Compatibility

Lucent Sky AVM is compatible with applications developed for .NET, Android, ASP, C/C++, iOS, JDK and PHP.
Python and Ruby are on our product roadmap, but we don't have a specific timeline. If you would like to beta-test them, or want to know more details about a specific technology stack, let us know!
Lucent Sky AVM is compatible with applications developed in C# and VB.NET with .NET Framework 2.0 through 4.6.
Lucent Sky AVM is compatible with applications developed with JDK versions 1.4 through 8.
Lucent Sky AVM is compatible with applications using PHP 4.0 through 5.6. Support for PHP 7.0 is in private beta.
For C, C99 and C11 are supported. For C++, C++98 to C++14 are supported. While not on the supported list, you should be able to scan applications developed against older standards (such as C89 and C90) as well.
Lucent Sky AVM supports mobile apps developed for Android SDK (Java), iOS (Objective-C, Swift), UWP (C#, VB.NET) and Xamarin (C#).

Deployment and integrations

Lucent Sky AVM can be deployed in three ways: on the cloud (Microsoft Azure, Rackspace or Amazon AWS), installed on a Windows server as software, or as a pre-configured appliance. You can find details about system requirements in the datasheet.
Lucent Sky AVM integrates with source control systems (such as Visual Studio Online, TFS, SVN, CVS, Git) through CLI or IDE plug-ins.
Lucent Sky AVM integrates with most CI servers and build servers through CLI or API. Learn more about integrating Lucent Sky AVM with your CI or build server.

Analysis

The time it takes to scan an application depends on the size and complexity of the application, as well as the capability of the system Lucent Sky AVM is running on. An application of 1 million lines of code can usually be scanned within 1 to 2 hours.
If the application is made up of several smaller projects or modules (most large applications are), it is recommended to scan and secure the projects and modules in small groups or individually. Because Lucent Sky AVM uses hybrid analysis, project-by-project scanning has the same coverage and accuracy as scanning the entire application at once, but with much higher efficiency.
One of the largest applications scanned by Lucent Sky AVM has over 3.5 million lines of code. To improve analysis and remediation efficiency, it is recommended to scan the projects that make up a large application one at a time, instead of scanning the entire application at once. This also reduces the amount of processing power and memory required.
Lucent Sky AVM has two scanning modes, Intelligent Scan and Comprehensive Scan. Intelligent Scan automatically detects the parts of an application that need to be scanned. Comprehensive Scan scans all source code and libraries, while also giving the user the ability to specify which parts to scan by their namespaces and classes.

Because the contextual and intentional information Lucent Sky AVM uses to remediate vulnerabilities usually spans across modules and classes, it is recommended to use Intelligent Scan and let Lucent Sky AVM select the scanning scope.
Third-party libraries such as referenced DLL or JAR files will be scanned, and vulnerabilities in those libraries can be identified if they are used by the application. Since Lucent Sky AVM does not have access to the source code of those libraries, their vulnerabilities cannot be directly mitigated. In most cases, however, Lucent Sky AVM can mitigate their impact by modifying the source code that uses them.
Lucent Sky AVM uses multi-stage hybrid analysis as the basis of its mitigation algorithms. Data flow, control flow, contextual and intent-based analysis identify not only the location of vulnerabilities, but their context as well. Through the use of intent-based analysis, when a vulnerability is identified, Lucent Sky AVM evaluates the risk brought by the vulnerability, and removes vulnerabilities with minimum risk. This allows Lucent Sky AVM to have a lower rate of false positives compared to SAST tools. For those false positives that slip through, users can use the suppress feature to prevent them from reappearing in future scans.

Vulnerability remediation

Lucent Sky AVM remediates vulnerabilities in the same ways developers do. It uses the built-in security features of a given technology stack to remediate vulnerabilities (for example, using parameterized queries to fix SQL injections in .NET and Java applications), as well as APL (Application Protection Library) when the built-in security feature is not available or insufficient for the vulnerability in question.
APL (Application Protection Library) is a security library developed by Lucent Sky. It is based on popular security libraries such as OWASP ESAPI and Microsoft WPL. Every Lucent Sky AVM Standard or Enterprise subscription comes with a perpetual license of the APL source code. Users can modify APL to better suit their applications, and continue using it should their Lucent Sky AVM subscription expire.
Lucent Sky AVM is capable of remediating most if not all vulnerabilities that are caused by insecure implementation, such as injection flaws, XSS and path manipulation. Vulnerabilities that are caused by insecure design, such as saving data to an insecure location or using outdated encryption algorithms, cannot be automatically remediated because they require developers' attention.
Instant Fixes are capable of remediating most (if not all) vulnerabilities resulting from insecure implementation, such as injection flaws and XSS. Support for Instant Fixes is included in Lucent Sky AVM technical support - no additional service contract is required.

