financetom
Technology
financetom
/
Technology
/
Launch of NetRise Provenance Reveals Who and What Are Behind Open Source, And How Risk Propagates Through the Supply Chain
News World Market Environment Technology Personal Finance Politics Retail Business Economy Cryptocurrency Forex Stocks Market Commodities
Launch of NetRise Provenance Reveals Who and What Are Behind Open Source, And How Risk Propagates Through the Supply Chain
Mar 24, 2026 3:04 AM

Intelligence from millions of packages in thousands of repositories identifies contributors and maintainers who add risk, enabling better decision making among software developers and third-party risk teams.

AUSTIN, Texas, March 24, 2026 /PRNewswire/ -- NetRise®, the software supply chain security company that exists to eliminate blind trust in software, today announced the launch of NetRise Provenance, a new product that identifies risk associated with contributors to the open source components inside enterprise software and connected devices, and how far the risk associated with bad actors reaches across portfolios. Provenance adds a layer of trust and intelligence to the NetRise Platform, a deeper look into the Software Bill of Materials (SBOM).

For organizations that buy and operate software, NetRise Provenance adds a level of visibility into risk in the software supply chain that previously was opaque to procurement and third-party risk teams. Those teams now can see a variety of project health signals, including advisory relationships and how compromises propagate through dependency graphs, defining a blast radius from a malicious contributor.

For organizations that build and ship software, NetRise Provenance enables developers and product security teams to set policies to govern selection of open-source projects, automatically failing a build when dependencies cross a risk line.

"Virtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem," said Thomas Pace, co-founder and CEO of NetRise. "Bad actors gain the confidence of a community, become maintainers, misrepresent who is behind a project, and then push malicious code into widely-used packages. Enterprises then scramble to discover their exposure: When a compromised maintainer or project lives inside the software that runs critical operations across their business. NetRise Provenance replaces that guesswork with a clear view of the extent to which that contributor's code reaches."

NetRise Provenance is delivered as part of the NetRise Platform and through a developer friendly API, a command line interface (CLI), or github action. Key capabilities include:

Unified with NetRise's binary system of intelligence

Overlay trust and provenance data on top of NetRise's binary verified software asset inventory so buyers can connect who is behind a component with where it actually runs, how exploitable it is, and which products and devices need to be prioritized.Maintainer and organization attribution

Map open source components to real maintainers and organizations, including country or local level footprint, so teams can apply internal policy, regulatory requirements, and ensure OFAC compliance requirements are met.Policy engine

Feed SBOMs or container images into NetRise Provenance to enrich each package with advisories, contributor risk signals, and repository metadata. Apply simple policies that define what is unacceptable. Pass or fail exit codes let CI systems stop builds automatically when a dependency violates those rules, while reporting templates inform third-party risk and compliance teams.Blast radius and dependency analysis

Use dependency and reverse dependency views to see where a maintainer, project, or repository appears across products, services, and vendors, so teams can scope incidents, sanctions, and policy changes in minutes and communicate to executives and regulators real impact.Trust and hygiene indicators

Combine repository metadata, project policies, update cadence, advisory history, and other security practice indicators into an "at a glance" view that highlights projects with unusual behavior, making it easier to separate risky from healthy dependencies."Software supply chain compromises are beginning to follow a disturbing pattern," said Michael Scott, co-founder and CTO of NetRise. "A bad actor gains trust in one project, and their code silently spreads across thousands of dependency chains. The hard problem isn't finding the compromise - it's answering 'where else does this person's code end up and ultimately run in my environment?' in minutes instead of weeks. We built Provenance to make that query instant. Starting from an SBOM, filesystem, or container image, we map every package back to its maintainers, their organizations, their locations, and their advisory history, including for binaries - then let teams set policy against it. The XZ Utils compromise was caught by accident. Provenance makes it where you no longer rely on luck."

"Software supply chains increasingly depend on open source, which raises the importance of understanding not only what is in an application, but also who maintains it and how maintainer risk is concentrated across projects," said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. "Contributor, organization, and geographic context layered onto dependency and SBOM data helps security and risk teams make clearer deployment decisions, respond faster to emerging threats, and target remediation toward the most exposed dependencies."

"NetRise started by revealing all components inside compiled software," added Pace. "With Provenance, we are now giving builders and buyers a unified view of who is inside that software and how trust is concentrated in specific contributors and projects. This additional visibility allows teams to make proactive decisions that enhance the risk posture for product security teams, and increase resilience for third-party risk teams. This launch marks another milestone in NetRise's journey to a software trust platform that connects code, people, and policy in one place."

