Many customers doubt that we can be more accurate than other companies in the market. Even so, we invite them to scan their systems with MergeBase and with those other tools and compare the results. Sometimes we see that other tools find more vulnerabilities than MergeBase. When we analyze those extra findings more closely, it turns out they are false positives. MergeBase provides real-time visibility into the risk to your enterprise applications from vulnerable open source components at every stage of the development process, so you don’t waste time on false positives.
Making Upgrades Doable
MergeBase can be used in situations where upgrading even a single library would require a significant amount of effort. We also offer runtime mitigations so that, in some cases, you can surgically address the vulnerability directly inside the library.
Addressing security issues in production
In the SCA space and in application security there is an interesting paradox. There is a whole movement and momentum towards shifting left, that is, towards fixing problems as early as possible in the development lifecycle. And yet, what we’re trying to protect is production. Production is where the data is and where the software is running.
MergeBase can address either side. It helps address the problems as early in the development lifecycle as possible, because that’s where they are cheapest to fix and where they need to be fixed anyway. It also analyzes production systems accurately, showing the actual vulnerabilities in the running system, which may differ from what was built: it may be configured differently, additional plugins or libraries may have been installed later in the process, and so on.
For deployed production applications, you want to make sure that known vulnerabilities are not present in the running production system. To analyze them accurately, you need to look at their binaries. It’s the binary that is actually executing, so it’s the binary that will contain the known vulnerability, if it does indeed have one. MergeBase’s ability to scan binaries directly is critical.