For vulnerabilities that do not have Instant Fixes, such as those caused by insecure design or those not related to source code, consulting service is available from Lucent Sky or its partners. In addition, Lucent Sky AVM provides up-to-date information published by industry organizations such as CWE and OWASP, which might be helpful in some scenarios.

Reporting

  • Interactive HTML report (vulnerability details and Instant Fixes), with the ability to filter and search vulnerabilities
  • PDF report (vulnerability details and Instant Fixes)
  • XML report (vulnerability details, Instant Fixes and additional technical details) for easier integration
  • Direct database access via WCF API

Licensing

Lucent Sky AVM is licensed with both User Client Access License (User CAL) and Core License. Client Access License determines the number of users who can access a Lucent Sky AVM Server at the same time, while Core License determines the maximum number of processor cores that can be used by a Lucent Sky AVM Server. To learn more about the license structure, refer to Lucent Sky AVM Server licensing overview.
All licenses of Lucent Sky AVM Standard Edition and Enterprise Edition allow for an unlimited number of scans for the duration of the license. Multiple simultaneous scans are allowed under a single license.
No. Once a scan has been completed, no license is needed to download the mitigated source code or report.
No. Mitigated applications will function without any Lucent Sky license. They will continue to function should your license of Lucent Sky AVM expire.
Lucent Sky AVM licenses grant you the ability to scan applications in all the technology stacks and languages we support now or introduce through the duration of your subscription.
To accurately represent the size of an application, Lucent Sky AVM checks both the lines of code of the application, as well as the size of the libraries used by it. Common 3rd-party libraries (such as Entity Framework and Spring MVC) do not count against the library size limit.

If your Lucent Sky AVM is licensed with a LOCe (lines of code equivalent) limit, you can either keep using the LOCe limit or convert it to a LOC + library size limit.
Each licensed user is able to access Lucent Sky AVM from multiple locations and interfaces (such as web UI, IDE plug-ins and CLI) simultaneously.
Lucent Sky AVM can only be used to scan applications directly owned or developed by the licensee. Scanning 3rd-party (including licensee's affiliates) applications is prohibited. If you are a service provider interested in using Lucent Sky AVM to provide services, or have other licensing questions, contact Lucent Sky support and a licensing engineer will get in touch with you.

Customization and maintenance

Yes. When creating an application or starting a scan, users have the option to enable or disable various Vectors (such as web request or database) and Rules (such as cross-site scripting or SQL injection) to change the types of vulnerabilities that will be identified. Advanced users can also fine tune Lucent Sky AVM's analysis behaviors by modifying its rule package, a set of XML files that dictate what constitutes a vulnerability. To learn more about how to customize rule packages, contact Lucent Sky support.
Yes. Out-of-box, Lucent Sky AVM mitigates vulnerabilities following industry standards and best practices. Users can change the mitigation algorithms' behavior by modifying the rule package. For example, a user can specify that "for all privacy violation vulnerability from database in these .NET applications, use my company's standard DLP library to remediate them." To learn more about how to customize rule packages, contact Lucent Sky support.
Two major upgrades are scheduled each year, which focus on new features such as new generations of identification and mitigation engines and support for new technology stacks. Between the major upgrades, smaller updates are released each month. These updates include product enhancements such as improved identification and mitigation algorithms, compiler updates, support for new vulnerability categories, and new versions of frameworks and libraries.

Using Lucent Sky AVM with security testing solutions

SAST tools are commonly used by security teams, and focus on vulnerability discovery and gatekeeping to ensure the security level of released applications. Lucent Sky AVM is mostly used within development teams, and focuses on vulnerability remediation to increase the efficiency of SDLC. Many organizations choose to use Lucent Sky AVM in combination with their existing SAST tool - automating the vulnerability remediation early in the SDLC to greatly reduce the number of vulnerabilities found by SAST before releasing applications.
It depends. Many organizations conduct security testing near the end of a product development lifecycle or after the application has already been released. In such cases, Lucent Sky AVM is used before testing to enable developers to greatly reduce the number of vulnerabilities in their source code prior to security testing, and to reduce the back-and-forth of the application source code between the development team and the security team.

For applications that are already released and where security testing has found vulnerabilities that need to be removed, Lucent Sky AVM is deployed at the stage when traditionally a person would manually remediate the vulnerabilities. Lucent Sky AVM scans the source code and generates a secured application that can be tested and re-released.
Lucent Sky AVM relies on its hybrid analyzer and contextual analyzer to accurately remediate vulnerabilities, so it cannot directly remediate vulnerabilities from SAST reports.

However, users can scan and mitigate the vulnerable application in Lucent Sky AVM, then scan it again using the existing SAST tool to verify the mitigation. For most vulnerabilities found by SAST tools, Lucent Sky AVM can be used to fix them. Learn more about how Lucent Sky AVM can help you move beyond manual remediation for vulnerabilities found by SAST tools.