Page 253 - Cyber Defense eMagazine September 2025
Reachability and Exploitability
How to cut through the noise in modern AppSec
By Julia Lorenz, Solutions Manager at Xygeni
Software today is built at a speed and scale we’ve never seen before. Teams release updates weekly,
sometimes daily, and they rarely start from scratch. Instead, modern applications are assembled like an
intricate puzzle, part custom-built code, part open-source components, and part third-party packages
pulled from public repositories.
This approach powers innovation, but it comes with a hidden cost: you’re not just shipping your code;
you’re shipping the security risks of everyone else’s code too. The vulnerabilities of that open-source
library you grabbed last year? They’re your vulnerabilities now.
To manage this, most organizations rely on Software Composition Analysis (SCA) tools. These tools
scan your codebase, identify all your dependencies, and compare them against public vulnerability
databases such as the National Vulnerability Database (NVD). In theory, that should give you a clear
picture of where you’re exposed.
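The matching step described above, reduced to its core, as an added illustration that is not code from the article or from Xygeni's product: a pinned dependency list is parsed and each package's version is checked against an advisory feed's affected range. The lockfile content, the advisory records and their `EXAMPLE-` identifiers are constructed placeholders, not real packages' advisories or CVEs. Note what the output is: a version-range match per package, with no information about whether the affected code is ever called.

```python
"""Minimal SCA-style version matcher (illustrative, constructed data only)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample lockfile: pinned Python requirements (not a real project).
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.25.1
urllib3==1.26.5
jinja2==3.1.4
"""

# Constructed advisory records standing in for an NVD/OSV-style feed.
# IDs and version ranges are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "EXAMPLE-0002", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0003", "package": "jinja2", "introduced": "3.0.0", "fixed": "3.1.5"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5) so versions compare numerically, not as strings
    ('1.9.0' < '1.10.0' must hold; a plain string comparison gets it wrong)."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are ignored.
    Unpinned lines are rejected: a range cannot be matched against a fixed version."""
    deps: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    version: str


def match_advisories(deps: dict[str, str], advisories: list[dict]) -> list[Finding]:
    """Report every dependency whose pinned version lies in [introduced, fixed).
    The upper bound is exclusive: the 'fixed' release itself is not affected."""
    findings: list[Finding] = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned is None:
            continue  # package not used at all
        ver = parse_version(pinned)
        if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
            findings.append(Finding(adv["id"], adv["package"], pinned))
    return findings


def scan(requirements_text: str = SAMPLE_REQUIREMENTS,
         advisories: list[dict] = SAMPLE_ADVISORIES) -> list[Finding]:
    """Run the whole pipeline on the constructed sample data."""
    return match_advisories(parse_requirements(requirements_text), advisories)


if __name__ == "__main__":
    for f in scan():
        print(f"{f.advisory_id}: {f.package}=={f.version} is in the affected range")
```

On the sample data this flags `requests` and `jinja2` but not `urllib3`, because 1.26.5 is exactly the constructed "fixed" version and the range is half-open. Real feeds complicate the range logic (multiple affected ranges per advisory, pre-release tags, ecosystem-specific version schemes), but the shape of the result is the same: a list of version matches, each of which still needs a reachability and exploitability judgement before it deserves an engineer's time.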
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.