Aggregating SCA, SAST and DAST Vulnerability Results

Oliver Moradov

DevOps looks to combine the culture, methodologies and tooling of both the software development and operations teams, so companies can deliver new application features at a much greater velocity. 

DevSecOps takes this a step further, integrating security into DevOps and shifting security testing left. Instead of developers being brought into the fold late in the process, developer-focused security testing tools bridge the gap between engineering and security.

One of the key challenges when implementing DevSecOps is prioritizing which vulnerabilities need to be remediated first. This is especially true when using multiple Application & API security testing tools to provide full coverage.

Automation is key. Running application security tests in the CI/CD pipeline, so that vulnerabilities are detected and fixed on every build or every merge to the main branch, delivers secure and compliant application changes quickly and keeps the checks consistent from one run to the next.

There is no one-size-fits-all tool: different types of automated security testing are needed at different stages of the pipeline to ship secure applications and APIs at speed.

Identifying security vulnerabilities at various stages of the pipeline requires the integration of several tools. These include SCA (Software Composition Analysis), SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).

We previously discussed combining DAST with SCA from Checkmarx.

Leveraging these tools is great, but aggregating the vulnerability findings can be a challenge. A ‘single pane of glass’ is often needed so that the engineering and security teams have the visibility they need. Combining SCA, SAST and DAST information can also be valuable for SIEM (Security Information and Event Management) correlation engines, for example: knowing which weaknesses an application actually has helps the engine correlate events more accurately and detect attacks against those weaknesses.

Example: Combining Checkmarx SAST & SCA and Bright’s DAST

Bright’s partner, Datastream, has integrated the Checkmarx SAST and SCA solutions and Bright’s DAST platform within their proprietary xDashy platform, where their clients across the financial, retail and e-commerce sectors are benefiting from this comprehensive testing and aggregated data.

Combining security testing at the code level (SAST) and dependency checking (SCA) with testing of the running application (DAST) delivers comprehensive security testing, integrated at multiple stages of the DevOps / CI/CD pipeline and put directly into the hands of developers.

Our joint customers’ engineering and security teams get full visibility and can manage custom dashboards, define executive reports, metrics and KPIs that improve decision-making at both the executive and technical level, consolidating SAST, SCA and DAST results on a single screen. 

For example, SCA identifies security vulnerabilities in third-party dependencies by building the open source dependency tree (direct and transitive) for each application and mapping it against a database of known vulnerabilities. It then reports which vulnerable open source components have been pulled into the application, so they can be upgraded or patched accordingly.

Bright’s engine tests for vulnerabilities covered by the OWASP Top 10 and MITRE’s CWE list, using thousands of payloads, against both web apps and APIs.

Bright is also the only DAST solution on the market that can scan for specific Business Logic Vulnerabilities, normally carried out by manual testing. 

Having these tests automated as part of your development pipelines and included in your dashboard gives you the broadest picture of your cyber posture. Coupled with Bright’s automatic validation of every security finding, the DAST output delivers real-time, actionable results with no false positives.

If you are considering a DAST tool, be sure to read our blog on the Must-Have features of your DAST Tool.

Security teams can then understand the risk, prioritise remediation and coordinate with the engineering team accordingly.

Additionally, by combining the tools and aggregating the results, companies can establish a common risk identification framework: projects are linked across the tools (a manual mapping), and each vulnerability is referenced by its CWE (Common Weakness Enumeration) identifier, by its MITRE CVE identifier where one exists, and by the CVSS v3 score provided by Bright. CWE is the join key that works across all three tools: SCA findings usually carry a CVE, but SAST and DAST findings describe weaknesses in first-party code and endpoints that have no CVE, while every finding can be mapped to a CWE.

Engineering Security Testing Metrics

Being able to visualise and correlate data across projects, squads or teams is also invaluable. 

Bright has a comprehensive ‘Projects’ reporting functionality which can be used via the Bright app UI or integrated with your SIEM or other reporting platform, as Datastream has done with xDashy. Users can filter the results by project and by execution date, and compare results over time, graphically presenting trends and visualising risk management.

Having visibility of the most frequently recurring risks, or being able to drill down into which team or project is generating certain vulnerabilities, allows you to prioritise remediation as well as providing targeted training on secure coding.

This helps with capacity building for secure development as well as providing for analysis of the cost and time to remediate.
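As an added illustration of the two ideas above (normalising SCA, SAST and DAST findings onto CWE, CVE and CVSS so they can sit on one dashboard, and then counting which weakness classes recur per team), here is a small Python aggregator. It is example code written for this post, not Bright’s, Checkmarx’s or Datastream’s code; the three exports it reads are constructed sample records, and their field names are assumptions, not the real tools’ export formats.

```python
"""Aggregate SCA, SAST and DAST findings into one normalised, prioritised list.

Example code for this post. The three *_EXPORT lists are constructed sample
records; their field names are assumptions, not Checkmarx or Bright formats.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One normalised finding, whichever tool produced it."""
    source: str             # "sca", "sast" or "dast"
    project: str
    team: str
    cwe: str                # e.g. "CWE-89"; the join key shared by all three tools
    cve: Optional[str]      # usually only SCA findings carry a CVE
    cvss: float             # CVSS v3.x base score
    location: str           # package@version, file:line, or METHOD path?param
    title: str


# Constructed sample exports (assumed shapes).
SCA_EXPORT = [
    {"project": "shop-api", "team": "payments", "package": "log4j-core",
     "version": "2.14.1", "cve": "CVE-2021-44228", "cwe": "CWE-917",
     "cvss": 10.0, "title": "JNDI lookup in log messages (Log4Shell)"},
    {"project": "shop-api", "team": "payments", "package": "lodash",
     "version": "4.17.15", "cve": "CVE-2020-8203", "cwe": "CWE-1321",
     "cvss": 7.4, "title": "Prototype pollution in zipObjectDeep"},
]
SAST_EXPORT = [
    {"project": "shop-api", "team": "payments", "file": "src/orders/repo.py",
     "line": 42, "cwe": "CWE-89", "cvss": 8.8,
     "title": "SQL query built by string concatenation"},
    {"project": "shop-api", "team": "payments", "file": "src/config.py",
     "line": 9, "cwe": "CWE-798", "cvss": 7.5, "title": "Hard-coded database password"},
    {"project": "admin-portal", "team": "platform", "file": "templates/user.html",
     "line": 17, "cwe": "CWE-79", "cvss": 6.1, "title": "Unescaped user name in template"},
]
DAST_EXPORT = [
    {"project": "shop-api", "team": "payments", "method": "GET", "path": "/orders",
     "param": "id", "cwe": "CWE-89", "cvss": 9.8, "title": "SQL injection in id parameter"},
    {"project": "admin-portal", "team": "platform", "method": "POST", "path": "/users",
     "param": None, "cwe": "CWE-352", "cvss": 6.5,
     "title": "State-changing request without CSRF token"},
]


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def from_sca(r: dict) -> Finding:
    return Finding("sca", r["project"], r["team"], r["cwe"], r["cve"], r["cvss"],
                   f'{r["package"]}@{r["version"]}', r["title"])


def from_sast(r: dict) -> Finding:
    return Finding("sast", r["project"], r["team"], r["cwe"], None, r["cvss"],
                   f'{r["file"]}:{r["line"]}', r["title"])


def from_dast(r: dict) -> Finding:
    loc = f'{r["method"]} {r["path"]}' + (f'?{r["param"]}' if r["param"] else "")
    return Finding("dast", r["project"], r["team"], r["cwe"], None, r["cvss"], loc, r["title"])


def aggregate(sca=SCA_EXPORT, sast=SAST_EXPORT, dast=DAST_EXPORT) -> list:
    """Merge the three exports into one list ordered by CVSS, highest first."""
    findings = [from_sca(r) for r in sca] + [from_sast(r) for r in sast] + [from_dast(r) for r in dast]
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def correlate(findings) -> dict:
    """(project, CWE) -> sorted list of tools that reported that weakness class there."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f.project, f.cwe)].add(f.source)
    return {k: sorted(v) for k, v in seen.items()}


def runtime_confirmed(findings) -> list:
    """Static (SCA/SAST) findings whose CWE DAST also reproduced against the running app."""
    sources = correlate(findings)
    return [f for f in findings if f.source != "dast" and "dast" in sources[(f.project, f.cwe)]]


def recurring_by_team(findings) -> dict:
    """CWE frequency per team: the input for targeted secure-coding training."""
    per_team = defaultdict(Counter)
    for f in findings:
        per_team[f.team][f.cwe] += 1
    return dict(per_team)


if __name__ == "__main__":
    agg = aggregate()
    for f in agg:
        print(f"{f.cvss:4.1f} {severity(f.cvss):8} {f.source:4} {f.project:12} {f.cwe:8} {f.location}")
    print("confirmed at runtime:", [(f.source, f.location) for f in runtime_confirmed(agg)])
    for team, counts in recurring_by_team(agg).items():
        print(team, counts.most_common(3))
```

The ordering stays strictly by CVSS so that nothing is hidden, but `runtime_confirmed` flags the SAST SQL injection because DAST reproduced the same CWE in the same project against the running endpoint: that is the case where the static finding is known to be reachable and belongs at the top of the remediation queue. The per-team counter is the same data sliced the way the trend reporting above describes.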

Whether you are enhancing your current SAST and / or SCA scanning or just entering the realm of security testing, Bright’s DAST is simple to adopt: it can be run as a standalone scanner by the security team or integrated across your pipelines.

Whether you are testing web apps or APIs (SOAP, REST, GraphQL), the results are organised in a developer-friendly way and, for QA engineers, can help establish a culture of security testing and let you champion it.

Go ahead and try it out! With our free account, you can get started today; get your account now – https://nexploit.app/signup
