Lucent Sky AVM: FAQ

Compatibility

Lucent Sky AVM is compatible with applications developed for .NET, ASP, Android, C/C++, Go, iOS, JDK, PHP, Python, Ruby, and Visual Basic. It also supports static websites and supplement files such as ECMAScript, SQL, and XML.

Lucent Sky AVM is compatible with applications developed in C# and VB.NET with .NET Framework 2.0 through 4.8, .NET Core 1.0 through 3.1, and .NET 5 through 7.

Lucent Sky AVM is compatible with applications developed with JDK versions 1.5 through 17.

Lucent Sky AVM is compatible with applications using PHP 4 through 8.

For C, C99 and C17 are supported. For C++, C++98 to C++20 are supported. While not on the supported list, you should be able to scan applications developed against older standards (such as C89 and C90) as well.

Lucent Sky AVM is compatible with applications using Python 2.0 through 3.9.

Lucent Sky AVM supports mobile apps developed for Android SDK (C#, ECMAScript, Java, Kotlin), iOS (C#, ECMAScript, Objective-C, Swift), and UWP (C#, VB.NET).

Deployment and integrations

Lucent Sky AVM can be deployed in three ways: on the cloud (Microsoft Azure, Rackspace or Amazon AWS), installed on a Windows server as software, or as a pre-configured appliance. You can find details about system requirements in the datasheet.

Updates to Lucent Sky AVM fall into two categories, Minor Releases and Servicing Updates. Minor Releases ship roughly every three to four months and include new features (such as new identification algorithms, remediation algorithms or compilers) and support for new standards (such as new vulnerability categories and new versions of frameworks and libraries). Servicing Updates ship between Minor Releases as needed and include fixes for product issues or other urgent updates. In addition, cloud-delivered intelligence provides real-time information to identify vulnerable software dependencies.

Lucent Sky AVM integrates with source control systems, such as Azure DevOps (TFS), CVS, Git, and SVN, through CLI or IDE plug-ins.

Lucent Sky AVM integrates with most CI servers and build servers through CLI or API. Learn more about integrating Lucent Sky AVM with your CI or build server.

Analysis

The time it takes to scan an application depends on the size and complexity of the application, as well as the capability of the system Lucent Sky AVM is running on. An application of one million lines of code can usually be scanned within 30 to 60 minutes.

If the application is made up of several smaller projects or modules (most large applications are), it is recommended to scan and secure the projects and modules in small groups or individually. Because Lucent Sky AVM uses hybrid analysis, project-by-project scanning has the same coverage and accuracy as scanning the entire application at once, but with much higher efficiency.

One of the largest applications scanned by Lucent Sky AVM has over five million lines of code. To enhance analysis and remediation efficiency, it is recommended to scan the projects that make up a large application one at a time, instead of scanning the entire application at once. This also reduces the amount of processing power and memory required.

Lucent Sky AVM has two scanning modes, Intelligent Scan and Comprehensive Scan. Intelligent Scan automatically detects the parts of an application that need to be scanned. Comprehensive Scan scans all source code and libraries, while also giving the user the ability to specify which parts are scanned by their namespaces and classes.

Because the contextual and intentional information Lucent Sky AVM uses to remediate vulnerabilities usually spans across modules and classes, it is recommended to use Intelligent Scan and let Lucent Sky AVM select the scanning scope.

Third-party libraries, either in binary form such as .dll or .jar files or in source code form, are scanned with binary and source code analysis along with the application for unknown vulnerabilities. In addition, libraries and other dependencies are also scanned with software composition analysis for known vulnerabilities. Instant Fixes and remediation suggestions are available for unknown vulnerabilities, and dependency update guidance is available for known vulnerabilities.

Lucent Sky AVM uses multi-stage hybrid analysis as the basis of its remediation algorithms. Data flow, control flow, contextual, and intent-based analysis identify not only the location of vulnerabilities, but their context as well. Through the use of intent-based analysis, when a vulnerability is identified, Lucent Sky AVM evaluates the risk brought by the vulnerability and removes vulnerabilities with minimal risk. This allows Lucent Sky AVM to have a lower rate of false positives compared to SAST tools. For those false positives that slip through, users can use the suppress feature to prevent them from reappearing in future scans.

Vulnerability remediation

Lucent Sky AVM remediates vulnerabilities in the same ways developers do. It uses the built-in security features of a given technology stack to remediate vulnerabilities (for example, using parameterized queries to fix SQL injections in .NET and Java applications), as well as APL (Application Protection Library) when the built-in security feature is not available or insufficient for the vulnerability in question.
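As an added illustration of the remediation described above (not Lucent Sky AVM's or APL's own code), the following shows the "before" and "after" of the SQL injection fix: the vulnerable query built by string concatenation beside the parameterized query that replaces it. It is written in Python against the standard sqlite3 module because that runs anywhere; the .NET and Java forms the page mentions follow the same pattern with SqlCommand parameters and JDBC PreparedStatement placeholders. The users table, its rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample database for the demonstration; not part of any product.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # BEFORE: untrusted input is spliced into the SQL text, so a quote
    # character in `name` changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_fixed(conn, name):
    # AFTER: the statement text is fixed and the value travels separately
    # as a bound parameter; the driver never interprets it as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Runs both forms on the same input so the behavioural difference is
    # visible side by side; returns the two result lists.
    conn = make_db()
    try:
        return {
            "vulnerable": find_user_vulnerable(conn, name),
            "fixed": find_user_fixed(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: an ordinary lookup and one containing a quote.
    for value in ("alice", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

With the ordinary input both functions return the same single row, which is why the fix does not change the application's observable behaviour. With the quoted input the concatenated form returns every user, while the parameterized form returns nothing because it looks for a user literally named `x' OR '1'='1`; that is the property the page's Instant Fix relies on, and it is also why the page still recommends normal QA after remediation, since the fixed query can legitimately return a different result set for inputs the original handled incorrectly.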

APL (Application Protection Library) is a security library developed by Lucent Sky. It is based on popular security libraries such as OWASP ESAPI and Microsoft WPL. Every Lucent Sky AVM Standard or Enterprise subscription comes with a perpetual license of the APL source code. Users can modify APL to better suit their applications, and continue using it should their Lucent Sky AVM subscription expire.

Lucent Sky AVM is capable of remediating most vulnerabilities caused by insecure implementation, such as injection flaws, XSS, and path manipulation. Instant Fixes are generated for these vulnerabilities and can be inserted into code to remediate vulnerabilities immediately. Vulnerabilities that were caused by insecure design, such as saving data to an insecure location or using an outdated encryption algorithm, cannot be automatically remediated because they require developers' attention. Context-aware remediation suggestions are generated individually for each of these vulnerabilities to help developers understand and remediate them.

Lucent Sky AVM's remediation algorithms are context- and intention-aware, and have multiple fail-safe mechanisms to prevent changes that would impact the original logic or behavior of the vulnerable source code. However, any change to source code can potentially be "code-breaking". Therefore, applications secured by Lucent Sky AVM should go through the usual testing and QA processes, just as if a developer had made changes to the application.

Because the remediation is done within the source code, it has minimal impact on performance. Based on internal testing and user-reported metrics, in an application secured by Lucent Sky AVM, more than 99% of the requests were processed in the same time as in the original, vulnerable application. Although comparing Lucent Sky AVM with WAF or RASP solutions isn't really apples to apples, the performance impact of popular WAF or RASP solutions is around 18 times the performance impact of Instant Fixes. You can find more information about performance impact in our blog post Lucent Sky works with New Relic to put offline security into runtime analytics.

Reporting

  • Interactive, cryptographically-signed HTML report with the ability to filter and search vulnerabilities
  • PDF report
  • Cryptographically-signed XML report
  • Direct database access via WCF API

Licensing

Lucent Sky AVM is licensed with both a User Client Access License (User CAL) and a Core License. The Client Access License determines the number of users who can access a Lucent Sky AVM Server at the same time, while the Core License determines the maximum number of processor cores that can be used by a Lucent Sky AVM Server. To learn more about the license structure, refer to Lucent Sky AVM Server licensing overview.

All licenses of Lucent Sky AVM Standard Edition and Enterprise Edition allow for an unlimited number of scans within the scope of the license. Multiple simultaneous scans are allowed under a single license.

No. Applications secured by Lucent Sky AVM will function without any Lucent Sky license. They will continue to function should your license of Lucent Sky AVM expire.

Lucent Sky AVM licenses grant you the ability to scan applications in all the technology stacks and languages we support now or introduce through the duration of your subscription.

To accurately represent the size of an application, Lucent Sky AVM checks both the lines of code of the application, as well as the size of the libraries used by it. Common 3rd-party libraries (such as Entity Framework and Spring MVC) do not count against the library size limit.

If your Lucent Sky AVM is licensed with a LOCe (lines of code equivalent) limit, you can either keep using the LOCe limit or convert it to a LOC + library size limit.

Each licensed user is able to access Lucent Sky AVM from multiple locations and interfaces (such as web UI, IDE plug-ins and CLI) simultaneously.

Lucent Sky AVM can only be used to scan applications directly owned or developed by the licensee. Scanning 3rd-party (including licensee's affiliates) applications is prohibited. If you are a service provider interested in using Lucent Sky AVM to provide services, or have other licensing questions, contact Lucent Sky support and a licensing engineer will get in touch with you.

Customization and maintenance

Yes. When creating an application or starting a scan, users have the option to enable or disable various Vectors (such as web request or database) and Rules (such as cross-site scripting or SQL injection) to change the types of vulnerabilities that will be identified. Advanced users can also fine-tune Lucent Sky AVM's analysis behaviors by modifying its rule package, a set of XML files that dictate what constitutes a vulnerability. To learn more about how to customize rule packages, contact Lucent Sky support.

Yes. Out of the box, Lucent Sky AVM remediates vulnerabilities following industry standards and best practices. Users can change the mitigation algorithms' behavior by modifying the rule package. For example, a user can specify that "for all privacy violation vulnerabilities from database in these .NET applications, use my company's standard DLP library to remediate them." To learn more about how to customize rule packages, contact Lucent Sky support.

Using Lucent Sky AVM with security testing solutions

SAST tools are commonly used by security teams, and focus on vulnerability discovery and gatekeeping to ensure the security level of released applications. Lucent Sky AVM is mostly used within development teams, and focuses on vulnerability remediation to increase the efficiency of SDLC. Many organizations choose to use Lucent Sky AVM in combination with their existing SAST tool — automating the vulnerability remediation early in the SDLC to greatly reduce the number of vulnerabilities found by SAST before releasing applications.

It depends. Many organizations conduct security testing near the end of a product development lifecycle or after the application has already been released. In such cases, Lucent Sky AVM is used before testing to enable developers to greatly reduce the number of vulnerabilities in their source code prior to security testing, and to reduce the back-and-forth of the application source code between the development team and the security team.

For applications that are already released and where security testing has found vulnerabilities that need to be removed, Lucent Sky AVM is deployed at the stage when traditionally a person would manually remediate the vulnerabilities. Lucent Sky AVM scans the source code and generates a secured application that can be tested and re-released.

Lucent Sky AVM can be configured to remediate vulnerabilities identified by certain SAST tools, such as Checkmarx CxSAST, Fortify SCA, and Klocwork. To learn more about using Lucent Sky AVM to accelerate the remediation of vulnerabilities found by your SAST tool, let us know and one of our team members will get in touch with you.