Completing the essential triad of application security testing, Invicti is adding full SCA to its existing SAST and industry-leading DAST capabilities. Through its strategic partnership with Mend, Invicti can now offer world-class static SCA on its AppSec platform, complementing its existing DAST-based supply-chain security capabilities of dynamic SCA and web tech stack analysis.
To provide multiple layers of component security checking, Mend SCA on the Invicti platform operates both at the code level and at the container level. Code and container SCA results are reported within a unified platform and interface alongside DAST, SAST, IAST, and API Security results for maximum coverage with centralized visibility.
Supply-chain security from the inside out
Widespread reliance on open-source software components has made software composition analysis (SCA) an essential part of any application security toolkit, but getting usable results requires more than simply identifying components with known vulnerabilities. For many years, Invicti has provided dynamic SCA combined with outdated technology detection as part of its DAST solution. This dynamic approach has the advantage of greatly cutting down on false alarms by providing runtime insight into security gaps that are actually externally accessible, but it is limited to components that are in use during analysis.
Typical static SCA, on the other hand, already operates during development and can also cover components that are not currently being used at runtime. This maximizes coverage, but at the cost of potential extra noise if a flagged component is never called at all and is therefore not a priority to fix, not to mention the risk of a flood of false positives from low-quality tools. Invicti's strategic partnership with Mend combines the best features of static and dynamic component analysis on a single AppSec platform to deliver more actionable results than static SCA alone, with broader coverage than dynamic SCA alone.
Invicti's DAST-based approach to supply-chain security has always combined multiple avenues of vulnerability testing. To start with, all running components are subjected to the same security checks as the entire application to identify weaknesses that could allow attacks such as SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), and many more, including bespoke security checks related to specific high-impact CVEs. At the same time, application components are fingerprinted and checked against known CVEs in our vulnerability database, in effect performing dynamic SCA. Tech stack components are also detected and flagged if vulnerable or outdated, adding yet another layer of security.
Invicti's dynamic SCA is successfully used by thousands of companies worldwide to get a realistic view of their component security in the broader AppSec context. Add to that static SCA powered by Mend and you have a static+dynamic combination that gives customers unique composition analysis insights from the inside out: think of it as SAST+DAST, but specifically for components.
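To make the static+dynamic reconciliation described above concrete, here is an added Python example (not Invicti's or Mend's code). It merges a static inventory of declared components, as a static SCA tool would report it from the codebase, with the set of components fingerprinted at runtime, as dynamic SCA would report it, and ranks the vulnerable ones: components seen by both analyses are confirmed to be declared and reachable, components seen only at runtime are hidden dependencies, and components seen only statically are real but lower-urgency debt. All component names, versions and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Reconcile static and dynamic SCA findings to prioritise remediation.

Added example, not part of the Invicti or Mend products. Both inventories
below are constructed sample data with placeholder CVE ids.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    """A third-party component identified by name and version."""
    name: str
    version: str


@dataclass
class Finding:
    """One component plus every CVE and analysis source that reported it."""
    component: Component
    cves: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)  # subset of {"static", "dynamic"}

    @property
    def priority(self) -> str:
        if not self.cves:
            return "none"  # known component, no known CVEs: nothing to fix
        if self.sources == {"static", "dynamic"}:
            return "P1"    # declared in code AND observed running: confirmed and reachable
        if self.sources == {"dynamic"}:
            return "P2"    # running but never declared: hidden dependency (e.g. base image)
        return "P3"        # declared but never loaded at runtime: lower urgency


# Map from component to the CVE ids an analysis attributed to it.
Inventory = Dict[Component, Tuple[str, ...]]

# Constructed sample input: what a static SCA pass over the codebase might report.
STATIC_SCA: Inventory = {
    Component("libfoo", "1.2.0"): ("CVE-0000-00001",),
    Component("libbar", "3.4.1"): ("CVE-0000-00002", "CVE-0000-00003"),
    Component("libbaz", "0.9.0"): (),  # declared, no known CVEs
}

# Constructed sample input: what runtime fingerprinting of the running app might report.
DYNAMIC_SCA: Inventory = {
    Component("libfoo", "1.2.0"): ("CVE-0000-00001",),
    Component("libqux", "2.0.0"): ("CVE-0000-00004",),  # loaded at runtime, never declared
}


def reconcile(static: Inventory, dynamic: Inventory) -> Dict[Component, Finding]:
    """Union the two inventories, recording which analysis saw each component."""
    merged: Dict[Component, Finding] = {}
    for source, inventory in (("static", static), ("dynamic", dynamic)):
        for comp, cves in inventory.items():
            finding = merged.setdefault(comp, Finding(comp))
            finding.cves.update(cves)
            finding.sources.add(source)
    return merged


def prioritize(findings: Dict[Component, Finding]) -> List[Finding]:
    """Return only vulnerable components, highest priority first; more CVEs rank earlier within a tier."""
    vulnerable = [f for f in findings.values() if f.cves]
    return sorted(vulnerable, key=lambda f: (f.priority, -len(f.cves), f.component.name))


def main() -> None:
    for f in prioritize(reconcile(STATIC_SCA, DYNAMIC_SCA)):
        seen = "+".join(sorted(f.sources))
        print(f"{f.priority}  {f.component.name}@{f.component.version}  "
              f"seen by: {seen:<14}  cves: {', '.join(sorted(f.cves))}")


if __name__ == "__main__":
    main()
```

Run as a script, the example prints libfoo first (declared and running), then libqux (running but undeclared, the kind of component a static-only tool misses), then libbar (declared but never loaded, the kind of finding a dynamic-only tool misses); libbaz is omitted because nothing is attributed to it. In a real pipeline the two inventories would come from the SCA tools' exports rather than inline constants, but the merge and ranking logic is the same.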
Homing in on pre-packaged components with Container Security
Running services, applications, and even entire tech stack components in containers is now the norm for cloud-based software development and operations. Containers add scalability, flexibility, and convenience to application deployments, but at the cost of added complexity and opacity that may obscure security issues. Just as pre-built software libraries and modules are the components from which applications are assembled, containers are the components that make up entire application environments.
Especially at scale, you won't always know everything that goes into each container, just as you won't always know every single piece of code that contributes to your codebase. In both cases, the technology-agnostic nature of DAST makes it the go-to approach for ensuring you are testing your actual attack surface, regardless of how a specific application or service is written or deployed. In other words, if it runs, you can test it for vulnerabilities without knowing or caring what is going on inside, and Invicti customers have been successfully doing that for years across their entire application environments.
Container Security powered by Mend complements dynamic testing on the Invicti platform with static analysis of container components. While a DAST scan can find vulnerabilities once a specific container is running, Container Security can identify and flag vulnerable containerized components already during development, cutting down on the number of downstream security issues. Dedicated container testing also helps you avoid duplicated findings later, when one vulnerable container is instantiated and tested across multiple applications.
One platform for dynamic and static testing of code, components, and containers
Invicti's DAST-based platform already covers a lot of ground with its own DAST, IAST, API Security, dynamic SCA, and 50+ workflow integrations, giving CISOs maximum visibility while also giving developers actionable vulnerability reports. Through our strategic partnership with Mend, we add static analysis on multiple levels to deliver more information about more vulnerabilities on a single platform:
- Invicti's DAST and IAST tools test running apps while SAST powered by Mend analyzes their source code.
- Invicti's dynamic SCA and technology detection features flag vulnerable libraries, frameworks, and tech stack components in running apps while static SCA powered by Mend checks all code-level components, whether they are loaded or not.
- Invicti DAST indirectly scans containers by testing containerized apps and services while Container Security powered by Mend directly checks containers for vulnerable components.
When you combine black-box and white-box testing in one place and one centralized view, you realize there is no box, there is only AppSec. And you are in control.