In Application Security and, recently ASPM, Reachability analysis has become crucial too and a new way to reduce the load of vulnerabilities in vulnerability management. Recent articles from James Berthoty have highlighted why this matters https://pulse.latio.tech/p/reachability-matters-13, but also the confusion around the various types of recheability analysis techniques. This article aims to explain the various types of reachability analysis and how they can interact with each other 

As organizations build complex applications that rely on open-source libraries and containerized environments, traditional security approaches often produce overwhelming amounts of alerts—many of which do not pose real risk. Reachability analysis offers a refined approach by prioritizing vulnerabilities that are actively exploitable, helping security teams focus on what truly matters.

We will also focus on how to use contextual deduplication and contextual Cyber threat intelligence to prioritize and turn off the vulnerabilities that are not meant to be. 

This guide dives deep into reachability analysis, covering its application in code reachability analysis, container reachability analysis, and how Phoenix Security is leading the way in Application Security Posture Management (ASPM). You’ll learn how this technique, combined with contextual risk formulas and deduplication, enhances vulnerability management for modern software ecosystems.

What is Reachability Analysis in the context of ASPM?

Reachability analysis is a process used to determine whether a vulnerability in code, libraries, or containers is actually exploitable in a given environment. By analyzing if vulnerable code paths are reachable during runtime or in application execution, this method helps teams focus on vulnerabilities that pose actual risk, filtering out irrelevant issues and reducing noise.

The analysis comes in various forms, each of which is crucial for comprehensive vulnerability management:

• Code Reachability Analysis: Determines whether vulnerabilities in a codebase can be triggered during execution.

• Library Reachability Analysis: Identifies if vulnerable components within third-party libraries are actively being used in the application runtime.

• Container Reachability Analysis: Assesses whether containerized applications utilize vulnerable packages during runtime.

Are you interested in a more reachable ASPM analysis? Check out the talk :

Code Reachability Analysis: Prioritizing Critical Code Vulnerabilities and how Contextual ASPM helps

In modern software development, code reachability analysis has become essential for securing the software development lifecycle (SDLC). Traditional scanning tools such as static application security testing (SAST) may generate numerous alerts, many of which are not exploitable. This is where code reachability analysis adds value by assessing whether the vulnerable code paths are ever executed during runtime.

For example, a critical vulnerability may exist within a third-party package, but if the application never calls the vulnerable function, the risk is minimal. Code reachability analysis filters out these cases, reducing false positives and helping developers focus on the vulnerabilities that matter. This makes it easier for security teams to prioritize and address risks based on actual usage in the application, improving vulnerability management processes.

The following slide comes from one of the recent talk given at OWASP global application security in San Francisco (slides available here)

Container Reachability Analysis: Securing Containerized Environments

As organizations adopt containerized environments with platforms like Docker and Kubernetes, container reachability analysis has emerged as a key component of modern security practices. Containers bundle application code with all dependencies, including operating system components and libraries, which can introduce vulnerabilities.

Traditional scanning tools might detect these vulnerabilities, but without understanding, if the application actually uses the vulnerable component, security teams can waste time chasing irrelevant risks. Container reachability analysis helps determine whether vulnerable packages within the container are executed at runtime, refining the focus of vulnerability management.

For example, a container may include a vulnerable Linux package, but if that package is never executed, the risk is much lower. This analysis filters out vulnerabilities that do not pose a real threat, allowing teams to focus on those that are actively being utilized by the running containerized application.

Phoenix Security’s Advanced Reachability Analysis for ASPM

Phoenix Security has revolutionized Application Security Posture Management (ASPM) by introducing advanced reachability analysis capabilities. Phoenix enhances traditional vulnerability scanning by introducing static and runtime reachability analysis and powerful contextual deduplication to provide precise vulnerability prioritization.

Static and Runtime Reachability Analysis

Phoenix Security employs two levels of reachability analysis:

1. Static Reachability Analysis: This scans the codebase for loaded vulnerable libraries, even if they are not actively in use. It gives security teams an overview of potential risks in the code and allows them to assess whether vulnerabilities may become exploitable.

2. Runtime Reachability Analysis: This assessment of the running application environment focuses on vulnerabilities that are actively being executed. This type of reachability analysis is especially useful for container reachability analysis, as it helps determine whether containerized applications are using vulnerable components during runtime.

