When vulnerabilities are identified, Lucent Sky AVM also extracts intent - contextual information about what the developer intended to achieve when the vulnerabilities were introduced. The remediation algorithms then generate "Instant Fixes", secure code segments that directly replace vulnerable code while keeping its intent. When an Instant Fix could not be generated for a particular vulnerability, Lucent Sky AVM generates Guided Fix, remediation guidance that is contextually relevant, to help developers remediate the vulnerability effectively. For vulnerable software components, Lucent Sky AVM generates Guided Update to help developers update them to a secure version.

Instant Fixes are generated in three steps: understanding the intent of the vulnerable code and code that interacts with it, identifying a remediation mechanism based on best practices and security standards, and locating an ideal location in the codebase for the remediation so that the vulnerability can be remediated while maintaining the intent of the changed code and code that interacts with it. All Instant Fixes of a scan are then generated in a single process to ensure their consistency and reliability.

Lucent Sky AVM's remediation algorithms are context and intention-aware so Instant Fixes are generated in a way that maintain the functionality of the original code. Additionally, a separate algorithm independently verifies the Instant Fixes after they are generated to ensure their security and functionality. However, any change of source code can potentially be "code-breaking". Therefore, applications secured by Lucent Sky AVM should go through the usual testing and QA processes, just as if a developer has made changes to the application.

Because the remediation is done within the source code, it has minimum impact on performance. Based on internal testing and user-reported metrics, more than 99% of the requests are processed in the same time by applications secured by Lucent Sky AVM when compared with their vulnerable counterparts. Although comparing Lucent Sky AVM with WAF or RASP solutions isn't really apple to apple, the performance impact of popular WAS or RASP solutions is around 18 times of the performance impact of Instant Fixes. You can learn more about performance impact in our blog post, Lucent Sky works with New Relic to put offline security into runtime analytics.

While both Instant Fixes and generative AI–based “code fixes” are produced by intelligent algorithms, they differ significantly in methodology, reliability, and practical applicability.

Methodology - Instant Fixes are generated using deterministic remediation algorithms. These algorithms understand the context and intent of the original source code and apply security best practices curated by security experts to remediate vulnerabilities. In contrast, generative AI–based code fixes are produced by large language models using probabilistic prediction. The resulting code reflects patterns most likely to appear in the model’s training data—not necessarily what is secure or correct for the given context.

Reliability - The algorithms behind Instant Fixes are designed for consistency and repeatability—the same code, when scanned, will always produce the same vulnerability identification and the same Instant Fix. Each Instant Fix is also independently verified to ensure it remediates the vulnerability, does not introduce new issues, and preserves the original functionality. Large language models, however, can “hallucinate,” producing changes that inadvertently alter functionality, fail to fix the vulnerability, or introduce new ones. Independent studies have shown that around 45% of code created by generative AI contains OWASP Top 10 vulnerabilities, and about 66% of generative AI “code fixes” either fail to remediate the vulnerability or create additional ones.

Applicability - Lucent Sky AVM is designed to integrate seamlessly into the SDLC and can be used in fully automated workflows. Instant Fixes behave just like code written and committed by human developers. Generative AI–based code fixes, on the other hand, require careful review and often modification by experienced developers, may leak sensitive data or introduce copyright concerns, and therefore are best suited as developer aids—not as trusted components of the SDLC.

The time it takes to scan an application depends on the size and complexity of the application, as well as the capability of the system Lucent Sky AVM is running on. An application of one million lines of code can usually be scanned within 30 minutes. If an earlier version of the application has been scanned before, Lucent Sky AVM also intelligently selects the part of the application that requires re-analysis to further speed up analysis.

If the application is made up of several smaller projects or modules (most large applications are), it is recommended to scan and secure the projects and modules in small groups or individually. Because Lucent Sky AVM uses hybrid analysis, project-by-project scanning has the same coverage and accuracy of scanning the entire application at once, but with much higher efficiency.

One of the largest applications scanned by Lucent Sky AVM has over 18 million lines of code. To enhance analysis and remediation efficiency, it is recommended to scan the projects that made up large applications one at a time, instead of scanning the entire application at once. This also reduces the amount of processing power and memory required.

Lucent Sky AVM has two scanning modes, Intelligent Analysis and Comprehensive Analysis. Intelligent Analysis automatically detects the part of an application that need to be scanned. Comprehensive Analysis scans all source code and libraries, while also giving users the ability to specify what parts of the application to be scanned.

Because the contextual and intentional information Lucent Sky AVM uses to remediate vulnerabilities usually span across modules and classes, it is recommended to use Intelligent Analysis and let Lucent Sky AVM selects the scanning scope.

Third-part libraries, either in binary forms such as .dll or .jar files or in source code form, are scanned with binary and source code analysis along with the applicaiton for unknown vulnerabilities. In addition, libraries and other dependencies are also scanned with software composition analysis for known vulnerabilities. Instant Fixes and remediation suggestion are available for unknown vulnerabilities, and dependency update guidance are available for known vulnerabilities.

Lucent Sky AVM uses multi-stage hybrid analysis as the basis of its remediation algorithms. Data flow, control flow, contextual, and intent-based analysis identify not only the location of vulnerabilities, but their context as well. Through the use of intent-based analysis, when a vulnerability is identified, Lucent Sky AVM evaluates the risk brought by the vulnerability, and remove vulnerabilities with minimum risk. This allows Lucent Sky AVM to have a lower rate of false positives comparing to SAST tools. For those false positives that slipped through, users can use the suppress feature to prevent them from reappearing in future scans.

