April 20, 2024

A Software Supply Chain Security Firm

https://www.phylum.io/

Phylum’s proactive approach to analyzing the risk inherent within the software supply chain is built from years of research and observation.

Instead of taking a retrospective approach and analyzing incidents after they occur, Phylum starts by consuming all available information about open-source packages and structuring it in a consistent format for analysis. Layers of analytics, heuristics and ML models comb through that data to find risk indicators. Deductive analysis then weighs each indicator against the full context of the package it was found in, and the resulting risks are prioritized according to the risk tolerance criteria set by the organization.

This allows Phylum to surface and prioritize meaningful issues before an incident occurs, in a manner that doesn’t overwhelm security teams. These risks can then be addressed before they lead to compromise, outages, service degradation at runtime, or legal liability.

Provenance-Based Risk Approach

To truly mitigate the risk of using open-source software, organizations must continuously analyze every package published into the many ecosystems, in real time and at scale. The open-source ecosystem continues to grow at an increasing rate, but how do you know what code to trust, and why?

At Phylum, we first apply our U.S. Intelligence roots to answer two main questions through an adversarial lens:

  1. How could an attacker gain access to this package?
  2. What kinds of impact could an attacker achieve through it?

Then, we leverage our practitioner experience to answer the following:

  1. Is this a reasonable component to use?
  2. What technical and feasibility risks come with using it?
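The following is an added illustration of the pipeline described above (normalized package records, heuristics that emit risk indicators, a deductive context pass, and prioritization against an organization-defined tolerance) with each indicator tagged by the lens it answers: access, impact, or suitability. It is example code written for this page, not Phylum's own software or schema; the package records, the allow-list of well-known names, the indicator codes, severities and thresholds are all constructed for the example.

```python
"""Hypothetical risk-indicator pipeline over normalized package metadata (example, not Phylum's code)."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2024, 4, 20)  # fixed "now" so the example is deterministic

# Constructed sample records (hypothetical packages, not real registry data),
# already normalized into one shape regardless of source ecosystem.
PACKAGES = [
    {"name": "exmaple-utils", "ecosystem": "npm", "version": "1.0.2",
     "first_published": date(2024, 4, 17), "maintainers": ["newdev"],
     "weekly_downloads": 31, "install_scripts": {"postinstall": "node setup.js"}},
    {"name": "veteran-lib", "ecosystem": "npm", "version": "4.2.0",
     "first_published": date(2015, 3, 1), "maintainers": ["alice", "bob"],
     "weekly_downloads": 2_500_000, "install_scripts": {"postinstall": "node-gyp rebuild"}},
]
KNOWN_NAMES = {"example-utils", "veteran-lib"}  # constructed list of well-known names


@dataclass(frozen=True)
class Indicator:
    code: str
    lens: str      # "access" (how an attacker gets in), "impact" (what the code could do), "suitability"
    severity: int  # 1 (informational) .. 10 (critical); assumed scale
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag names confusable with well-known packages."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def heuristics(pkg: dict, as_of: date = AS_OF) -> list:
    """First pass: independent heuristics, each emitting an indicator under one lens."""
    found = []
    if len(pkg["maintainers"]) == 1:
        found.append(Indicator("single_maintainer", "access", 4, "one account controls publishing"))
    age_days = (as_of - pkg["first_published"]).days
    if age_days < 30:
        found.append(Indicator("new_package", "access", 3, f"first published {age_days} days ago"))
    for hook, cmd in pkg["install_scripts"].items():
        found.append(Indicator("install_script", "impact", 7, f"{hook}: {cmd}"))
    for known in KNOWN_NAMES:
        if pkg["name"] != known and edit_distance(pkg["name"], known) <= 2:
            found.append(Indicator("name_confusable", "access", 6, f"resembles {known}"))
    if pkg["weekly_downloads"] < 1000:
        found.append(Indicator("low_adoption", "suitability", 2, f"{pkg['weekly_downloads']} downloads/week"))
    return found


def contextualise(pkg: dict, indicators: list, as_of: date = AS_OF) -> list:
    """Deductive pass: re-weigh each indicator against the rest of the package's context."""
    established = (as_of - pkg["first_published"]).days > 365 and pkg["weekly_downloads"] > 100_000
    codes = {i.code for i in indicators}
    out = []
    for i in indicators:
        sev = i.severity
        if i.code == "install_script":
            if established:
                sev = max(1, sev - 4)   # long-lived, widely used build hook: probably a native build step
            elif codes & {"new_package", "name_confusable"}:
                sev = min(10, sev + 3)  # install hook on a brand-new or look-alike package: classic attack shape
        out.append(Indicator(i.code, i.lens, sev, i.detail))
    return out


@dataclass(frozen=True)
class Policy:
    """Organization's risk tolerance (assumed shape): hard stop, budget, and reporting floor."""
    block_severity: int      # any single indicator at or above this blocks the package
    max_score: int           # total severity the organization tolerates
    report_min_severity: int # indicators below this are not surfaced to the team


STRICT = Policy(block_severity=6, max_score=10, report_min_severity=1)
LENIENT = Policy(block_severity=9, max_score=30, report_min_severity=3)


def evaluate(pkg: dict, policy: Policy, as_of: date = AS_OF) -> dict:
    """Run heuristics, contextualise, then prioritize and decide under the given policy."""
    weighed = contextualise(pkg, heuristics(pkg, as_of), as_of)
    score = sum(i.severity for i in weighed)
    blocked = any(i.severity >= policy.block_severity for i in weighed) or score > policy.max_score
    reported = sorted((i for i in weighed if i.severity >= policy.report_min_severity),
                      key=lambda i: -i.severity)
    return {"name": pkg["name"], "decision": "block" if blocked else "allow",
            "score": score, "indicators": reported}


if __name__ == "__main__":
    for pkg in PACKAGES:
        for label, policy in (("strict", STRICT), ("lenient", LENIENT)):
            result = evaluate(pkg, policy)
            print(f"{result['name']:14} {label:8} {result['decision']:5} score={result['score']}")
            for ind in result["indicators"]:
                print(f"    [{ind.lens}] {ind.code} (sev {ind.severity}): {ind.detail}")
```

The context pass is what keeps the output from overwhelming a team: the same `postinstall` hook scores 3 on the decade-old, heavily used package and 10 on the three-day-old look-alike with a single maintainer, so the two policies agree on both packages while the lenient one simply reports fewer low-severity items.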
