What’s New: August 2024

The Mayhem Team
August 21, 2024

Our latest release of Mayhem goes live this month to cloud hosted customers, and for self-hosted customers, your Mayhem customer solutions team will be in touch to schedule an upgrade (more on that later). 

For this release, we’ve improved import/export capabilities, refined our analysis of Windows targets, and launched the first iteration of automated defect tracking. You’ll also see a sneak peek of our (coming soon) new UI: we’re too excited to hide it from you!

Here’s a little breakdown of each of the features. For more information, check the docs or get in touch with the team.

Easily Ingest Static SBOMs via the Mayhem UI

As an application security platform, we have users from both security and engineering teams. One of the most asked questions from our security users was “I have an SBOM, how can I ‘dynamic-ize’ it in Mayhem without going through my dev team?”

Well, now you can! In the Mayhem web console, you can now upload SBOM and SCA reports from other tools and use them to generate Dynamic SBOMs based on Mayhem’s observations. Today, this supports flat file ingestion in standard formats (SPDX, CycloneDX, SARIF, etc.). As additional native SCA integrations are developed, they’ll be added to this flow.

In just a few clicks you can filter down generated SBOMs to only the components and CVEs on your attack surface.

In our next release, we’ll be automating profile generation for any image Mayhem ‘sees’—whether it's part of a Dynamic SBOM scan, or added as a target for code analysis. For customers using Mayhem’s internal registry to store targets for analysis, this means you’ll automatically get a dynamic SBOM generated on all your images. 

Improved Symbolic Execution

Mayhem’s patented symbolic execution allows us to identify untested code, and pinpoint new ways to break it, in ways that other types of testing can’t. It’s a key part of Mayhem’s set of testing engines, and helps our largest customers ensure code coverage at a massive scale.

For this release, we’ve released a number of improvements to Symbolic execution:

  • Improved memory map handling: Mayhem’s SE engine now makes smarter decisions about retaining or dumping the memory map between calls, speeding up performance between cycles.
  • Faster symbolic execution startup time: the symbolic execution phase of an analysis run now starts significantly faster, in some cases in less than a quarter of the time it used to take.
  • Smarter syscall filtering: we’ve improved the part of symbolic execution that determines whether a syscall has ‘interesting’ (i.e., likely to be linked to an exploit) behavior. As a result, we can skip a significant amount of unneeded syscall processing, speeding up symbolic execution.

Want a full download? Book some time with one of our engineers to discuss the technical details and get a full view into the latest set of improvements. 

Easy Sharing of Compliance Artifacts With Test Exports

A number of Mayhem customers rely on its AI-driven test generation to fulfill requirements around non-deterministic testing, fuzz testing, or other testing needs. We’ve made it easier than ever to share Mayhem’s test suites—and aggregated test results—across your organization for use in audits or compliance attestations. 

Within any Mayhem run, users can now quickly download the full set of tests built and executed by Mayhem, along with the results from each individual test (did it pass, fail, or regress?). This eliminates the need to use the Mayhem API to pull test cases, or to manually download individual tests as examples. Mayhem users can now pull a complete set of Mayhem tests and provide them as needed.

Track Remediation Rate and MTTR More Easily With Automated Defect Lifecycles

Mayhem’s automated regression testing and runtime profiling ensure that you’re always finding new vulnerabilities and exposures. But understanding how you’re doing on remediation has required going back to past analysis results or historical profile data to see what’s still open and what’s been resolved.

Now available in limited beta, Mayhem automatically tracks individual defects across branches, builds, and analysis runs. This is available for vulnerabilities found during code analysis. Support for vulnerabilities found in API analysis is on its way.

When Mayhem runs a regression test that previously found a vulnerability and is no longer able to reproduce the issue, Mayhem will mark that vulnerability as closed within the target. For targets with multiple branches, this is handled on a per-branch basis—so a vulnerability may be open in one branch, and resolved in another. 

When viewing aggregated information at the target or project level, Mayhem uses the default branch (as configured in your project settings) to determine a canonical ‘status’ for a defect. By clicking into an individual defect, you can see its status in individual branches.
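To make the per-branch lifecycle concrete, here is an added illustration (not Mayhem’s own code): a small model in which each regression run opens or closes a defect on one branch, the configured default branch supplies the canonical status, and remediation rate and MTTR are derived from the closed intervals. The defect ids, branch names and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class BranchStatus:
    opened: datetime
    closed: Optional[datetime] = None  # set when a regression run no longer reproduces it

@dataclass
class Defect:
    defect_id: str
    branches: Dict[str, BranchStatus] = field(default_factory=dict)
    def record_run(self, branch: str, reproduced: bool, when: datetime) -> None:
        # Update the status on `branch` after a regression run; other branches are untouched.
        st = self.branches.get(branch)
        if reproduced:
            if st is None or st.closed is not None:
                self.branches[branch] = BranchStatus(opened=when)  # new or reopened
        elif st is not None and st.closed is None:
            st.closed = when  # no longer reproducible: closed on this branch only

    def canonical_status(self, default_branch: str) -> str:
        # Target/project-level status is read from the configured default branch.
        st = self.branches.get(default_branch)
        return "unknown" if st is None else ("closed" if st.closed else "open")

def remediation_metrics(defects: List[Defect], default_branch: str):
    """Remediation rate = closed/total on the default branch; MTTR = mean(closed - opened)."""
    durations, total, closed = [], 0, 0
    for d in defects:
        st = d.branches.get(default_branch)
        if st is None:
            continue
        total += 1
        if st.closed is not None:
            closed += 1
            durations.append(st.closed - st.opened)
    rate = closed / total if total else 0.0
    mttr = sum(durations, timedelta()) / len(durations) if durations else None
    return rate, mttr

def build_sample() -> List[Defect]:
    """Constructed regression-run history (not real Mayhem data)."""
    t0 = datetime(2024, 8, 1)
    d1, d2, d3 = Defect("D-1"), Defect("D-2"), Defect("D-3")
    d1.record_run("main", True, t0); d1.record_run("main", False, t0 + timedelta(days=2))
    d2.record_run("main", True, t0); d2.record_run("feature", True, t0)
    d2.record_run("feature", False, t0 + timedelta(days=1))  # fixed on feature, open on main
    d3.record_run("main", True, t0); d3.record_run("main", False, t0 + timedelta(days=4))
    return [d1, d2, d3]
```

With the sample history, `remediation_metrics(build_sample(), "main")` reports two of three defects remediated with an MTTR of three days, while D-2 shows as open on `main` and closed on `feature`.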

New Update Server for Self-hosted Customers 

For customers that run Mayhem within their own environment, we now allow you to upgrade from a central location: updates.mayhem.security. This contains the necessary artifacts for packaged installation in air-gapped environments, as well as the Helm charts and images for connected deployments.

For customers currently updating Mayhem quarterly—don’t worry, nothing’s changing (unless you want it to). This allows our self-hosted customers to enjoy the same release cadence as our cloud customers if they so choose. In your regular update workflows, your Mayhem CS rep will work with you on changing over to the new update server as needed.

Improvements & Fixes

In addition to the features above, the team fixed 108 bugs and completed 65 minor improvements or updates across Mayhem and its components. A few of the more notable updates are:

  • When API analysis is started from an integrated CI tool, Mayhem now displays a link to the CI job in the analysis run details.
  • Added better error handling in the CLI for when users try to start a code analysis run but are missing necessary packages or dependencies.
  • Fixed an issue that caused target and project names to display underscore characters differently between the CLI and Web Console.
  • Runtime errors now inherit their severity from the linked CWE, so it’s no longer possible to have a CWE with severity Low linked to runtime errors with severity Critical (or vice versa).
  • Fixed an issue where Mayhem incorrectly counted regression tests that were no longer linked to the optimized test suite. This would result in test passing rates over 100% on runs with large optimized test suites.

What’s Next

Mayhem 2.10 will be released in Q4 2024, and will include the following, along with the usual assortment of fixes, improvements, and iterations:

  • A complete overhaul of the Mayhem Web Console, with a streamlined UI, new project level dashboards, and improved performance
  • For code analysis targets that require harnessing, Mayhem will generate language-specific templates that can be used as scaffolding for easier harness creation. This is the first of several steps as we work on automating harness generation.
  • Teams using Vector tools in embedded or OT development will have improved integration points with Mayhem for software-in-the-loop testing. (We have some additional slots in our design partner program for the next wave of integrations. If you’re doing OT development, get in touch!)
  • Improved triage of API analysis results. This will allow customers to (optionally) group API findings based on the underlying problem. Today, Mayhem provides separate results (e.g., a SQL Injection vulnerability may have both a defect for the SQL Injection, and a defect for a 500 Error). 
  • Automated profiling of all container images known to Mayhem. This means that for any container image in a Mayhem registry, or ingested by Mayhem as an analysis target, a Dynamic SBOM will be generated. Customers with integrated external SCA/SBOM tools will see results automatically filtered. For customers without integrated SCA/SBOM tools, Mayhem will generate both static and dynamic reports.

We’re proud of the improvements we've made with this release and excited to continue to work to make Mayhem even better. Our commitment to delivering cutting-edge solutions remains strong, and we're eager to hear about how these updates make a difference in your day-to-day operations. 

Ready to explore these new features or have questions? Get in touch with our team—we’re here to help you make the most of Mayhem.

Thanks for your support!

The Mayhem Team