NetRise Provenance is available as part of the NetRise Platform for enterprises, software and device makers, consultancies, and public sector organizations, and via API and CLI for developers who want to bring software trust decisions closer to where code is assembled.

Resources

Meet NetRise: Request a meeting with our team in San Francisco for the RSA Conference 2026 from 3/24 - 3/26.Schedule a Demo: To learn more about the value that a software asset inventory brings to global enterprises and device manufacturers alike, see a demo of NetRise Provenance.To attend our RSAC 2026 events, please visit: https://www.netrise.io/company/events/netrise-at-rsac-2026For more information about NetRise Provenance, visit: https://www.netrise.io/products/provenance.For more information or to request a demonstration, visit netrise.io or contact [email protected].

About NetRise

NetRise is the software supply chain security company that exists to eliminate blind trust in software forever. By identifying every component in each binary image across firmware, kernels, operating systems, containers, and applications, NetRise exposes the full stack of inherited risk that source-based tools, vendor SBOMs, and questionnaires cannot see. Non-code related risk uncovered includes hidden dependencies, cryptographic artifacts, misconfigurations, secrets, among others. Global enterprises that produce and consume software, including government agencies, rely on NetRise to validate what they ship and what they run. When unforeseen software vulnerabilities are exploited by bad actors, NetRise answers the question, "where am I exposed?" enabling rapid identification, prioritization, mitigation, and policy updates, reducing material risk to the business.

Media Contact:

Danielle Ostrovsky

Hi-Touch PR

[email protected]

View original content to download multimedia:https://www.prnewswire.com/news-releases/launch-of-netrise-provenance-reveals-who-and-what-are-behind-open-source-and-how-risk-propagates-through-the-supply-chain-302718882.html

SOURCE NetRise

Comments
Welcome to financetom comments! Please keep conversations courteous and on-topic. To fosterproductive and respectful conversations, you may see comments from our Community Managers.
Sign up to post
Sort by
Show More Comments
Related Articles >
How Much Does It Really Cost To Complete Pokémon TCG's First Set?
How Much Does It Really Cost To Complete Pokémon TCG's First Set?
Nov 21, 2024
Nintendo ADR‘s (OTC:NTDOY) Pokémon TCG Pocket, a mobile game that combines the collectible card game experience with a free-to-play model, has made waves with its pricing structure. Gamer and Reddit user Weens4Life has shared how they spent $1,500 to complete the Genetic Apex set—a task that involved opening 1,741 booster packs to obtain all the cards, according to IGN. See...
China claims 'wipe-out' of large telecom fraud centres in northern Myanmar
China claims 'wipe-out' of large telecom fraud centres in northern Myanmar
Nov 21, 2024
BEIJING (Reuters) - China and Myanmar's law enforcement agencies have wiped out all large-scale telecom fraud centres operating in northern Myanmar, Chinese state media reported on Thursday, after an operation at the weekend saw more than 700 arrested. China launched a campaign last year to combat telecom fraud in Myanmar following a surge in crimes targeting Chinese citizens. Since then,...
Huawei To Reportedly Take On Nvidia With Mass Production Of New AI Chips By 2025 Amid US Restrictions
Huawei To Reportedly Take On Nvidia With Mass Production Of New AI Chips By 2025 Amid US Restrictions
Nov 21, 2024
Huawei Technologies Co., Ltd. is set to initiate mass production of its latest AI chip, the Ascend 910C, in early 2025, despite facing significant hurdles due to U.S. trade restrictions. What Happened: The Chinese telecom giant has already distributed samples of the Ascend 910C to various tech firms and begun accepting orders. The chip is designed to rival those from U.S. AI chipmaker Nvidia...
Spotlight on IBM: Analyzing the Surge in Options Activity
Spotlight on IBM: Analyzing the Surge in Options Activity
Nov 21, 2024
Deep-pocketed investors have adopted a bullish approach towards IBM ( IBM ) , and it's something market players shouldn't ignore. Our tracking of public options records at Benzinga unveiled this significant move today. The identity of these investors remains unknown, but such a substantial move in IBM ( IBM ) usually suggests something big is about to happen. We gleaned...
Copyright 2023-2026 - www.financetom.com All Rights Reserved