Guide to DAST (Dynamic Application Security Testing)
Check here for commonly asked questions and their corresponding answers, designed to provide quick and easily accessible information on various aspects of Bright's DAST solution.
Is Bright on the Gartner magic quadrant and if so, what quadrant?
There is no Gartner report or category for Dynamic Application Security Testing (DAST) specifically. Gartner has an Application Security Testing Magic Quadrant (MQ), but it only lists companies with two or more Application Security Testing product categories.
Is there CI/CD pipeline integration? Is this only for API testing?
We test both web apps and APIs, and we also integrate into your existing CI/CD workflow.
How does your pricing work?
Pricing is based on the number of concurrent (parallel) scans.
What kind of organizations use Bright's DAST today?
Almost every organization that develops web apps and APIs in-house, and especially those that have automation as part of their development flow.
How do you compare to Veracode?
Veracode is primarily a static code analysis security product (SAST). It does have a DAST component, but it is a weak one in terms of vulnerability coverage (Bright scans for over 9,000 vulnerabilities vs. less than 3,000 for Veracode). Bright is automated and can therefore run scans much more frequently. Veracode DAST has very high false-positive rates and is difficult to set up and operate (especially as part of a CI/CD pipeline).
How do you compare to Checkmarx?
Checkmarx is a SAST provider. They started to offer DAST in May 2023, but it is only a wrapper around ZAP (open source), not a true DAST, and not suitable for enterprises where security is a priority. They are largely unproven in the DAST space, their reporting is weak, and they provide little feedback to the user about issues that affect the quality of the DAST scan.
How do you compare to Checkpoint?
Checkpoint doesn't have a DAST solution (they are mostly a firewall company). They have other products, but none of them is a Dynamic Application Security Testing solution.
Is your product competitive with Acunetix?
Yes: a superior concurrent licensing model, proof of vulnerability, and fast remediation. Acunetix is very limited in scanning APIs. We also have an IDE developer framework plug-in that allows developers to test during the "free time" of the dev cycle in their own development environment. This actually precedes unit tests on the "left": it happens before the point at which a developer makes an official request for their code to be merged or pulled from their local dev environment back into a shared branch, whether that is a QA branch, a pre-prod branch, or however the branches are arranged.
How do you compare to Invicti?
Invicti has too many false positives, complex authentication configuration, no API schema scan support, and commercial limitations (how many targets, how many URLs/subdomains/APIs, etc.).
How do you compare to Stackhawk?
Stackhawk is based on the ZAP open-source scan engine, has no business logic attacks, and has AO configuration complexities.
What types of attacks do you scan for?
OWASP Top 10, MITRE (CWE) Top 25, business logic attacks, and almost all of the OWASP API Top 10, with more than 10K payloads.
How is Bright's DAST dev-centric?
By supporting scans in the early stages of development (e.g. CI/CD, IDE) and integrating with pipelines and ticketing systems.
Do you scan for OWASP Top 10 vulnerabilities?
Yes. We have several scan templates, including templates for the OWASP Top 10 and the OWASP API Top 10 vulnerabilities.
How do you help remediate the discovered vulnerabilities?
Each finding comes with detailed best-practice remediation instructions, including the requests and responses that triggered it, plus examples showing developers how to sanitize and validate the inputs.
What ticketing systems does Bright integrate with?
Out-of-the-box integrations for JIRA, ServiceNow and Azure Boards. Using the Bright API, it is possible to send data to any other ticketing system through API calls.
What are Bright's reporting capabilities?
Bright offers configurable reports (in terms of content) and customization (logo, company name, etc.). Reports are available in PDF, CSV, JSON and SARIF.
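SARIF is the one machine-readable format above that CI tooling can consume directly. The script below is an added example, not Bright's code and not Bright's report layout: it parses a constructed SARIF 2.1.0 document (hand-written here, using only the standard `runs`/`results`/`level`/`locations` fields from the SARIF specification), tallies findings by severity level and decides whether a pipeline stage should fail. The rule IDs, URLs and messages in the sample are invented for illustration.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a DAST report export.
# Hand-written sample for this example; NOT output from Bright or any real scanner.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-dast", "rules": [
            {"id": "sqli", "shortDescription": {"text": "SQL injection"}},
            {"id": "missing-csp", "shortDescription": {"text": "Missing Content-Security-Policy header"}},
        ]}},
        "results": [
            {"ruleId": "sqli", "level": "error",
             "message": {"text": "Parameter 'id' reflects database error text"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example/api/users"}}}]},
            {"ruleId": "missing-csp", "level": "warning",
             "message": {"text": "No CSP header on response"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example/"}}}]},
            {"ruleId": "missing-csp", "level": "warning",
             "message": {"text": "No CSP header on response"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://app.example/login"}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result in every run into (level, ruleId, uri, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF defaults "level" to "warning" when a failing result omits it.
            level = result.get("level", "warning")
            locations = result.get("locations") or []
            uri = "<no location>"
            if locations:
                uri = (locations[0].get("physicalLocation", {})
                                   .get("artifactLocation", {})
                                   .get("uri", uri))
            findings.append((level, result.get("ruleId", "<no rule>"), uri,
                             result.get("message", {}).get("text", "")))
    return findings


def count_by_level(findings):
    """Return a plain dict such as {'error': 1, 'warning': 2}."""
    return dict(Counter(level for level, *_ in findings))


def build_should_fail(findings, fail_on=("error",)):
    """Gate policy: fail when any finding is at one of the fail_on levels."""
    return any(level in fail_on for level, *_ in findings)


if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    for level, rule, uri, message in found:
        print(f"[{level}] {rule} at {uri}: {message}")
    print(count_by_level(found))
    # Non-zero exit makes a CI stage fail on error-level findings.
    raise SystemExit(1 if build_should_fail(found) else 0)
```

In a real pipeline the `SAMPLE_SARIF` string would be replaced by reading the exported report file, and `fail_on` tuned to the team's policy (for example `("error", "warning")` for a stricter gate on a pre-prod branch).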
How do you help organizations Shift Left?
By supporting scans in the early stages of development (e.g. CI/CD, IDE) and integrating with pipelines and ticketing systems.