By combining static and runtime analysis, Phoenix Security ensures that security teams have a complete view of their threat landscape, enabling smarter, more focused remediation efforts.

Contextual Deduplication: Reducing Vulnerability Noise

One of the biggest challenges in vulnerability management is dealing with duplicate vulnerability alerts that often arise across different environments. Phoenix Security’s contextual deduplication feature removes duplicated vulnerabilities by considering the context across the entire SDLC, including codebases, containers, and cloud environments.

For instance, a vulnerability in both the codebase and container might be reported twice in traditional tools. Phoenix Security consolidates these duplicate alerts into a single, actionable vulnerability, reducing noise and enabling teams to focus on real threats.

By leveraging contextual deduplication, Phoenix Security helps reduce vulnerability noise by up to 95%, allowing security teams to focus on real-world exploitable risks that need immediate attention.

Prioritization and Risk Management with Reachability Analysis

Phoenix Security’s reachability analysis significantly enhances vulnerability management by prioritizing risks based on their potential exploitation. Traditional methods often rely on broad CVSS scores or EPSS (Exploit Prediction Scoring System) to gauge risk, but these methods do not account for whether the vulnerability is actively used in your environment.

Reachability analysis adds critical context by asking, “Is this vulnerability reachable or in use in my application?” By focusing on real-world exploitation potential, Phoenix ensures that vulnerabilities are prioritized based on actual usage rather than theoretical exposure.

Phoenix Security’s 4D Contextual Risk Formula

Phoenix utilizes a simple structure of probability of exploitation, base severity, and impact analysis

Phoenix Security’s 4D contextual risk formula goes beyond traditional vulnerability scoring by considering multiple factors:

1. Vulnerability Severity: How critical is the vulnerability
2. Dynamic Reachability: Is the vulnerability actively exploitable in the application environment, is the vulnerability weaponized and automatically utilized in the wild to launch large-scale attacks 
3. Threat Intelligence: Are there active exploits for this vulnerability in the wild, is there evidence of exploitation
4. Contextual Data: What is the context of the application’s environment, how external are the assets where the application is deployed, and how impactful are the aggregated application

Contextual Reachability AI: Phoenix adopts contextual reachability analysis to reduce the number of vulnerabilities and transfer the contextual risk when a library is used in production. 

Business Impact and Damage calculation: How much damage can an organization suffer if the vulnerabilities are exploited? 

By correlating these four dimensions, Phoenix Security offers a more nuanced risk score, allowing for smarter, more targeted vulnerability management.

Those prioritization concepts are also explained in the book: https://phoenix.security/whitepapers-resources/ebook-aspm-programs-appsec/ 

Phoenix Security Reachability and EPSS: A Powerful Combination

Phoenix Security integrates EPSS with reachability analysis to provide a comprehensive approach to risk-based prioritization. While EPSS offers a global view of the likelihood of a vulnerability being exploited, reachability analysis adds local context by determining whether the vulnerability is actually in use in your application.

This dual approach ensures that security teams can prioritize vulnerabilities based on global trends and specific environmental risks. It helps teams focus on the most critical issues, enabling more effective remediation and faster security risk reduction.

Conclusion: The Future of Vulnerability Management with Reachability Analysis

In an era where security teams are overwhelmed by vulnerability alerts, reachability analysis offers a smarter, more focused approach to vulnerability management. Whether you’re dealing with vulnerabilities in code, libraries, or containerized environments, reachability analysis helps to filter out the noise and prioritize the vulnerabilities that truly matter.

Phoenix Security’s advanced Application Security Posture Management (ASPM) platform, with its integrated reachability analysis, contextual deduplication, and 4D risk formula, sets a new standard for vulnerability management. By combining these innovations, Phoenix empowers security teams to manage risk more effectively, focus on exploitable vulnerabilities, and reduce overall security noise by up to 95%.

With Phoenix Security, you’re not just finding vulnerabilities—you’re finding the ones that matter.

For more information on how Phoenix Security’s reachability analysis can enhance your security posture, visit our website or contact us today.

Get on top of your code and container vulnerabilities with Phoenix Security Actionable ASPM powered by AI-based Reachability Analysis

Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.

Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data with code analysis to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues.

Why do people talk about Phoenix?

• Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.

• Contextual Deduplication with reachability analysis: Utilizing canary token-based traceability for network reachability and static and dynamic runtime reachability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.

• Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.