Compatibility

Lucent Sky AVM is compatible with applications developed for .NET, Android, ASP, C/C++, iOS, JDK and PHP.
We're currently working on support for Python and Ruby. If you would like to beta-test them, or want to know more details about a specific technology stack, let us know!
Lucent Sky AVM is compatible with applications built in C# and VB.NET with .NET Framework 2.0 through 4.6.
Lucent Sky AVM is compatible with applications built with JDK versions 1.4 through 8.
Lucent Sky AVM is compatible with applications using PHP 4.0 through 5.6. Support for PHP 7.0 is scheduled for Q1'2016.
For C, C99 and C11 are supported. For C++, C++98 to C++14 are supported. While not on the supported list, you should be able to scan applications developed against older standards (such as C89 and C90) as well.

Deployment and integrations

Lucent Sky AVM can be deployed in three ways: on the cloud (Microsoft Azure or Amazon AWS), as software to be installed in your environment, or shipped as hardware with everything pre-configured. You can find details about system requirements in the datasheet.
Lucent Sky AVM integrates with source control systems (such as Visual Studio Online, TFS, SVN, CVS, Git) through CLI or IDE plug-ins. Deep integration, in which the source control system and Lucent Sky AVM communicate directly without the use of CLI, is planned for Visual Studio Online and TFS.
Lucent Sky AVM integrates with most CI servers and build servers through the CLI or APIs. Learn more about integrating Lucent Sky AVM with your CI or build server.

Analysis

The time it takes to scan an application depends on the size and complexity of the application, as well as the capability of the system Lucent Sky AVM is running on. An application of 1M lines of code can usually be scanned within 1 to 2 hours.
If the application is made up of several smaller projects or modules (most large applications are), it is recommended to scan and secure the projects and modules in small groups or individually. Because Lucent Sky AVM uses hybrid analysis, project-by-project scanning has the same coverage and accuracy of scanning the entire application at once, but with much higher efficiency.

For a large web application that is made up of thousands of ASPX, JSP or PHP files, it is recommended to group these files into several smaller groups, along with the libraries they reference, and scan these groups individually.
The largest application Lucent Sky has scanned has over 3.5 million lines of code. To enhance scanning and mitigation efficiency, we recommend scanning the projects that make up large applications one at a time, instead of scanning the entire application at once. This also reduces complications related to processing power and memory.
No, Lucent Sky AVM does not support partial scans. Its mitigation algorithms rely on contextual and intentional information to accurately remediate vulnerabilities, and this information might change even if only a small portion of the code was changed. Also, Lucent Sky AVM is capable of scanning most applications within a few hours, which removes the primary benefit of a partial scan.
Third-party libraries such as referenced DLL or JAR files will be scanned, and vulnerabilities in those libraries can be identified if they are used by the application. Since Lucent Sky AVM does not have access to the source code of those libraries, their vulnerabilities cannot be directly mitigated. In most cases, however, Lucent Sky AVM's mitigation algorithms will mitigate these vulnerabilities by modifying the source code that uses them.
Lucent Sky AVM uses multi-stage hybrid analysis as the basis of its mitigation algorithms. Six different analysis engines focus on data flow, control flow, contextual and intent-based information to identify not only the location of vulnerabilities, but their context as well. A nice "side effect" of multi-stage hybrid analysis is that it allows Lucent Sky AVM to have a low rate of false positives compared to SAST solutions. In other words, SAST solutions may find "vulnerabilities" that Lucent Sky AVM does not. That said, Lucent Sky AVM still may produce false positives. In the vast majority of such cases, mitigating a vulnerability that is not an actual vulnerability does not impact the behavior of the application. But similar to manual mitigation, all code mitigated with Lucent Sky AVM should go through typical testing and QA processes.

Mitigation

Lucent Sky AVM mitigates vulnerabilities in the same ways developers do. It uses the built-in security features of a given technology stack to mitigate vulnerabilities (for example, using parameterized queries to mitigate SQL injections in .NET and Java applications), as well as APL (Application Protection Library) when the built-in security feature is not available or insufficient for the vulnerability in question.
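As an added illustration of the parameterized-query mitigation described above (this is example code, not code from Lucent Sky AVM or APL), here is the kind of in-source change involved for an ADO.NET data-access method in a .NET application; the method, table and column names are assumed for the example:

```csharp
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Before mitigation: user-controlled input is concatenated into the SQL text,
    // so a crafted userName value changes the structure of the query (SQL injection).
    // Table and column names (Users, Id, UserName) are assumed for this example.
    public static DataTable FindUserVulnerable(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, UserName FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // After mitigation: the same query with the input bound as a typed parameter.
    // The SQL text is now constant; the value can never be interpreted as SQL syntax.
    // This is the built-in .NET feature (SqlParameter) the text refers to.
    public static DataTable FindUserParameterized(SqlConnection conn, string userName)
    {
        const string sql = "SELECT Id, UserName FROM Users WHERE UserName = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Declaring the type and length keeps the database from inferring them
            // per call and documents the expected shape of the input.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

Because the change touches only the data-access statement and leaves the query's intent unchanged, application behavior is preserved, which is why the usual testing and QA pass is still the right check after such an edit.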
APL (Application Protection Library) is an open source security library developed by Lucent Sky. It is based on popular security libraries such as OWASP ESAPI and Microsoft WPL. As APL is open source, users can customize and enhance APL to suit their applications better.
Lucent Sky AVM's mitigation algorithms are context and intention-aware, and have multiple fail-safe mechanisms to prevent changes that will impact the original logic or behavior of the vulnerable source code. However, any change of source code can potentially be "code-breaking". Therefore, applications secured by Lucent Sky AVM should go through the usual testing and QA processes, just as if a developer has made changes to the application.
Because the mitigation is done within the source code, it has minimal impact on performance. Based on internal testing and user-reported metrics, in an application secured by Lucent Sky AVM, more than 99% of the requests were processed in the same time as in the original, vulnerable application. Although comparing Lucent Sky AVM with WAF or RASP solutions isn't really an apples-to-apples comparison, the performance impact of popular WAF or RASP solutions is around 18 times the performance impact of Instant Fixes. You can find more information about performance impact in our blog post Lucent Sky works with New Relic to put offline security into runtime analytics.

Reporting

  • Interactive HTML report (vulnerability details and Instant Fixes), with the ability to filter and search vulnerabilities
  • PDF report (vulnerability details and Instant Fixes)
  • XML report (vulnerability details, Instant Fixes and additional technical details) for easier integration
  • Direct database access via WCF API

Licensing

Lucent Sky AVM Server is licensed with both a User Client Access License (User CAL) and a Core License. The Client Access License determines the number of users who can access a Lucent Sky AVM Server at the same time, while the Core License determines the maximum number of processor cores that can be used by a Lucent Sky AVM Server. To learn more about the license structure, refer to Lucent Sky AVM Server licensing overview.
All licenses of Lucent Sky AVM Standard Edition and Enterprise Edition allow for an unlimited number of scans for the duration of the license. Multiple simultaneous scans are allowed under a single license.
No license is needed to download the mitigated source code or report once a scan has been completed.
Mitigated source code will function without any Lucent Sky license. It will continue to function should your license to Lucent Sky AVM expire.
Lucent Sky AVM licenses grant you the ability to scan applications in all the technology stacks and languages we support now or introduce through the duration of your subscription.
The maximum application size is determined by two factors: the maximum application size on your license, and the capability of the system Lucent Sky AVM is running on. If an application exceeds the LOC restriction associated with your license, the scan will not start and the user will be notified of the associated error. To enhance scanning and mitigation efficiency, we recommend scanning the projects that make up large applications one at a time, instead of scanning the entire application at once. This also reduces complications related to processing power and memory.
To accurately represent the size of an application, Lucent Sky AVM checks both the lines of code of the application and the size of the libraries used by it. Common 3rd-party libraries (such as Entity Framework and Spring MVC) do not count against the library size limit.

If your Lucent Sky AVM is licensed with a LOCe (lines of code equivalent) limit, you can either keep using the LOCe limit or convert it to a LOC + library size limit.
Each licensed user is able to access Lucent Sky AVM from multiple locations and interfaces (such as web UI, IDE plug-ins and CLI) simultaneously.
Lucent Sky AVM can only be used to scan applications directly owned or developed by the licensee. Scanning 3rd-party (including licensee's affiliates) applications is prohibited. If you are a service provider interested in using Lucent Sky AVM, or have other licensing questions, contact Lucent Sky support and a licensing engineer will get in touch with you.

Customization and maintenance

Yes, the types of vulnerabilities identified can be configured. When creating an application or starting a scan, users have the option to enable or disable various Vectors (such as web request or database) and Rules (such as cross-site scripting or SQL injection) to change the types of vulnerabilities that will be identified. Advanced users can also fine-tune Lucent Sky AVM's analysis behaviors by modifying its rule package, a set of XML files that dictate what constitutes a vulnerability. To learn more about how to customize rule packages, contact Lucent Sky support.
Yes, the mitigation behavior can be customized. Out of the box, Lucent Sky AVM mitigates vulnerabilities following industry standards and best practices. Users can change the mitigation algorithms' behavior by modifying the rule package. For example, a user can specify that "for all privacy violation vulnerabilities from database in these .NET applications, use my company's standard DLP library to mitigate them". To learn more about how to customize rule packages, contact Lucent Sky support.
Two major upgrades are scheduled each year, which focus on new features such as a new generation of identification and mitigation engines and support for new technology stacks. Between the major upgrades, smaller updates are released each month. These updates include product enhancements such as improved identification and mitigation algorithms, compiler updates, and support for new vulnerability categories, new frameworks and libraries.

Using Lucent Sky AVM with security testing solutions

SAST solutions are commonly used by security teams, and focus on vulnerability discovery and gatekeeping to ensure the security level of released applications. Lucent Sky AVM is mostly used within development teams, and focuses on vulnerability mitigation to increase the efficiency of the SDLC. In most cases, Lucent Sky AVM is used in combination with SAST and DAST, but earlier in the SDLC, to automate the fixing of many types of application vulnerability.
It depends. Many organizations conduct security testing near the end of a product development lifecycle or after the application has already been released. In such cases, Lucent Sky AVM is used before testing to enable developers to greatly reduce the number of vulnerabilities in their source code prior to security testing, and to reduce the back-and-forth of the application source code between the development team and the security team.

For applications that are already released and where security testing has found vulnerabilities that an organization needs to remediate, Lucent Sky AVM is deployed at the stage where traditionally a person would manually remediate the vulnerabilities. Lucent Sky AVM rescans the source code and offers vulnerability mitigations that can be instantly deployed. The application is then sent to testing and re-released.
Lucent Sky AVM can be used to fix most vulnerabilities found by SAST tools. Most SAST tools were designed to be used by security professionals: they were calibrated to find a large number of results, relying on security experts to fine-tune them to weed out false positives. Lucent Sky AVM was designed to find vulnerabilities that will cause real impact on the application's security, and to fix only what can be fixed with confidence, based on settings chosen by you as well as your development and security teams. Learn more about how Lucent Sky AVM can help you move beyond manual remediation for vulnerabilities found by SAST tools like Fortify SCA.