Deepfence open-sources ThreatMapper to seek out and rank software program vulnerabilities




Deepfence, a cloud-native security observability platform used by companies such as Amyris, Flexport, and Harness, has open-sourced a tool that automatically finds, maps, and ranks application vulnerabilities across environments.

Founded in 2017, Deepfence focuses mainly on protecting cloud-native workloads, spanning serverless, Kubernetes, container, and multi-cloud deployments. With Kubernetes, for example, companies can deploy Deepfence to analyze network traffic, file-system integrity, running processes, and more, and it works natively with managed Kubernetes services including OpenShift, Google GKE, and Amazon EKS.

While Deepfence has always offered an enterprise edition and a community incarnation known as ThreatMapper, the latter of these is being released under an open source license from tomorrow (October 14).

The announcement comes as software supply chain attacks explode, with “upstream” open source components often in the firing line. Numerous organizations, from government agencies to companies, have been hit by targeted software supply chain attacks in the past year, leading President Biden to issue an executive order outlining measures to combat the threats, while “big tech” has also upped its investments in protecting critical open source software.

Secure the software supply chain

ThreatMapper essentially scans runtime environments for vulnerabilities across the software supply chain, helping companies to contextualize identified threats and prioritize the ones that need addressing most urgently.

At a time when many companies are “shifting left” by focusing their security checks earlier in the development (pre-deployment) process, ThreatMapper acknowledges that vulnerabilities still very much exist in production software, and scans proprietary and third-party (e.g. open source) applications and components for vulnerabilities.

ThreatMapper is built on top of dozens of community feeds that are used by other open source software security scanners on the market, including the National Vulnerability Database (NVD). It also draws on databases from various vendors, operating system distributions, language maintainers, and GitHub repositories.
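The article describes the core idea at a high level: a scanner matches packages found in running workloads against vulnerability feeds such as NVD, then ranks the hits by runtime context rather than by CVSS score alone. The following Python is an added illustration of that prioritization idea, not ThreatMapper's own code or scoring model (which the article does not describe). The weights, the sample findings, and the CVE-EXAMPLE identifiers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability hit from a (constructed) runtime scan."""
    cve: str              # placeholder id, not a real CVE number
    package: str          # affected package as seen in the workload
    cvss: float           # CVSS base score from a feed such as NVD (constructed)
    workload: str         # container / pod the package was found in
    exposed: bool         # workload reachable from outside the cluster
    running: bool         # package is loaded by a live process, not just on disk
    exploit_public: bool  # a feed reports public exploit code for this issue


# Assumed weights for this illustration only; the real product's model is not on the page.
EXPOSED_MULTIPLIER = 1.5
RUNNING_MULTIPLIER = 1.2
EXPLOIT_BONUS = 2.0
MAX_PRIORITY = 20.0


def priority(f: Finding) -> float:
    """Context-adjusted priority: CVSS scaled by exposure and liveness, plus an exploit bonus."""
    score = f.cvss
    if f.exposed:
        score *= EXPOSED_MULTIPLIER
    if f.running:
        score *= RUNNING_MULTIPLIER
    if f.exploit_public:
        score += EXPLOIT_BONUS
    return round(min(score, MAX_PRIORITY), 2)


def explain(f: Finding) -> List[str]:
    """Human-readable list of the factors that raised this finding's priority."""
    reasons = [f"CVSS {f.cvss}"]
    if f.exposed:
        reasons.append("network-exposed workload")
    if f.running:
        reasons.append("loaded by a running process")
    if f.exploit_public:
        reasons.append("public exploit available")
    return reasons


def rank(findings: List[Finding]) -> List[Finding]:
    """Most urgent first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample: note that the highest CVSS score is NOT the most urgent item,
# because that package sits in an internal, non-running build image.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "libfoo", 9.8, "build-image", False, False, False),
    Finding("CVE-EXAMPLE-0002", "webfw", 7.5, "api-gateway", True, True, True),
    Finding("CVE-EXAMPLE-0003", "jsonlib", 5.3, "api-gateway", True, True, False),
    Finding("CVE-EXAMPLE-0004", "dbdriver", 9.1, "orders-svc", False, True, False),
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority(f):5.2f}  {f.cve:<18} {f.package:<9} {f.workload:<12} "
              f"{', '.join(explain(f))}")
```

Running the block prints the four constructed findings in priority order; the exposed, running, exploitable 7.5 outranks the unexposed 9.8, which is the contextualization the article is referring to.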


Above: ThreatMapper by Deepfence goes open source

Deepfence initially launched ThreatMapper as a freemium, proprietary product last year, and in the intervening months the company has worked with “early adopters” from the developer security operations (DevSecOps) community to refine the product and make it fully open source.

“ThreatMapper has been a learning experience, as we considered how the technology would evolve, how it could be put to use, and what business model we’d put in place to sustain it,” Deepfence’s head of products and community Owen Garrett told VentureBeat. “Open-sourcing the technology too early would have been a distraction and would have created external pressure, while we iterated on different roadmaps and models.”

While ThreatMapper will shortly be available under an Apache 2.0 license, Deepfence is also renaming its commercial enterprise product as ThreatStryker, which is being transitioned into a runtime threat mitigation product that uses insights from ThreatMapper to model the “evolution of sophisticated attacks,” providing advance warnings of threats and taking actions to block the source of the attack and quarantine any workload that has been compromised.

In the coming months, Deepfence is also planning to migrate some of the existing premium features over to the open source project, such as deep packet inspection (DPI) for network traffic and network and resource anomaly detection. It is also preparing to develop Deepfence into more of a platform by launching APIs to enable developers to integrate ThreatMapper insights into other apps.

“Experimenting in private, without open-sourcing the code too early, has allowed us to come up with a community and business model that we believe will serve the community very well,” Garrett said.

