Seeker

Coverity Code Advisor On Demand

“With increased accuracy, Seeker determines whether a vulnerability is exploitable and where in the code it is located, without the need to access source code to conduct its analysis… The only existing alternative to this technology is manual penetration testing – a highly expensive and nonscalable approach”

Joseph Feiman, GARTNER

Seeker is a pioneering Interactive Application Security Testing (IAST) solution which enables organizations to efficiently produce secure software.

Seeker uses a unique approach, analyzing code and data flows at runtime to better understand vulnerability context, providing highly accurate vulnerability detection during the coding and testing process.

Seeker improves visibility into risk by presenting vulnerabilities in the context of business impact and exploitability. Every potential vulnerability detected by Seeker is automatically verified to be exploitable—ensuring that you don’t waste time investigating a “problem” that will never happen. When Seeker reports a problem, you know that it is exploitable and you understand the impact with no need for human intervention.

Seeker provides a clear view of the security status of applications according to compliance criteria and provides everything needed to secure code and improve security awareness.


Benefits

“In the age of Advanced Persistent Threats it is not sufficient to analyze vulnerabilities separately. Each vulnerability must be viewed as part of a larger threat context, as it would be by an attacker targeting the application”

Ofer Maor – Director of Security Strategy at Synopsys 

Identify Real Business Security Risks

Seeker conducts runtime analysis of both code and data to better understand vulnerability context and impact. Seeker automatically verifies findings by exploiting them in order to classify their risk. The result is the identification of critical and complex vulnerabilities and logical flaws not detectable with any other technology.

Seeker is data-centric. It automatically maps user data and data flows in the application and then uses this information to identify security vulnerabilities that put data at risk. This lets you, for example, prioritize threats based on whether it is possible to steal sensitive data from the users table, or to retrieve credit card numbers in plaintext. By focusing on what attackers are after, Seeker establishes the severity of each vulnerability and suggests a remediation plan based on the real threat.

Get Context-based Solutions to Secure the Application

Stakeholders know exactly what risks exist for each build and release, enabling them to make appropriate decisions. Developers stay on course by focusing their time on fixing proven vulnerabilities that pose an immediate threat to the business.

  • Exploits created by Seeker are accompanied by videos showing the actual attack on the tested application.
  • Detailed results include the vulnerable source code for each vulnerability as well as a visual explanation including all the information required to understand the vulnerability’s risk.
  • Specific, context-sensitive remediation advice allows developers to immediately fix vulnerabilities without security expertise.
  • Remediation instructions include a simple explanation of the fix as well as a secure code example in the relevant programming language.

Automate Security into the Development Lifecycle

Seeker test cycles are short and can be included as part of an automated development process.

  1. Integrates with automated testing frameworks such as Selenium, so the functional test run doubles as the attack scenario.
  2. Launches from the build server alongside automated functional testing.
  3. Delivers results in the formats already used for bug reporting, such as ticketing systems.

By integrating into the developer workflow, Seeker creates a culture of strong security automation.

  • Stakeholders know exactly what risks exist in each build and release, improving decision-making.
  • Developers address the highest-priority exploitable vulnerabilities first, ensuring resources are not wasted on false positives and “don’t care” reports.
  • Seeker requires no additional manpower, and can be used without security expertise.

Seeker brings simplicity into the SDLC by delivering immediate results and integrating into any development methodology.

Enterprise

Security Management Dashboards

It’s all about the global threat landscape. Don’t just look at one application, or one module to understand the risks to your organization. Seeker allows centralized management of your application security testing – see application security testing results in one place.

Cross-organizational Security Status Reporting

Seeker Enterprise comes with a central server that stores and manages information about all projects and tests in the organization. This allows managers and administrators to see the current status of any project, as well as the security progress over time of an application in development.

Seeker Enterprise dashboards and reports allow executives and managers to continuously monitor their overall organizational application security level.


The Seeker dashboard consolidates test results to give an overview of cross-organizational security status, including:

  • Overview of security risk level of each application in the organization.
  • Vulnerability trends over a specific period of time.
  • Which applications have the fewest vulnerabilities, and which systems or applications require attention because of the risk they pose to the organization.


Team & Projects Performance

Managers can assess security performance by project or development group, gaining insight into vulnerability distributions and areas where more attention or training is needed.


Cross-organizational Compliance

Compliance is a fact of life in regulated and other security-conscious industries. Seeker provides dashboards to track compliance not only with industry classifications such as the OWASP Top 10 and PCI DSS, but with internal standards defined by your own organization.

For example, the view below shows the OWASP Top 10 (top table) and PCI-DSS v3 (bottom table): for each compliance category, how many of the projects selected for comparison passed and how many failed.

Technologies

Supported Testing Platforms

  • Java (1.5 or higher) – Tomcat, WebSphere, WebLogic, JBoss, GlassFish or any J2EE server
  • .NET (2.0 or higher) – IIS
  • PHP (5.2 or higher) – Apache, IIS
  • PL/SQL – Oracle
  • T-SQL – Microsoft SQL Server

Supported Languages

  • Java
  • C#
  • PHP
  • JavaScript (Client Side)
  • VB.Net
  • Scala (incl. Lift)
  • Groovy
  • Clojure (JVM, CLR)
  • PL/SQL
  • T-SQL

Supported Frameworks

  • Java/JVM – Struts, Spring, GWT, Play, Enterprise JavaBeans (EJB), Hibernate, Grails, Velocity, Vaadin, Seam, OWASP ESAPI
  • .NET/CLR – SharePoint, ASP.NET MVC, Enterprise Library, NHibernate, Unity, Ninject, NVelocity, Spring.NET, Telerik, Entity Framework, OWASP ESAPI
  • PHP – Zend, Laravel, Phalcon, CodeIgniter, Symfony, OWASP ESAPI, CakePHP, Smarty, Yii, Kohana

Supported Databases

  • Oracle
  • Microsoft SQL Server
  • MySQL
  • DB2
  • PostgreSQL

Supported Applications

  • Web (incl. HTML5)
  • Mobile (over HTTP)
  • AJAX
  • GWT (Google Web Toolkit)
  • Web Services
  • SOAP
  • RESTful
  • JSON

Application Life Cycle Management Integration

Continuous Integration and Testing Servers

  • Jenkins/Hudson
  • HP Quality Center
  • IBM ClearCase
  • Microsoft Team Foundation Server
  • TeamCity
  • Bamboo
  • Any Platform via Seeker CLI or REST API.

Automatic Testing Frameworks

  • Selenium
  • HP Quality Center
  • IBM ClearCase
  • Apache JMeter
  • Any Automatic Testing Framework via Seeker Proxy & CLI

Bug Tracking and Ticketing Systems

  • JIRA
  • HP Quality Center
  • IBM ClearQuest
  • Microsoft Team Foundation Server
  • Bugzilla
  • Trac
  • Mantis
  • VersionOne
  • Rally

More

“IAST solutions should be adopted by all IT organizations that develop or procure applications”

Gartner, Hype Cycle for Application Security, 2013 – July 2013

The Vulnerable Lines of Code

Seeker provides detailed information on the exact location of the vulnerability in the application code, the tier on which that code is deployed, and the path the malicious input took from the point where it entered the application to the statement where the vulnerability is triggered.
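What that runtime view looks like in practice, as an added illustration in Python that is not Seeker's code and not how its agent is implemented: request input is marked tainted at the entry point, the mark survives string concatenation, a hook on the SQL sink records the call stack as the entry-to-sink path, and the finding is then confirmed the way the Benefits section describes, by replaying the request with an injection payload and checking that extra rows come back. The names (`Tainted`, `instrumented_execute`, `run_scan`), the in-memory `users` table with its test card numbers, and the request shape are all assumptions made for this example.

```python
"""Toy of what an IAST agent does inside the application process.

Added example, not Seeker's code. It marks request input as tainted at the
entry point, propagates the mark through string concatenation, records the
flow path when tainted data reaches a SQL sink, and then confirms the
finding by replaying the request with an injection payload.
"""
import sqlite3
import traceback


class Tainted(str):
    """A str that remembers the untrusted source it came from."""

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # A real agent hooks many more operations (format, join, slicing, ...);
    # '+' is enough to follow the query builder used below.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


FINDINGS = []  # what the agent would report to a central server


def instrumented_execute(conn, sql):
    """Sink hook standing in for sqlite3.Connection.execute."""
    if isinstance(sql, Tainted):
        # The call stack at the sink is the path the input took from entry to sink.
        path = [f"{f.name}:{f.lineno}" for f in traceback.extract_stack()[:-1]]
        FINDINGS.append({"source": sql.source, "sink": "sqlite3.Connection.execute",
                         "sql": str(sql), "path": path})
    return conn.execute(sql)


# --- application under test (deliberately vulnerable: string-built SQL) ----

def find_user(conn, username):
    sql = "SELECT id, username, card FROM users WHERE username = '" + username + "'"
    return instrumented_execute(conn, sql).fetchall()


def handle_request(conn, params):
    # Entry point: the agent taints every request parameter as it enters the app.
    username = Tainted(params["username"], source="GET /user?username=")
    return find_user(conn, username)


# --- agent: verification and rating ------------------------------------------

def verify_exploitable(conn):
    """Replay the request with a payload; exploitable if it returns extra rows."""
    baseline = handle_request(conn, {"username": "alice"})
    attack = handle_request(conn, {"username": "alice' OR '1'='1"})
    return len(attack) > len(baseline), attack


def setup_db():
    # Constructed sample data (hypothetical table; the card numbers are test numbers).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "4111111111111111"), (2, "bob", "5500000000000004")])
    return conn


def run_scan():
    """Drive one normal request, then verify and rate the finding it produced."""
    FINDINGS.clear()
    conn = setup_db()
    handle_request(conn, {"username": "alice"})
    finding = FINDINGS[0]
    exploitable, rows = verify_exploitable(conn)
    finding["exploitable"] = exploitable
    finding["leaked_rows"] = len(rows)
    # Business impact: the query that leaks exposes a card column, so rate it critical.
    finding["severity"] = "critical" if exploitable and "card" in finding["sql"] else "medium"
    return finding


if __name__ == "__main__":
    f = run_scan()
    print(f["severity"], f["source"], "->", f["sink"], f"({f['leaked_rows']} rows leaked)")
    print("path:", " > ".join(f["path"]))
```

Run stand-alone, the script reports the finding as critical, names the request parameter as the source and the SQL call as the sink, and prints a path that passes through `handle_request` and `find_user`, which is the same three pieces of information (entry point, vulnerable line, confirmed impact) the report described above carries. A parameterized query in `find_user` would make the replay return one row and the finding would not be verified.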


Detailed Context-based Remediation Instructions

Seeker uses information about the application, programming language, framework in use, components and databases to give a clear explanation of the problem and the shortest, most effective remediation for it. Seeker's analysis is carried out without requiring the source code itself. This allows security testing of any third-party code integrated into the application, such as open source libraries, components developed by external vendors or off-the-shelf products. Where their source code is not available, Seeker can still recommend how to secure the interfaces through which the application uses them.

Exploitation Explanations


Seeker gives step-by-step explanations of how an attacker can exploit the vulnerability, including videos demonstrating the exploit on the targeted application. This allows developers, testers and managers to replay the attack and understand the consequences of the vulnerable code.

Vulnerability Reporting

Seeker test reports give an immediate view of the application's risk level according to compliance criteria. Compliance views can be built per classification (such as OWASP Top 10, SANS/CWE, PCI-DSS) or according to custom needs.


Security Management Dashboards


The centralized data repository stores information about all projects and tests in the organization. This allows privileged users to monitor and report on the overall security risk level, vulnerability trend, and compliance status of applications, development teams, and projects across the organization. Seeker lets managers pinpoint vulnerable systems and teams that need more attention.