase has the capability of analyzing the applications that you purchased. Analyzing those applications allows you to hold your vendors accountable if they ship many vulnerabilities. And that is how you minimize supply chain risk.

Software Bill of Materials and Software Supply Chain Security

Over the past year, SBOM has received much attention, partly due to its connection to the software supply chain, which is increasingly under attack. It is very common in a mature industry, such as manufacturing, to deliver a product accompanied by a bill of materials that details precisely what is inside. There have been issues in that area too; for example, you buy printers from a particular country, and there are chips in them that may capture what has been printed and expose it.

The same thing applies to software. For instance, if you buy an application, it is very hard to do a full risk assessment on it if you do not know what components it is made up of. And how do you know whether there are recalls on certain underlying parts of that application that might cause your company to crash?

That is where the software bill of materials comes in. Essentially, it tells the organization what is inside the application, enabling them to assess the risk more thoroughly and protect themselves better.

MergeBase helps organizations create software bills of materials. By analyzing an application, we can create a software bill of materials for that application, which can be used in other tools. Or, if you deliver an application, you can include the accompanying software bill of materials so that the customer can do their due diligence in terms of risk assessment on an ongoing basis.

MergeBase can also generate SBOMs for applications for which you do not have the source code, only the binaries (executable files, as well as Java or .NET applications).
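To make concrete how an SBOM supports the ongoing risk assessment described above, here is a small added example (not MergeBase code, and not tied to the MergeBase product) that reads a hand-built CycloneDX-style SBOM, matches each component's package URL against a constructed list of advisories with affected and fixed version ranges, and reports both the vulnerable components and the components that cannot be matched at all. The SBOM contents, the `org.example` packages and the `EXAMPLE-ADV-*` advisory identifiers are all constructed placeholders.

```python
"""Cross-reference a software bill of materials (SBOM) against known-vulnerable versions.

Added example, not MergeBase code. The SBOM below is a constructed CycloneDX-style
document and the advisory list is constructed for illustration; the advisory IDs
are placeholders, not real identifiers.
"""
import itertools
import json

# Constructed SBOM: three libraries with package URLs (purl) and one without.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.example", "name": "text-utils", "version": "2.3.1",
     "purl": "pkg:maven/org.example/text-utils@2.3.1"},
    {"type": "library", "group": "org.example", "name": "json-parse", "version": "1.0.9",
     "purl": "pkg:maven/org.example/json-parse@1.0.9"},
    {"type": "library", "group": "org.example", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13"},
    {"type": "library", "name": "legacy-blob", "version": "0.1"}
  ]
}
"""

# Constructed advisories: a component is affected when
# affected_from <= version < fixed_in (placeholder IDs).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:maven/org.example/json-parse",
     "affected_from": "1.0.0", "fixed_in": "1.1.0"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:maven/org.example/http-client",
     "affected_from": "4.0.0", "fixed_in": "4.5.13"},
]


def parse_version(version, width=3):
    """Turn '1.0.9' into (1, 0, 9), padding to a fixed width so tuples compare cleanly.

    Non-numeric suffixes such as '13-beta' contribute only their leading digits.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0] * width)[:width])


def split_purl(purl):
    """Split 'pkg:maven/org.example/json-parse@1.0.9' into (base, '1.0.9')."""
    base, _, version = purl.partition("@")
    return base, version


def is_affected(version, advisory):
    """True when version lies in the advisory's half-open range [affected_from, fixed_in)."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def find_vulnerable_components(sbom_json, advisories):
    """Return {'vulnerable': [...findings...], 'unmatched': [component names without a purl]}.

    A component with no purl cannot be matched to any advisory; it is reported
    separately so the gap in the assessment is visible rather than silent.
    """
    sbom = json.loads(sbom_json)
    vulnerable, unmatched = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv):
                vulnerable.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return {"vulnerable": vulnerable, "unmatched": unmatched}


if __name__ == "__main__":
    report = find_vulnerable_components(SBOM_JSON, ADVISORIES)
    for f in report["vulnerable"]:
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for name in report["unmatched"]:
        print(f"{name}: no purl, could not be assessed")
```

With the constructed data, `json-parse 1.0.9` falls inside the affected range and is reported, `http-client 4.5.13` is exactly the first fixed version and is not, and `legacy-blob` is listed as unassessable. Because the check is driven purely by the SBOM, it can be repeated every time a new advisory arrives without re-analyzing the application, which is the ongoing due diligence the section describes.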



MergeBase Features

Software as a Service, On-Premises, or Hybrid Deployment

MergeBase is a cloud-native solution. It is architected flexibly so that clients can deploy it in multiple ways: as software as a service, hybrid, or completely on-premises. Regardless of the size of your company, our enterprise licensing enables you to deploy in the way that suits you best.

For instance, you can deploy one instance for a test environment and a different instance for production because there are separate controls around these environments and different people have access to those environments as well.

There are also other hybrid deployment options. For instance, you could deploy MergeBase in your cloud instances rather than in ours. You get the benefits of the cloud and can leverage your own corporate controls at the same time.

One of the unique elements of MergeBase is that it provides complete coverage across your DevOps process, and we reinforce that with our toolset. We provide DevOps coverage from coding, to building in a pipeline, to deploying with containers and runtime. Regardless of which part of your DevOps process you wish to focus on, MergeBase can assist you with security support.


Remediation Guidance

Unlike many security tools, MergeBase does not just give you a list of problems; instead, we actually help you fix them and make better design choices, so that you can increase the pace of your development. MergeBase offers several remediation options:

  • Prevention through smart repository controls
  • Advanced Developer Guidance
  • Integration with your process (for example, JIRA or Microsoft Boards)
  • Run-time code coverage insights, allowing you to ignore inert vulnerabilities with confidence
  • Run-time Protection to give you ultimate control and peace of mind

As in most scenarios, the best option is prevention. You achieve prevention with MergeBase by integrating early in your development process, through your repositories. That way you keep vulnerable components completely out of your codebase, so there is nothing to remediate. This is the best and lowest-cost option for companies; however, it might not always be practical or even possible. That is where the other options come in.

Onboarding Customers

Onboarding is based on customer need: How many people will be using MergeBase? How will they use the MergeBase platform? How complex is the code and build environment?

MergeBase offers:

  • An hour-long workshop with the organization and the developers.
  • Follow-up support
  • Full runtime support

A Game Changer for Business

Enabling Software Companies

Software technology companies are quite mature from a security perspective. They understand the need for security in general, the need for open source security, and their customers' need to secure their software supply chain.

When these companies start engaging with larger clients, especially in regulated industries like finance or healthcare, the security bar gets raised. MergeBase helps software technology companies stay on top of the risks in their applications.

They use the MergeBase platform to manage their clients' supply chain risk and are able to put in place advanced policies that eliminate known vulnerabilities while keeping up the pace of development. MergeBase achieves that through advanced developer guidance, suppression management and (DevOps) workflow integration.

Enabling Enterprises

There are two categories of enterprise: the organizations that are highly regulated and very sophisticated from a security perspective, for example the financial industry, banking and insurance; and the organizations that are not that mature from a risk management and security perspective and are perhaps not regulated.


Financial industry, banking and insurance companies

These companies have had application security tools in place for some time already. They often replace an existing tool, or add capabilities to their toolset with our runtime features. For example, a typical bank in North America has 600 applications, but the larger banks have more than 1500.

What happens is that these companies do not have developers working on all of these applications; there might be active development on only 10% or 20% of that application set. The problem is that the number of known vulnerabilities increases as applications get older. As applications receive less maintenance, the need for security maintenance increases, which obviously creates a high demand for a very scarce resource: developers.

And how do you deal with that? That is where our runtime protection comes in. MergeBase gives you additional capabilities without having to use a large number of developers to remediate these vulnerabilities right away, either by monitoring for suspicious access or by completely blocking the root cause of these exploits. MergeBase resolves the developer resource crunch by providing additional runtime and remediation capabilities. Not only do they save resources, they are also much quicker to apply.

Small Business

Medium and Small Companies

These companies are starting to become aware of supply chain risks. MergeBase offers them the different options available in our toolset regarding how to analyze applications, where to analyze them, and how to remediate them. We can find the best mix for every organization in a way that does not overwhelm their developer group and maintains its productivity.

Contribution to Research Initiatives

We often hear from prospects, especially in larger and well-established organizations, that they do not have open source. That is why we participated in research with industry partners and the US government on open source usage. We developed an open-source tool that organizations can use to analyze their applications and figure out what percentage of each application is open source. The research concludes that, on average, 80% of the code of even these large enterprises is based on open source. That was a huge eye-opener for most of those organizations, because they assumed it was much lower, and the supply chain risk they are running is correlated with the amount of open source. So if you assume that you do not have open source, you suppose you do not have to manage that risk.


Ready to mitigate risks to your company?