Introducing Mayhem’s Dynamic SBOM Generation and SCA Validation Feature
At Mayhem, we understand the security challenges that organizations face with traditional SBOMs. Eliminating false positives and empowering development teams to focus on remediating the issues that matter is part of our mission at Mayhem. That’s why we’re excited to announce the release of our latest feature: Mayhem’s Dynamic SBOM Generation and SCA Validation.
The Problem With Traditional SBOMs
SBOM has become a buzzword in the AppSec world.
As the idea of SBOM has become more prevalent, it's come up in several conversations, especially during our demos with prospects. However, there's often a misunderstanding about what SBOM entails, and about the problems it can—and can’t—solve.
Not to say that SBOMs don’t have their place in AppSec—since they provide a detailed list of software components, they are useful for compliance and managing the software supply chain.
However, at their core, SBOMs are lists of ingredients, not tools for actionable insight.
False positives make up more than half of SCA results, and development teams spend more time investigating false positives than fixing actual vulnerabilities.
Traditional SCA and SBOM don't solve this problem. Security teams don’t know what their real risk posture is, and developers don’t have enough time to fix the issues that truly matter.
The Mayhem Solution
With this insight, we set out to create an SBOM solution that would change the way SBOMs were used. We envisioned a dynamic, real-time approach to SBOM generation, one that would not only list the components used but also provide actionable insights into which ones mattered.
Mayhem takes a unique approach to SCA by building a runtime profile of your application’s packages and dependencies. Unlike traditional SCA tools that provide static lists of detected components, Mayhem’s profile only includes components actively used when your application runs.
By focusing on the components in actual use, Mayhem filters out upwards of 60% of the results delivered in a typical SCA or SBOM scan, removing false positives and delivering only real vulnerabilities for remediation. This allows teams to fix more issues, ship safer software, and release features faster.
How it Works
Mayhem's dynamic SBOM and SCA validation works by deploying its profiler alongside your application's container engine. As your application containers execute, Mayhem dynamically constructs a profile in real time.
This profile is accessible through various means such as API, CLI, and the Mayhem UI. It seamlessly integrates with your existing SCA and/or SBOM tools to generate a Dynamic SBOM and SCA report that only includes components and CVEs present at runtime. These results can be utilized across various platforms including Slack, Jira, SOC dashboards, ASPM tools, CI/CD pipelines, and more, providing comprehensive vulnerability information wherever needed.
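To make the filtering step concrete, here is an added illustration (not Mayhem's code) of how a runtime profile narrows a static SBOM and its SCA findings. The static SBOM, the runtime profile and the CVE ids are all constructed placeholders; the runtime profile is assumed to be a set of (name, version) pairs that a profiler observed loaded while the application ran.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    cves: tuple = ()  # CVE ids the static scan attached to this exact version


# Constructed static SBOM; the CVE ids are placeholders, not real identifiers.
STATIC_SBOM = [
    Component("libfoo", "1.2.3", ("CVE-PLACEHOLDER-0001",)),
    Component("libbar", "4.5.6", ("CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0003")),
    Component("libbaz", "0.9.0"),
    Component("libqux", "2.0.0", ("CVE-PLACEHOLDER-0004",)),
]

# Constructed runtime profile: (name, version) pairs seen loaded at runtime.
# libqux never loaded; libbar loaded at a version the static SBOM does not list.
RUNTIME_PROFILE = {("libfoo", "1.2.3"), ("libbaz", "0.9.0"), ("libbar", "4.5.7")}


def dynamic_sbom(static, runtime):
    """Keep only SBOM components whose exact name+version was observed at runtime."""
    return [c for c in static if (c.name, c.version) in runtime]


def validate_sca(static, runtime):
    """Split static CVE findings into runtime-confirmed and filtered-out sets, and
    flag runtime components the static SBOM does not list at all (SBOM drift)."""
    loaded = {(c.name, c.version) for c in dynamic_sbom(static, runtime)}
    confirmed, filtered = {}, {}
    for c in static:
        bucket = confirmed if (c.name, c.version) in loaded else filtered
        for cve in c.cves:
            bucket[cve] = f"{c.name}@{c.version}"
    unlisted = runtime - {(c.name, c.version) for c in static}
    return {"confirmed": confirmed, "filtered": filtered, "unlisted": sorted(unlisted)}


if __name__ == "__main__":
    for key, value in validate_sca(STATIC_SBOM, RUNTIME_PROFILE).items():
        print(f"{key}: {value}")
```

A runtime profile only reflects the code paths exercised during the observation window, so the "filtered" bucket is evidence that a component did not load in that run, not proof that it can never load. The "unlisted" bucket is worth surfacing too: a component that runs but is absent from the SBOM is a gap in the SBOM itself.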
Try It Now
With Mayhem’s Dynamic SBOM Generation and SCA Validation feature, you can fix more vulnerabilities, simplify compliance, and stop wasting time on the issues that don’t matter.
Ready to take control of your software supply chain security? Try it today.
Add Mayhem to Your DevSecOps for Free.
Get a full-featured 30 day free trial.