Mind the (Security) Gap: Integrate and Automate Multiple Tools for a Complete View of Security

Central AppSec Management

Publish Date

Apr 5, 2018

Written by

Sal Sclafani

Tagged with

  • Vulnerability Management
  • Multiple Scanning Tools
  • Open Source
  • security scanning
  • security testing
  • Vulnerabilities

We are constantly bombarded with the importance of cybersecurity. There are hackers and crackers attacking continuously, attempting to exploit vulnerabilities that are unfortunately an integral part of every software and hardware system. This all makes it even more important to be able to confidently and accurately answer “How secure are we?”

To answer this question effectively, organizations need tools that continually and accurately assess vulnerabilities and provide visibility into the company’s security posture. There are many different security assessment tools on the market today, both commercial and open source. Which one is the best for you? Many organizations have a false sense of security when running just one scanning tool. But while vendors may have you believe differently, no single tool is capable of finding each and every vulnerability that exists in your network or web applications.

Why?

False Sense of Security
Let’s take a real-world example of testing we just performed for a customer. Using the ZeroNorth™ platform, we orchestrated the same scans against a combination of open source and commercial tools. The tools returned 90 percent of the same results. The 10 percent gap was due to a difference in their knowledge bases. The quality of a product’s internal knowledge base is the most critical aspect of any vulnerability scanning tool, and it is something not typically addressed when evaluating tools. Security assessment tools today all depend on very different knowledge bases, which means they can return very different results for the same scan.

No single tool, therefore, is capable of finding each and every vulnerability that exists in an environment. As we saw in our testing, each of the different tools gets you almost all the way there but not completely. Using multiple tools can address this, but this approach doesn’t effectively report and manage the disparate findings without manual correlation and analysis by your application security team.
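As an added illustration (not ZeroNorth’s code or any scanner’s real output), the following Python correlates findings from two scanners into one de-duplicated view, keying on CVE id where a tool reports one and on a normalised title otherwise, and then measures the coverage gap between the tools. All hosts, CVE ids, titles and field names are constructed placeholders.

```python
"""Correlate findings from two scanners into one de-duplicated view."""
from collections import defaultdict

# Constructed sample output from two hypothetical scanners ("A" and "B").
# CVE ids are placeholders, not real identifiers.
TOOL_A = [
    {"tool": "A", "host": "app1", "cve": "CVE-1900-0001", "title": "Framework RCE", "severity": "critical"},
    {"tool": "A", "host": "app1", "cve": None, "title": "Reflected XSS in /search", "severity": "medium"},
    {"tool": "A", "host": "app2", "cve": "CVE-1900-0002", "title": "TLS library overflow", "severity": "high"},
]
TOOL_B = [
    {"tool": "B", "host": "app1", "cve": "cve-1900-0001", "title": "OGNL injection", "severity": "high"},
    {"tool": "B", "host": "app1", "cve": None, "title": "Reflected  xss in /Search", "severity": "medium"},
    {"tool": "B", "host": "app2", "cve": None, "title": "TLS 1.0 enabled", "severity": "low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def finding_key(finding):
    """Key on (host, CVE) when a CVE exists; otherwise on a whitespace/case-normalised title."""
    if finding["cve"]:
        return (finding["host"], finding["cve"].upper())
    return (finding["host"], " ".join(finding["title"].lower().split()))


def correlate(*tool_outputs):
    """Merge findings from any number of tools; keep the highest severity any tool assigned."""
    merged = defaultdict(lambda: {"host": None, "tools": set(), "titles": set(), "severity": "low"})
    for output in tool_outputs:
        for finding in output:
            entry = merged[finding_key(finding)]
            entry["host"] = finding["host"]
            entry["tools"].add(finding["tool"])
            entry["titles"].add(finding["title"])
            if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = finding["severity"]
    return dict(merged)


def coverage_gap(merged):
    """Fraction of unique findings that only one tool reported (the knowledge-base gap)."""
    total = len(merged)
    single_tool = sum(1 for entry in merged.values() if len(entry["tools"]) == 1)
    return single_tool / total if total else 0.0


if __name__ == "__main__":
    view = correlate(TOOL_A, TOOL_B)
    for key, entry in sorted(view.items()):
        print(key, sorted(entry["tools"]), entry["severity"])
    print(f"coverage gap: {coverage_gap(view):.0%}")
```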

Integrate Commercial and Open Source Tools for Comprehensive View
The ZeroNorth™ platform solves this challenge and optimizes the investment in your application security tooling. Our platform integrates with and automates the commercial and open source tools you already have in place. In addition, the platform has a vulnerability analytics capability that continually polls the CVE Details and NIST National Vulnerability Database feeds and correlates them with the target application to provide real-time alerts to the security team. ZeroNorth returns results based on a complete security posture rather than the assessment of just one tool. You get the internal product knowledge bases of multiple vulnerability scanning tools in one correlated view. Then you can generate reports that truly have the most complete information regarding the security of your software and hardware.

You can read here how our customer Cytobank eliminated gaps, reduced risk and is able to stay on top of any issues as they surface. Or contact us if you’d like a demo or discussion.
