
FOSSA Acquires EdgeBit: From Scanning to Updating

September 29, 2025 · Kevin Wang · 4 min read

We’re excited to share that FOSSA has acquired EdgeBit, a pioneer in dependency and security updates using static analysis. We welcome the EdgeBit team and customers into the FOSSA family. This is a big step in our mission to evolve software supply chain management from a world of scanning and triage to one of fixing and automation.

The Software Supply Chain Has Outpaced Our Systems

Software is becoming obsolete at unprecedented speed. New releases, patterns, and vulnerabilities are emerging nonstop, and coding agents are amplifying the pace even further.

Outdated software isn't just a maintenance headache: it is the largest source of vulnerabilities and compliance issues, and a major contributor to technical debt. Because ecosystems evolve so quickly, falling behind on updates means missing emerging best practices, compounding compatibility debt, or leaving a codebase exposed to known-vulnerable or malicious packages. The window to act is short; 75% of new CVEs are exploited within only 19 days. For modern development teams, update programs need to move as quickly as the ecosystem does.

Updates Are Leverage

Scanners play a crucial role in identifying issues in our software supply chain. However, teams today are overly reliant on the scan-triage-fix workflow. At scale, this consumes human capacity on low-value effort: chasing false positives, responding to fire drills, or reacting too late.

At FOSSA, we’ve been collaborating intensely with our customers on a common problem: too many alerts, not enough fixing. While we can build tools to filter alerts and even automate parts of the engineering work to triage and fix, ultimately investing development time toward handling alerts is low leverage. Instead, we should ask ourselves why our software’s surface area is so unmaintained in the first place.

If we succeed in giving teams more capacity, we need to invest it wisely, and our view is that the most powerful place to put it is prevention: continuously cleaning up our surface area so that we holistically shrink what remains to be managed with the scan-triage-fix workflow.

(Image: fossabot completes tasks like your best engineer)

We believe proactive dependency updates are one of the most powerful ways to invest this capacity, and we are excited to partner with our customers to help them scale these programs.

Evolving from Scanning to Updating

Ultimately, the only way to properly maintain our supply chains is to get developers to commit time to dependency updates. However, updates aren’t simple chores — they can be just as complex, expensive, and strategic as any other senior engineering task. Many demand careful planning around code impact, refactoring, and sequencing. Even triaging an update can require days of research.

Solving this challenge won’t come from improving triage — it will come from fundamentally increasing the capacity of engineering teams to prioritize and perform effective updates, safely. Our systems must evolve to model the tradeoffs that exist in making updates, introduce reasoning into the process, and treat them as the complex engineering tasks they truly are.

Unfortunately, today this looks like an impossible bottleneck. In many teams it is culturally difficult to allocate time to maintenance work, and existing scanning tools focus more on generating work than on helping teams perform it. More advanced techniques like reachability analysis and static analysis have emerged, but they still function mainly as a noise filter rather than automating the real engineering work involved in updates.

Thus, if we want to solve this problem, we can't just build better filters. We need new technology that can actually plan and execute complete engineering tasks, not create more of them.

Welcoming EdgeBit

We believe our mission of “increasing engineering capacity to shrink your surface area” is an ambitious feat that requires new technology, new product concepts, and new applications.

EdgeBit has spent years building exactly this kind of technology. They have assembled a world-class team to develop novel static analysis and to automate real engineering work through integration with AI, rooted in solving hard computer science problems.

Over the past few months, we’ve been working closely with them to integrate this technology into a new product, and the results have been exceptional. Within our own team, agents have outperformed our internal developers consistently on triage, and are now leveraged to perform the majority of updates.

In the coming week, we'll share more news about what we've been working on, how we're building it, and what our vision is.

For a sneak peek, check out the blog post by EdgeBit Founder and CEO (and now FOSSA Head of R&D) Rob Szumski on rewriting an NPM package's semver based on breaking changes.
