Frequently Asked Questions
- Helping you quickly identify and eliminate open source vulnerabilities in your code.
- Ensuring you’re in compliance with open source licensing requirements.
Most of the world’s software is now assembled from reusable open source components such as OpenSSL — yet open source continues to be a major source of risk:
- In 2015 alone, there were thousands of new vulnerabilities found in open source software (source: IBM).
- More than 50% of public vulnerabilities are exploited within 4 weeks of being published.
- Nearly 80% of containers are subject to critical open source vulnerabilities.
- The Community Health Systems breach was caused by the Heartbleed vulnerability (OpenSSL) in a network device, resulting in the theft of 4.5 million sensitive consumer records.
Unlike commercial products such as Microsoft Windows and Apple iOS, open source components are managed by an informal, decentralized community. There are no standard patching mechanisms and no single information source for tracking new public vulnerabilities such as Heartbleed. As a developer, you are responsible for ensuring your code is free of vulnerable components, both before and after it ships. Regulatory authorities are beginning to take notice. Router manufacturer ASUS was charged by the FTC with failing “to take reasonable steps to secure the software for its routers,” including performing vulnerability assessments to identify “well-known and reasonably foreseeable vulnerabilities.” In its settlement with the FTC, the manufacturer agreed to undergo independent third-party audits of its security program for the next 20 years.
- A bill-of-materials showing exactly which open source components, versions and licenses are in your code.
- A risk dashboard showing all vulnerabilities affecting your code, with drill-downs showing which functions are vulnerable and why — even if you’ve modified a component.
- Detailed patching instructions at the line-of-code level, so you can quickly patch affected functions without the risk of breaking dependencies with a complete version upgrade.
- Immediate alerts whenever new vulnerabilities are discovered that affect your code (no rescanning required).
Lexumo’s automated service plugs into your existing workflows (Jenkins, JIRA, etc.) and constantly runs in the background without tuning or consultants. This enables you to ensure automated code security across your entire product lifecycle. (Your source code never leaves your network.)
Lexumo’s “Big Code” platform performs a continuous, Google-like indexed search of the world’s open source software and makes it semantically searchable, based on each program’s functionality rather than on its ASCII source code or binary representation. The result is a searchable graph of the open source we have indexed, stored in a massively scalable, AWS-based cloud stack. This enables our platform to accurately identify both vulnerable and patched components in your code — down to the sub-function level — even when the source has been modified.
Curate & Annotate
Our team of security analysts, assisted by machine learning algorithms, continuously curates our vulnerability and remediation intelligence. We monitor data sources beyond CVE, such as product advisories and mailing lists. We then crawl our graph of open source software and run analytics over every branch of every package to identify vulnerable code, and annotate the graph with each vulnerability for each version of each component, along with patch and license information. The result is an annotated record of publicly disclosed vulnerabilities in open source software, mapped to the code they affect.
Lexumo searches our annotated graph for your code, precisely identifying all open source components and versions compiled into your product. Lexumo also reports on vulnerabilities and licenses for each component. And because our platform is based on indexed-search, newly-discovered vulnerabilities trigger an immediate alert when they apply to your code (no rescanning required).
By analyzing both safe and previously vulnerable versions of code in open source repositories, Lexumo identifies exactly how the vulnerable code was fixed by the open source community. We then provide patch instructions so you can quickly fix your code without a full upgrade that can break other dependencies. We also tell you the minimum version required to eliminate the vulnerability, so you can upgrade at a later date.
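The workflow described in the preceding paragraphs (inventory the components once, then match every new advisory against the stored inventory instead of rescanning, and report the minimum fixed version) can be made concrete with a small model. The following is an added example written for this page, not Lexumo’s code, and the page does not describe how Lexumo actually implements any of it. The Heartbleed version range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is the real one; the component names, paths, licenses and the `backported` field that stands in for function-level detection of an already-applied patch are all constructed for illustration.

```python
"""Index-once, match-on-advisory: a constructed illustration of alerting without rescanning.

Not Lexumo's code. A minimal bill of materials is indexed once at build time; each new
advisory is then matched against that index, so the product itself is never rescanned.
Version handling is deliberately simple: dotted numbers plus an optional OpenSSL-style letter.
"""
from dataclasses import dataclass
import re
from typing import Dict, FrozenSet, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.0.1f' -> (1, 0, 1, 0, 6); '1.0.2' -> (1, 0, 2, 0, 0).

    Numeric parts are zero-padded to four fields so that 1.0 == 1.0.0, and a trailing
    letter becomes a final ordinal so that 1.0.1 < 1.0.1a < ... < 1.0.1g < 1.0.2.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(nums) + (suffix,)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    path: str  # where in the build tree the component was found
    # Advisory IDs whose fix was applied in place without a version bump. This is a
    # constructed stand-in for detecting a backported patch at the function level.
    backported: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive; also the minimum safe upgrade target


@dataclass(frozen=True)
class Alert:
    advisory: str
    path: str
    version: str
    minimum_fixed_version: str


def build_index(bom: List[Component]) -> Dict[str, List[Component]]:
    """Done once per build: group inventory entries by component name."""
    index: Dict[str, List[Component]] = {}
    for c in bom:
        index.setdefault(c.name, []).append(c)
    return index


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the shipped version falls in [introduced, fixed) and the fix was not backported."""
    if component.name != adv.component or adv.id in component.backported:
        return False
    v = parse_version(component.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def match_advisory(index: Dict[str, List[Component]], adv: Advisory) -> List[Alert]:
    """Called when a new advisory arrives: consult the stored index, never the source tree."""
    return [Alert(adv.id, c.path, c.version, adv.fixed)
            for c in index.get(adv.component, []) if is_affected(c, adv)]


# Constructed sample inventory for a fictitious firmware image.
SAMPLE_BOM = [
    Component("openssl", "1.0.1e", "OpenSSL", "third_party/openssl"),
    Component("openssl", "1.0.1e", "OpenSSL", "vendor/sdk/openssl",
              backported=frozenset({"CVE-2014-0160"})),  # same version, fix already applied
    Component("openssl", "1.0.2", "OpenSSL", "tools/openssl"),
    Component("zlib", "1.2.8", "Zlib", "third_party/zlib"),
]

# Real advisory data: Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
HEARTBLEED = Advisory("CVE-2014-0160", "openssl", introduced="1.0.1", fixed="1.0.1g")

if __name__ == "__main__":
    index = build_index(SAMPLE_BOM)
    for alert in match_advisory(index, HEARTBLEED):
        print(f"{alert.advisory}: {alert.path} ships {alert.version}; "
              f"minimum fixed version {alert.minimum_fixed_version}")
```

Only the unpatched 1.0.1e copy produces an alert: the 1.0.2 copy is outside the affected range, and the copy whose fix was backported is suppressed even though its version string is unchanged, which is the distinction between version-string matching and checking what code is actually present.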
Architected for Security
Previous approaches were architected for license compliance — not security. License compliance requires only coarse detection of packages and licenses, which can be accomplished by simply searching the source code for package IDs or source code fingerprints. The hard problem is determining whether a newly disclosed vulnerability affects your code, regardless of package ID or version. Lexumo was built from the ground up to address this problem.
Lexumo doesn't just find vulnerabilities; we also give you instructions to patch them. Built on a massively scalable cloud stack, Lexumo uses patent-pending graph analytics and machine learning technology to precisely identify vulnerable components in your code — even if you’ve modified the component. And because we analyze the essential functionality of your code — rather than relying on superficial metadata about it — we won’t waste your time flagging a vulnerability if you haven’t compiled it into your product, or if you’ve already patched it. This architecture eliminates the false positives and negatives of package-ID and fingerprint matching, enabling development teams to ship and maintain secure code, faster.
Using automated crawlers, data science, and a team of security analysts, we continuously curate our vulnerability and remediation intelligence — over each version and branch of each open source project — to bring you immediate alerts whenever a new vulnerability is discovered that affects your code. As a result, we deliver ongoing guidance that's more relevant and reliable than generic, public databases like NVD.
Built for Developers
Lexumo was built by developers, for developers. We plug into your existing build and ticketing systems to have you up and running in minutes. Our analysis is fully automated — no hints, no tuning, no babysitting.
We are serious about maintaining the confidentiality of your data. Designed by world-class security experts, our security model is an end-to-end process with the following high-level characteristics:
- None of your source code ever leaves your network.
- You can exclude (blacklist) any build directories containing proprietary code.
- You can fully audit exactly what artifacts will be uploaded, before uploading.
- All communication with our platform is via secure FTP using your public key for encryption.
- We have an extensive back-end security architecture including 2-factor authentication for user logins, multi-factor authentication for admins, role-based access control (RBAC), etc.
- Our servers are located in AWS, which is SOC 3 compliant and provides multiple layers of both logical security (Virtual Private Cloud) and physical security. Many of the most data-sensitive organizations in the world, including Capital One, FINRA, and NASDAQ, use AWS as their secure and elastic cloud infrastructure. It is widely accepted that AWS’ public cloud enables organizations to operate more securely than they can in their own data centers.
- Your IP is legally protected under the terms of our contract.
- Sign up for our free code audit. Lexumo will analyze any one of your products or projects at no cost. Setup takes just a few minutes.
- Access: Install our lightweight plug-in on your build server to submit code artifacts to our analysis platform. Your existing build process and tools are unchanged (and your source code never leaves your network).
- Analyze: Lexumo’s automated service does the heavy lifting, continuously analyzing the open source in your product using graph analytics and machine learning to generate detailed reports with actionable risk and remediation information.
- Resolve: Lexumo provides detailed patch information at the line of code level, so you can rapidly eliminate vulnerabilities without breaking other dependencies.
- Alert: Lexumo continuously mines the world's open source product advisories, mailing lists and commit logs, providing you with immediate alerts whenever new vulnerabilities are discovered that affect your code.