How Lexumo leads a new era in securing open source
Architected for security
Previous approaches were architected for license compliance — not security.
License compliance requires only coarse detection of packages and licenses. It can be accomplished by simply searching the source code for package IDs or source code fingerprints.
Previous tools weren't designed to tell you if your code is vulnerable. Lexumo was built from the ground up to address this challenge.
The big challenge is figuring out whether a new vulnerability affects your code — regardless of package ID or version.
Lexumo's architecture addresses this challenge by bringing together a graph of the world's open source software with precise knowledge about the specific code responsible for public vulnerabilities. We then search your program — not just the ASCII source or metadata, but the actual program — for vulnerable open source functions.
Our robust Big Code approach provides superior accuracy with less noise — fewer false positives and negatives — even if you've modified the source code.
“More than 50% of public vulnerabilities are exploited within 4 weeks of being published.”
Continuous Monitoring & Curation
Our team of security analysts uses machine learning to continuously curate our vulnerability and remediation intelligence from a range of sources. We go far beyond CVE to include additional vulnerability databases, community mailing lists, product advisories, and commit logs.
Our platform knows exactly which open source is in your code and sends an immediate alert when new vulnerabilities are announced. (There's no need to rescan.)
Now you can always and confidently answer the question "Is our open source secure?"
Built for developers
Lexumo was built by developers, for developers. We plug into your existing build and ticketing systems to have you up and running in minutes.
Our analysis is fully automated — no hints, no tuning, no babysitting. And we don't just identify vulnerabilities, we also show you the code to fix them.
Statistics callouts (figures not captured on this page):
- Vulnerabilities in the CVE database. (Source: NVD)
- Share of successful exploit traffic attributed to the top 10 CVEs. (Source: 2016 Verizon DBIR)
- New open source vulnerabilities in 2015. (Source: IBM & VulnDB)