
Vulnerability Management – SAST & DAST Tools

At CONVISO we aim for quality and secure coding.

To that end, we seek out the best practices so that all of our services are delivered with great care.

Therefore we maintain that good testing, not only code review but also penetration testing, for instance, must have the direct participation of an expert analyst with a deep understanding of the subject.

This stance is sometimes misunderstood by clients and by the market, who assume that because we hold this position we do not need, or do not agree with, the use of tools.

This is a misconception: what we believe is that a tool, no matter how good it might be, cannot be compared to a person who is well prepared and experienced in what they are doing.

However, this does not mean that we do not use tools to assist in our testing. Tools are very important within a development process and we always advocate their use wherever and whenever needed.

In one of our articles we presented our views on the use of tools and how they compare with the execution of a code review.

In this article we will show that SAST and DAST tools can work together with analysts and thus bring much more interesting results to a project.

But we do not believe in relying on a tool alone as a magic solution.

The use of SAST & DAST tools

We understand that both SAST and DAST tools should receive their deserved attention within the secure development process, and for this our Conviso Platform is designed to integrate with both SAST and DAST tools. Conviso Platform is a fully thought-out platform prepared to receive the report generated by the tools and ensure that all identified vulnerabilities are managed in your remediation process.

Vulnerability Management

By centralizing the tools' output on a platform focused on managing the vulnerability remediation process, the company gains more control and can ensure that the entire remediation flow follows industry best practices.

Some examples of tools that we have integrated into our platform are Veracode, Checkmarx, Fortify and SonarQube, among others.

Also, through our API we can guarantee integration with any tool that supports this kind of communication.

All information in one place

In addition to being built to provide the best way to manage the vulnerability remediation process, Conviso Platform is solidly based on the experience gained from each of the analyses already performed.

Among its many features, the platform delivers two that are important to managers in the secure development process.

The first is to enable management of the vulnerabilities identified by the SAST and DAST tools, making their remediation a structured and traceable process.

The second is the ability to record all the knowledge acquired during the process of identifying and correcting vulnerabilities.

Through its dashboard, it gives managers and teams a centralized view of their vulnerabilities and the status of their analysis, ensuring control over the level of risk.

Go beyond review

We believe that ensuring code security is much more than just reviewing it.

We need to ensure that identified vulnerabilities are properly addressed and that the knowledge gained in the process is maintained.

Ensuring the security of code is a process, and as such it should always be validated and monitored, because, as Robert Kaplan and David Norton said, “what is not measured is not managed”.

Using Conviso Platform, relevant information about the security of your code is presented in a way that eases your decision-making process.

And you: do you know for sure how secure your code really is?

About author
Over 15 years of experience in Information Security and Applications; graduated in Data Processing, worked as a professor and actively participated as an instructor in training more than 6000 developers and IT teams. Father of two daughters and a trader in his free time.