Posts Tagged ‘Application Vulnerability Correlation’


Over the past five years, vulnerability management solutions have incorporated innovations and best-practice technologies from neighbouring areas: endpoint security (using vulnerability scan results to drive endpoint firewall blocking, and local agents for vulnerability scanning), patch management (simplifying remediation by patching vulnerabilities on the major supported platforms), importing vulnerability scan results into penetration testing (pentest) tools for exploit verification, the rising interest in static application security testing (SAST), the rise of cloud scanners, integration with web application firewalls (WAF), and the merging of vulnerability scanning with configuration auditing.

In the coming years we expect enterprise dashboards that consolidate the output of the respective network, application, database and other scanners to provide unified application vulnerability correlation (AVC).

As vulnerability management solutions keep growing and maturing, price points will continue to drop, because more players from different industries will enter and offer "me-too" solutions. At the same time, open source alternatives continue to advance and hold down the prices of commercial solutions, the usual balancing act of market supply and demand.

We also expect specialised scanner functionality to be further absorbed into generic scanners. The market for truly specialised tools will shrink, and most of them will probably be taken over by the larger generic players.

In the end the market will divide into two camps: those who continue to use specialised scanners to get things done, but with a set of different scanners (mostly professional users), and enterprise-grade vulnerability management with a range of modules and options that can be turned on to perform those advanced features. It resembles the Unified Threat Management (UTM) trend in the firewall market.

How many options and modules a vendor can provide, together with a lower overall total cost of ownership, will be important buying criteria.

Mobile app security testing and mobile phone vulnerabilities will be one of the areas attracting attention, an option most modern enterprises are interested in so they can perform deep mobile application security testing, since most Internet traffic will come from mobile devices and the apps on them.

For customers new to this solution market or with a requirement in hand, feel free to contact an E-SPIN solution consultant about your project or requirement.



Application security testing has three core sets of technology vendors, focused on Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) or Interactive Application Security Testing (IAST) as the solution for their target user group.

So far no vendor can claim that a single product addresses all three core result areas; at most they want you to buy a sister or complementary product (so it is not a single product).

To be specific, this topic focuses on Static Application Security Testing (SAST), which is heavily used by development teams.

The market has a range of offerings, both open source and commercial. Since open source depends on the user to adopt it and on self or community support, we focus here on commercial tools: they are paid tools that involve a financial investment, and we want to share some insight into how to choose a SAST tool.

Although in recent years more and more security team personnel have become interested in SAST, most of them lack one precondition competency to master it well: a fundamental programming skill set, whether in Java, C/C++, .NET or the rest.

A great tool appreciated by programmers and developers may or may not be the right tool for a security officer, mainly because of the core competency required to understand the program code. If you do not understand the code, how can you study it and attempt a secure code review? If you depend purely on the automated tool and know no programming language at all, you can imagine how the report will look and whether you can answer the developers' questions about its findings.

Nowadays more and more commercial vendors market their products as cross-platform, covering all languages, but you will notice that development teams are not really excited about that, since they work on one or very few platform technologies. If you ask them to buy a SAST tool that claims to support ten languages, it is nice to have if it is not their money. In reality they may focus on one platform only, and in that scenario a platform-specific SAST tool is more relevant, costs much less and offers more to-the-point platform support. It is also much easier to understand and use.

Do not get us wrong: we are not against universal static application security testing tools. They have their own market; in fact, we supply them too for some customer segments. Our focus here is the perspective of the development team, who need development tools not just for static code analysis but also for functional, load and runtime memory error testing, to ensure the quality of the application beyond application security testing alone.

Once you develop the right perspective, it is much easier to balance the requirements of the security and development teams. On top of that, remember the rise of application vulnerability correlation (AVC) technology. The security team can keep using its dynamic application security testing (DAST) tool, and the development team can use its platform-specific and more advanced static application security testing (SAST) tool. Both share their results in the AVC platform, dashboard and reports, which provide unified vulnerability management and a holistic view.

Another, more costly and conventional approach is to invest in an enterprise-grade solution that covers everything end to end and forces all users onto the integrated solution.

Technology keeps advancing at a fast pace, and you will notice that purpose-built or platform-specific tools are updated and upgraded faster than integrated tools.

One last area most enterprises forget to invest in is secure code review competency training for developers and security officers. It needs to be competency-specific and may not be product-specific. One of the best ways to acquire it is to subscribe to computer-based interactive training (CBT) developed specifically for the target competency area, such as secure code review for .NET, C/C++ or Java.

If you have a case-specific question, feel free to contact E-SPIN about your case and requirement, whether about dynamic or static application security testing tools, security testing, or the competency-based secure code review CBT training program.



Application Vulnerability Correlation (AVC) by E-SPIN

Application Vulnerability Correlation (AVC) refers to application security workflow and process management tools that aim to streamline application vulnerability remediation in the software development life cycle (SDLC) by incorporating findings from a variety of security-testing data sources into a centralized tool.

It is particularly useful for providing a "unified" lens and perspective to both the developer team and the application security team (who perform application security audits and pentests), so that they communicate about application vulnerabilities in a unified manner. The security team imports the Dynamic Application Security Testing (DAST) results it scans, finds and detects into the AVC system, and the developer team imports its own application vulnerability scan results into the AVC for sharing and communication with the security team.

The benefits? By creating a consolidated, unified view of your applications' vulnerabilities, AVC tools accelerate the remediation of vulnerable apps by fully automating the flow of application vulnerabilities between testing tools and centralized application security functions. This workflow automation is even more important with the trend toward DevOps, Continuous Integration (CI) and Continuous Deployment (CD) adoption.
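As an added example (not E-SPIN's product or any vendor's code), the following Python sketch shows the core of what an AVC tool does with the DAST and SAST results described above and in the previous post: normalise findings from two tools into one schema, de-duplicate repeated imports by fingerprint, and correlate across tools so that a weakness reported by both SAST and DAST is flagged as confirmed and surfaces first. The tool export formats, the route-to-source-file map and the severity scales are assumptions, and the sample findings are constructed.

```python
"""Minimal application vulnerability correlation (AVC) example.

Constructed sample findings from a hypothetical SAST tool and a
hypothetical DAST tool are normalised into one schema, de-duplicated
across repeated imports, and correlated across tools by CWE plus a
route-to-source mapping. The mapping is an assumption; real AVC
products derive it from build, routing or instrumentation data.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample exports (not any real tool's output format).
SAST_EXPORT = [
    {"rule": "SQLi", "cwe": 89, "file": "src/account/login.py", "line": 42,
     "severity": "High"},
    {"rule": "XSS", "cwe": 79, "file": "src/search/view.py", "line": 17,
     "severity": "Medium"},
    {"rule": "Hardcoded secret", "cwe": 798, "file": "src/config.py",
     "line": 3, "severity": "Low"},
]
DAST_EXPORT = [  # assumed "risk" scale: 0=info, 1=low, 2=medium, 3=high
    {"name": "SQL Injection", "cwe": 89, "param": "user", "risk": 3,
     "url": "https://app.example.test/login?user=a"},
    {"name": "SQL Injection", "cwe": 89, "param": "user", "risk": 3,
     "url": "https://app.example.test/login?user=b"},   # same issue, re-scan
    {"name": "Reflected XSS", "cwe": 79, "param": "q", "risk": 2,
     "url": "https://app.example.test/search?q=x"},
    {"name": "Path Traversal", "cwe": 22, "param": "name", "risk": 3,
     "url": "https://app.example.test/files?name=../etc/passwd"},
]
# Assumed route map: URL path -> source file that handles it.
ROUTE_MAP = {"/login": "src/account/login.py", "/search": "src/search/view.py"}

# Common severity scale used by the unified view.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    source: str        # "sast" or "dast"
    cwe: int
    location: str      # file:line for SAST, path[param] for DAST
    severity: int      # normalised to the 0..4 scale
    route: str         # file (SAST) or URL path (DAST) used for correlation
    fingerprint: str   # stable id so a re-imported scan does not duplicate


def fingerprint(source, cwe, location):
    # Query values are deliberately excluded: two payloads against the
    # same path/parameter/CWE are one finding, not two.
    return hashlib.sha256(f"{source}|{cwe}|{location}".encode()).hexdigest()[:16]


def normalize_sast(rec):
    loc = f"{rec['file']}:{rec['line']}"
    return Finding("sast", rec["cwe"], loc, SEVERITY[rec["severity"].lower()],
                   rec["file"], fingerprint("sast", rec["cwe"], loc))


def normalize_dast(rec):
    path = urlsplit(rec["url"]).path
    loc = f"{path}[{rec['param']}]"
    return Finding("dast", rec["cwe"], loc, min(max(rec["risk"], 0), 4),
                   path, fingerprint("dast", rec["cwe"], loc))


def normalize(sast_records, dast_records):
    """Convert both exports to Finding and drop fingerprint duplicates."""
    seen, out = set(), []
    for f in ([normalize_sast(r) for r in sast_records]
              + [normalize_dast(r) for r in dast_records]):
        if f.fingerprint not in seen:
            seen.add(f.fingerprint)
            out.append(f)
    return out


def correlate(findings, route_map=ROUTE_MAP):
    """Group findings by (CWE, component); a DAST path is mapped to its
    source file when the route map knows it, else kept as the path."""
    groups = {}
    for f in findings:
        comp = route_map.get(f.route, f.route) if f.source == "dast" else f.route
        g = groups.setdefault((f.cwe, comp), {"cwe": f.cwe, "component": comp,
                                             "sources": set(), "severity": 0,
                                             "locations": []})
        g["sources"].add(f.source)
        g["severity"] = max(g["severity"], f.severity)
        g["locations"].append(f.location)
    result = []
    for g in groups.values():
        g["confirmed"] = {"sast", "dast"} <= g["sources"]  # seen by both tools
        g["sources"] = sorted(g["sources"])
        result.append(g)
    return sorted(result, key=lambda g: (-g["severity"], g["cwe"]))


def summary(correlated):
    """Dashboard-style counts for the unified view."""
    s = {"confirmed": 0, "sast_only": 0, "dast_only": 0}
    for g in correlated:
        if g["confirmed"]:
            s["confirmed"] += 1
        elif g["sources"] == ["sast"]:
            s["sast_only"] += 1
        else:
            s["dast_only"] += 1
    return s


if __name__ == "__main__":
    unified = correlate(normalize(SAST_EXPORT, DAST_EXPORT))
    for g in unified:
        print(g["severity"], f"CWE-{g['cwe']}", g["component"],
              "confirmed" if g["confirmed"] else "/".join(g["sources"]))
    print(summary(unified))
```

Running it shows the two re-scanned DAST SQL injection records collapsing into one finding, the login SQLi and search XSS marked confirmed because both tools report them, the hard-coded secret as SAST-only, and the path traversal as DAST-only because no route maps to a source file; that last case is where a real AVC deployment needs better route metadata before it can hand the finding to a specific developer.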

Settling on a common term (Application Vulnerability Correlation) provides a common language between buyers and sellers that drives more efficient adoption of new technologies.

We will see the rise of AVC, or of changing terminology that refers to the same thing, in the coming time.

E-SPIN provides dynamic application security testing (DAST), static application security testing (SAST), interactive application security testing (IAST), penetration testing, and network, wireless, database, mobile app and enterprise vulnerability management solutions for enterprise and government customers, whether for a national deployment facility or a multi-country, regional or global vulnerability assessment center or cyber security lab. If you are interested in the rising AVC as part of our unified vulnerability management solution, please feel free to contact our consultant on the subject.
