
NetRise has announced a major update to its software supply chain security platform, introducing capabilities that prioritize remediation and mitigation of components actively executing at run-time. The update enhances platform scalability and adds features designed to improve efficiency across the software development lifecycle and security operations. By focusing on what actually runs on devices, NetRise aims to help enterprises more effectively manage real-world risk across complex global environments.
The update is also intended to make better use of users’ time when prioritizing, mitigating, and remediating vulnerabilities found in the software they produce, and to reduce risk in the environments in which that software runs.
“Vulnerability management and threat intelligence teams often suffer from and are distracted by noise in the systems they use to protect their enterprise infrastructure,” said Thomas Pace, founder and CEO of NetRise. “The capabilities we’ve announced today allow them to focus on those vulnerabilities that are both accessible on the network and automatically execute at runtime. With this intelligence, the SOC team has at their fingertips a mechanism to update policies and mitigate those vulnerabilities before a threat actor can take advantage.”
Features introduced in the updated NetRise platform include reachability analysis, which provides context on whether a vulnerability is reachable and executable within a given system, including user execution context—enabling more effective prioritization by focusing on real threats. The SBOM Edit feature allows users to manually add, remove, or modify SBOM components, as well as include licensing information or metadata often lost during the build process, improving SBOM accuracy.
Also, the Fix Version feature identifies the minimum component version in which a vulnerability is resolved, helping prioritize issues that are easier to remediate. Additionally, a rearchitected platform foundation enhances scalability and accelerates future development cycles.
“When we analyze systems and artifacts, we typically find hundreds or even thousands of vulnerabilities, but the vast majority are in components that never actually execute. This creates a dangerous signal-to-noise problem – security teams waste precious time investigating CVEs in dormant libraries while missing the critical vulnerabilities in applications that run,” said Michael Scott, co-founder and CTO of NetRise. “By mapping the execution chain from autostart entries through scripts to the actual vulnerable components, we can reduce vulnerability noise drastically and help teams focus on what actually matters: the vulnerabilities that can actually be exploited when the asset powers on or loads. This is the difference between theoretical risk and real attack surface.”
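The idea in the quote above, walking the execution chain from autostart entries down to the components that actually load and keeping only the CVEs in those components, can be sketched in a few lines. The following is an added illustration, not NetRise code and not a description of how the NetRise platform is implemented; the autostart entries, execution chain, component names, versions and CVE identifiers are constructed placeholders.

```python
from collections import deque

# Constructed sample data for this illustration: the entries, components,
# versions and CVE identifiers are placeholders, not findings from any device.
AUTOSTART = ["rc.local", "crontab"]          # entries that run when the asset boots
EXEC_CHAIN = {                                # what each item invokes or loads
    "rc.local":       ["start-web.sh", "busybox"],
    "crontab":        ["rotate-logs.sh"],
    "start-web.sh":   ["httpd"],
    "httpd":          ["libssl", "zlib"],
    "rotate-logs.sh": ["logrotate"],
    "logrotate":      ["zlib"],
}
FINDINGS = [  # SBOM components with placeholder CVEs and the versions that fix them
    {"cve": "CVE-0000-0001", "component": "libssl",  "fixed_in": ["3.0.2", "1.1.1"]},
    {"cve": "CVE-0000-0002", "component": "zlib",    "fixed_in": ["1.2.12"]},
    {"cve": "CVE-0000-0003", "component": "libxml2", "fixed_in": ["2.9.13"]},  # dormant
    {"cve": "CVE-0000-0004", "component": "busybox", "fixed_in": []},           # no fix yet
]

def reachable_components(autostart, exec_chain):
    """Breadth-first walk from the autostart entries; returns everything that executes."""
    seen, queue = set(autostart), deque(autostart)
    while queue:
        for child in exec_chain.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def version_key(version):
    """Numeric dotted versions only (e.g. '1.2.12'); enough for the constructed data."""
    return tuple(int(part) for part in version.split("."))

def min_fix_version(fixed_in):
    """Lowest version that resolves the CVE, or None when no fix is published."""
    return min(fixed_in, key=version_key) if fixed_in else None

def prioritize(findings, autostart, exec_chain):
    """Keep only CVEs in components on the boot-time execution chain, with their fix version."""
    running = reachable_components(autostart, exec_chain)
    kept = [
        {"cve": f["cve"], "component": f["component"], "fix_version": min_fix_version(f["fixed_in"])}
        for f in findings if f["component"] in running
    ]
    return sorted(kept, key=lambda f: f["cve"])

if __name__ == "__main__":
    for finding in prioritize(FINDINGS, AUTOSTART, EXEC_CHAIN):
        print(finding)
```

On the constructed data the dormant libxml2 finding drops out, while the busybox finding is kept with no fix version, which is the case a team would have to mitigate rather than patch.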
In its Supply Chain Visibility & Risk Study, published in the fourth quarter of last year, NetRise reported that on networking devices whose compiled software NetRise analyzed, an average of 1,102 CVEs were found per device. The report showed how to prioritize those CVEs to focus on those that were network accessible, reducing the work required of a manufacturer’s development team or of an enterprise’s third-party risk management team.
“Today’s announcement, giving those teams visibility into components that autorun on startup, reduces that work even further,” said Pace. “This allows software developers to remediate the most critical vulnerabilities, reducing the time to deliver secure software. And for buyers of networking and other connected devices, third-party risk teams and their partners in procurement now have the tools to negotiate more effectively with their vendors to further reduce risk in the enterprise.”

Industrial Cyber News Desk