• Interactive, digitally signed HTML report with the ability to filter and search vulnerabilities
• PDF report
• Digitally signed XML report
• Standard formats such as CycloneDX, SARIF, and SPDX
• Direct database access via API

Lucent Sky AVM is available as managed, scalable cloud instances or as self-hosted deployments in customer cloud environments or on-premises. You can find deployment details in the Lucent Sky AVM Datasheet.

Updates to Lucent Sky AVM fall into two categories, Minor Releases and Servicing Updates. Minor Releases ship roughly every three to four months, and include new features (such as new identification algorithm, remediation algorithm or compiler), and support for new standards (such as new vulnerability categories, and new versions of frameworks and libraries). Servicing Updates ship between each Minor Releases as needed, and include fixes of product issues or other urgent updates. In addition, cloud-delivered intelligence provides real-time information to identify vulnerable software dependencies.

Lucent Sky AVM integrates with source control systems, such as Azure DevOps (TFS), CVS, Git, and SVN, through CLI or IDE plug-ins. Learn more about integrating Lucent Sky AVM with your CI or build server.

Lucent Sky AVM integrates with most CI servers and build servers through CLI or API. Learn more about integrating Lucent Sky AVM with your CI or build server.

Lucent Sky AVM is compatible with applications developed for .NET, ASP, Android, C/C++, Go, iOS, Java, Lua, PHP, Python, Ruby, Rust, and Visual Basic. Lucent Sky AVM also supports cross-framework languages such as Bash, CFML, CFScript, CSS, Dart, ECMAScript (including ActionScript, JavaScript, and TypeScript), HTML, PowerShell, and SQL, and data interchange and configuration languages such as Bicep, HCL, JSON, XML, and YAML. Lucent Sky AVM instances with specific add-on licenses also support domain-specific languages, such as ABAP, Apex, COBOL, EGL, and SQR. To learn more about the application frameworks and languages supported by Lucent Sky AVM, visit Application frameworks and languages supported by Lucent Sky AVM on Lucent Sky Docs.

Lucent Sky AVM is licensed with both User Client Access License (User CAL) and Core License. Client Access License determines the number of users who can access a Lucent Sky AVM Server at the same time, while Core License determines the maximum number of processor cores can be used by a Lucent Sky AVM Server. To learn more about the license structure, visit Lucent Sky AVM licensing overview on Lucent Sky Docs.

All license of Lucent Sky AVM Standard Edition and Enterprise Edition allow for an unlimited number of scans within the scope of the license. Multiple simultaneous scans are allowed under a single license.

No. Applications secured by Lucent Sky AVM will function without any Lucent Sky license. It will continue to function should your licenses of Lucent Sky AVM expire.

Lucent Sky AVM licenses grant you the ability to scan applications in all the technology stacks and languages we support now or introduce through the duration of your subscription.

To accurately represent the size of an application, Lucent Sky AVM checks both the lines of code of the application, as well the size of the libraries used by it. Common 3rd-party libraries (such as Entity Framework and Spring MVC) do not count against the library size limit.

If your Lucent Sky AVM is licensed with a LOCe (lines of code equivalent) limit , you can either keep using the LOCe limit or convert it to a LOC + library size limit.

Each licensed user is able to access Lucent Sky AVM from multiple locations and interfaces (such as web UI, IDE plug-ins and CLI) simultaneously.

Lucent Sky AVM can only be used to scan applications directly owned or developed by the licensee. Scanning 3rd-party (including licensee's affiliates) applications is prohibited. If you are a service provider interested in using Lucent Sky AVM to provide services, or have other licensing questions, contact Lucent Sky support and a licensing engineer will get in touch with you.

Yes. When creating an application or starting a scan, users have the option to enable or disable various Vectors (such as web request or database) and Rules (such as cross-site scripting or SQL injection) to change the types of vulnerabilities that will be identified. Advanced users can also fine tune Lucent Sky AVM's analysis behaviors by modifying its rule package, a set of XML files that dictate what constitutes a vulnerability. To learn more about how to customize rule packages, contact Lucent Sky support.

Yes. Out-of-box, Lucent Sky AVM remediate vulnerabilities following industry standards and best practices. Users can change the mitigation algorithms' behavior by modifying the rule package. For example, a user can specify that "for all privacy violation vulnerability from database in these .NET applications, use my company's standard DLP library to remediate them." To learn more about how to customize rule packages, contact Lucent Sky support.

SAST tools are commonly used by security teams, and focus on vulnerability discovery and gatekeeping to ensure the security level of released applications. Lucent Sky AVM is mostly used within development teams, and focuses on vulnerability remediation to increase the efficiency of SDLC. Some organizations use Lucent Sky AVM in combination with their existing SAST tool — automating the vulnerability remediation early in the SDLC to greatly reduce the number of vulnerabilities found by SAST before releasing applications.

It depends. Many organizations conduct security testing near the end of a product development lifecycle or after the application has already been released. In such cases, Lucent Sky AVM will be used before testing to enable developers to greatly reduce the number of vulnerabilities in their source code prior to security testing, and the back-and-forth of the application source code between development team and security team.

For applications that are already released and security testing has found vulnerabilities that need to be removed, Lucent Sky AVM is deployed at the stage when traditionally a person would manually remediate the vulnerabilities. Lucent Sky AVM scans the source code and generate a secured application that can be tested and re-released.

Lucent Sky AVM can be configured to remediate vulnerabilities identified by certain SAST tools, such as Checkmarx CxSAST, Fortify SCA, and Klocwork. To learn more about using Lucent Sky AVM to accelerate the remediation of vulnerabilities found by your SAST tool, let us know and one of our team members will get in touch with you.