At hexway we’ve decided not just to make penetration testing convenient but also to simplify vulnerability management processes. By the way, if you’re still unfamiliar with our products, we have a free pentest automation and reporting tool that saves quite a lot of time.
Back to the topic. The world of Secure SDLC is a wonderful one, with an entire zoo of scanners in it: SAST, DAST, SCA, IaC, RASP, IAST, and so on… Not to mention that these folks love abbreviations.
Straight to the point: We will release a friendly ASOC platform very soon. [FYI] ASOC stands for Application Security Orchestration and Correlation. It stores scan results from your security tools that you run in pipelines. Stay tuned, I’ll get back to this topic later.
Anyway, one of the troubles we’ve faced in developing our solution was writing parsers for scanner integrations. It’s not just that the data structure of the output files changes with each new version; there is also a steady stream of other minor issues. For example, the version format of vulnerable libraries.
For a better understanding, let’s consider an example. Many scanners may alert you about a vulnerability in the Python certifi library (CVE-2022-23491) even if you use the latest library version, 2022.12.7! This happens because the vulnerability report contains the instruction to update “the Certifi to 2022.12.07 version”.
Can you see the difference in the versions’ names? Scanners also find them different and alert users about the vulnerability.
Such problems generate false positives and consume a lot of a security engineer’s time, since each one has to be analyzed and triaged. As a result, time-to-market for the company’s products increases and the team’s productivity suffers.
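The certifi mismatch above, as an added example that is not part of hexway’s post or product: an exact-string check of the kind that produces the false positive, beside a component-wise comparison that treats 2022.12.7 and 2022.12.07 as the same release. The sample findings list and the `triage` helper are constructed for illustration.

```python
# Constructed sample: the advisory for CVE-2022-23491 says to update certifi
# to "2022.12.07", while the installed package reports itself as "2022.12.7".
INSTALLED_VERSION = "2022.12.7"
ADVISORY_FIXED_VERSION = "2022.12.07"


def parse_version(version: str) -> tuple:
    """Split a dotted release string into integer components.

    int() drops leading zeros, so "12.07" and "12.7" yield the same tuple.
    Trailing zero components are removed so "1.0" equals "1.0.0", matching
    PEP 440 release-segment comparison. Raises ValueError on non-numeric input.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def naive_is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Exact-string logic: anything that is not literally the fixed string is flagged."""
    return installed != fixed_in


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Vulnerable only if the installed release is strictly older than the fix."""
    return parse_version(installed) < parse_version(fixed_in)


# Constructed scanner findings: (package, installed version, fixed-in version).
FINDINGS = [
    ("certifi", "2022.12.7", "2022.12.07"),   # same release, different spelling
    ("certifi", "2022.9.24", "2022.12.07"),   # genuinely older
    ("requests", "2.28.2", "2.28.2"),         # exact match with the fix
]


def triage(findings):
    """Label each finding 'false positive' when only the version spelling differs,
    'vulnerable' when the installed release really is older, else 'patched'."""
    result = []
    for pkg, installed, fixed_in in findings:
        if is_vulnerable(installed, fixed_in):
            verdict = "vulnerable"
        elif naive_is_vulnerable(installed, fixed_in):
            verdict = "false positive"
        else:
            verdict = "patched"
        result.append((pkg, installed, verdict))
    return result
```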
The most important thing I wanted to share is that hexway has already taken care of these problems so you don’t have to. Our upcoming ASOC solution will let you comfortably implement vulnerability management in your SSDLC without running into the problems mentioned above (and many others).