Technical Snapshot

  • Multistage hybrid static code analysis: analyzes both source code and binaries using six analysis engines, including control-flow analysis, data-flow analysis, contextual analysis and intent-based analysis.
  • Supports vulnerability categories in OWASP Top 10, OWASP Mobile Top 10, PCI-DSS and SANS Top 25.
  • Automatically applies common security libraries and mitigation techniques to remediate vulnerabilities in source code.
  • Lucent Sky AVM is certified CWE-Compatible and integrates seamlessly with other developer and security tools.

Automatically remediates source code vulnerabilities

  • Instant Fixes are available for the most common source code vulnerabilities, such as SQL injection, cross-site scripting and path traversal, so these vulnerabilities can be removed immediately after a scan.
  • For vulnerabilities that can't be automatically remediated, contextual suggestions are generated individually for each identified vulnerability.
  • Instant Fixes and contextual suggestions are generated using industry-standard security libraries such as ESAPI and WPL, or customized to use your own enterprise security libraries.

Code-based remediation

Most developers know how to prevent common vulnerabilities such as SQL injection, but struggle to actually remediate the thousands of vulnerabilities found in a large application.

Lucent Sky AVM works the way a developer does: it finds and assesses vulnerabilities and places "Instant Fixes" in the code, but it is capable of securing hundreds of vulnerabilities at a time.

  1. Choosing the mitigation mechanism
    Lucent Sky AVM follows industry standards and best practices to decide which mitigation mechanisms to use and where they should be placed. Some vulnerabilities have several applicable mitigation mechanisms, such as character escaping and parameterized queries for SQL injection. Other vulnerabilities can be mitigated by applying the same mitigation mechanism at any one of several applicable locations.

  2. Preventing impact on functionality and on other vulnerabilities
    Lucent Sky AVM uses contextual and intent-based information to understand what the developer was trying to achieve when the vulnerability was created, and determines whether the applicable mitigation mechanisms and locations would affect other functionality or peer vulnerabilities. For example, if a user input is used both to construct a SQL query and to write to a log file, the log file needs the original value, while the SQL query needs the escaped value or a bound parameter.

  3. Reducing the number of changes with efficient mitigation
    Once applicable mitigation mechanisms have been generated for each vulnerability, Lucent Sky AVM conducts an application-wide cross-check to determine the most efficient mitigation mechanism for each vulnerability, based on the potential impact on functionality and performance. The most efficient mitigation mechanism is then used to generate the Instant Fix.
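The following is an added example, not Lucent Sky's code, written in Python to make the reasoning in step 2 concrete. It uses a constructed in-memory SQLite table and an in-memory list standing in for a log file. One request value reaches three sinks and each gets its own mitigation: the log keeps the original value, the SQL sink binds it as a parameter, and the HTML sink encodes it at output time. The "before" function shows why the mitigation must be chosen per sink and why functionality matters: a legitimate value containing an apostrophe breaks the concatenated query, while the parameterized version returns the row unchanged.

```python
import html
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed fixtures: an in-memory table with one seeded row and an
# in-memory "log file". Nothing here is read from disk or the network.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
CONN.execute("INSERT INTO items VALUES (?, ?)", ("alice", "O'Reilly <book>"))
CONN.commit()
LOG: List[str] = []


def vulnerable_lookup(owner: str, item_name: str) -> List[Tuple[str, str]]:
    """'Before' state (CWE-89): the request value is concatenated into the query."""
    LOG.append(f"lookup owner={owner} item={item_name}")
    sql = (f"SELECT owner, itemname FROM items "
           f"WHERE owner = '{owner}' AND itemname = '{item_name}'")
    return CONN.execute(sql).fetchall()


def remediated_lookup(owner: str, item_name: str) -> List[Tuple[str, str]]:
    """'After' state: each sink gets the mitigation appropriate to it.

    Log sink -> original value, so the audit trail records exactly what was sent.
    SQL sink -> value bound as a parameter rather than escaped into the statement.
    """
    LOG.append(f"lookup owner={owner} item={item_name}")
    sql = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return CONN.execute(sql, (owner, item_name)).fetchall()


def render_item(item_name: str) -> str:
    """HTML sink (CWE-79): encode at output time; the stored value stays unencoded."""
    return f"<div>{html.escape(item_name, quote=True)}</div>"


def compare(owner: str, item_name: str) -> Dict[str, object]:
    """Run the same input through both versions and report what each sink saw."""
    error: Optional[str] = None
    vulnerable_rows: List[Tuple[str, str]] = []
    try:
        vulnerable_rows = vulnerable_lookup(owner, item_name)
    except sqlite3.Error as exc:  # a stray quote in legitimate input breaks the query
        error = str(exc)
    remediated_rows = remediated_lookup(owner, item_name)
    return {
        "vulnerable_error": error,
        "vulnerable_rows": vulnerable_rows,
        "remediated_rows": remediated_rows,
        "rendered": render_item(item_name),
        "last_log": LOG[-1],
    }


if __name__ == "__main__":
    for key, value in compare("alice", "O'Reilly <book>").items():
        print(f"{key}: {value!r}")
```

Running the block with the seeded input shows the concatenated query failing with a syntax error, the parameterized query returning the row, the log line holding the raw value, and the rendered markup carrying the encoded form. Escaping the value once at its source would have corrupted the log entry and the stored data; binding and encoding at each sink preserves both.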


What is an Instant Fix?

Each Instant Fix is generated to remediate a specific vulnerability (and those linked to it) while preserving functionality and performance. Below are two sets of examples of Instant Fixes, first in C# and then in Java:

// CWE-79: Cross-site Scripting
// The Instant Fix wraps the untrusted value in an HTML encoder (plus a masker for private information) where it is written into markup.
var body = sqlDataReader.GetString(2);
Posts.Text += @"<div style=""margin-left: 30px;"">"
    + LucentSky.Security.Application.Masker.MaskPrivateInformation(LucentSky.Security.Application.Encoder.HtmlEncode(body))
    + @"</div>";

// CWE-89: SQL Injection
// The Instant Fix replaces string concatenation with named parameters; sqlConnection is the open SqlConnection already in scope.
var userName = UserName.Text;
var password = Password.Text;
sqlCommand = new SqlCommand(
    @"INSERT INTO [User] ([UserName], [Password]) VALUES (@lucentsky_userName, @lucentsky_password)",
    sqlConnection);
sqlCommand.Parameters.AddWithValue("@lucentsky_userName", userName);
sqlCommand.Parameters.AddWithValue("@lucentsky_password", password);
// CWE-79: Cross-site Scripting
// The Instant Fix HTML-encodes the request parameter at the point of output.
String eid = request.getParameter("eid");
out.println("Employee ID: " + org.lucentsky.security.application.Encoder.htmlEncode(eid));

// CWE-89: SQL Injection
// The Instant Fix binds the request-controlled value (itemName) as a parameter;
// userName comes from the authenticated session rather than the request.
// connection is the JDBC Connection already in scope.
String userName = getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
PreparedStatement statement = connection.prepareStatement(
    "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = ?");
statement.setString(1, itemName);
ResultSet rs = statement.executeQuery();
rs.close();

Accessible how you want it, where you need it

  • Deployment
    Lucent Sky AVM can be deployed in the cloud, in an on-premise server, or as a stand-alone appliance.
  • Accessibility
    Lucent Sky AVM works with the development environment you already use. It is accessible through a web interface, inside IDEs, from ALM tools, or through its API or CLI.
  • Integration
    Lucent Sky AVM integrates with other application security and performance products, such as SAST and DAST tools, WAFs and even APM.

Secure your code and see how it performs

In combination with New Relic APM, Lucent Sky AVM brings security and performance together without you writing a single line of code.

Effortless setup

Once linked, applications in Lucent Sky AVM are automatically mapped to their counterparts in New Relic APM. Applications created in the future will also be mapped.

Seamless view

Switch from the security view in Lucent Sky AVM to the performance view in New Relic APM with just one click.

Deploy high-performance code that's also secure

Performance and security are no longer trade-offs. In most cases, applications secured by AVM perform as fast as their original, vulnerable counterparts. With New Relic APM, you can see the small (if any) performance impact in real time.

Learn more about integrating New Relic APM with Lucent Sky AVM.


Leaders in efficiency and automation

Lucent Sky AVM is the only commercial solution for automatic application vulnerability mitigation. The technology was developed by industry veterans looking to automate common development practices in order to improve their security and efficiency. Learn more about the ROI of Lucent Sky AVM.