ZeroNorth, the industry’s first provider of risk-based vulnerability orchestration for applications and infrastructure, announced a new solution for Rapid Application Security, enabling customers to quickly stand up software security initiatives by leveraging open source vulnerability discovery tools.
The solution is ideal for companies seeking to rapidly deploy new application scanning capabilities, while evaluating long-term deployments of commercial tools.
With the ZeroNorth solution for Rapid Application Security, customers can quickly enact new vulnerability scanning capabilities, while scoping requirements and plans for commercial deployments.
ZeroNorth’s solution provides effective means for initiating software and infrastructure scans, incorporating results into a coherent dashboard view for infrastructure and business application owners, as well as coordinating management and remediation processes.
The ZeroNorth solution provides open source options for exploring emerging areas of vulnerability testing—such as container security and cloud management—or augmenting those technologies not yet covered by commercial tools.
Specifically, the solution embeds open source products directly within the ZeroNorth platform, providing software composition analysis (SCA), static application security testing (SAST), dynamic application security testing (DAST), container security and cloud management.
“We see application security initiatives often slow down due to the time it takes a security team to evaluate, select and onboard commercial scanning tools,” said Dave Howell, vice president of marketing at ZeroNorth.
“With our new solution, we make it easier for organizations to begin implementing scan capabilities today, using open source, while planning for longer-term deployments of best-of-breed commercial products.”
ZeroNorth’s solution helps organizations mature existing tactical vulnerability discovery activities into a formalized security initiative through orchestrated risk management. Where organizations already use a few commercial scanning tools in some areas, the platform scales use across software and infrastructure portfolios.
“ZeroNorth’s solution for Rapid Application Security enables security groups to upgrade from a few vulnerability discovery activities, conducted on the riskiest business assets, to a security initiative based on orchestrated risk management that more comprehensively covers their application portfolio,” said John Steven, chief technology officer at ZeroNorth.
Potential use cases for the solution
New or maturing AppSec programs – Digital transformation means software is every business’s competitive differentiator; development teams must launch new and updated applications at an increasingly faster pace.
However, security struggles to keep up. The ZeroNorth solution enables CIOs and CTOs to establish and accelerate security initiatives by leveraging a comprehensive set of scanning capabilities across both the development and operational phases of the software lifecycle.
Supply chain security – Businesses of all sizes rely on third-party software, including SaaS platforms and OSS, to scale, compete and best serve customers. However, third-party software may introduce significant risk if vulnerabilities in those technologies have not been addressed.
The ZeroNorth solution provides visibility into supply chain and vendor security, balancing the need to leverage third-party software with vulnerability detection to manage the risk it introduces.
Product security – Companies selling software, including the growing number for which software is a key component of their products, have a responsibility to ensure that attackers cannot exploit their product or compromise their customers.
The ZeroNorth solution gives product development and product security teams the visibility necessary to proactively build security into – and actively manage risk in – deployed products.
Open source tools embedded into the ZeroNorth platform include OWASP Dependency Check (DepCheck) for software composition analysis (SCA); Bandit, Brakeman and SonarQube for static application security testing (SAST); Aqua, Clair and Docker Content Trust for container security; OWASP ZAP for dynamic application security testing (DAST) of deployed web applications; and Prowler to identify misconfigured or otherwise vulnerable assets within cloud infrastructure.