NetSPI Launches SAST and SCR Services
July 28, 2020

NetSPI launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services.

An element of NetSPI's efforts to revamp the way businesses view application security, the new services aid development teams in establishing a more strategic approach to building secure applications. Key to NetSPI's multi-level secure code review services involving SAST and SCR is a thorough inspection of source and compiled code to ensure security risks are eliminated before software is deployed to production, at which time the cost of remediation could increase exponentially.

"With Continuous Integration/Continuous Deployment [CI/CD] increasingly becoming the backbone of the modern DevOps environment, it's more important than ever to detect and address vulnerabilities through Static Application Security Testing and Source Code Review processes, a service that is complementary to an organization's penetration testing efforts," said Nabil Hannan, managing director at NetSPI. "Both testing functions enable more comprehensive vulnerability detection and, in many cases, identify vulnerabilities that are not possible to discover during dynamic testing and analysis."

NetSPI's SAST and SCR services are offered in various engagement structures, giving application and software development teams options to leverage the appropriate level of testing depth to detect, validate, and resolve security issues based on the business criticality and risk profile of their applications. The services are also a solution to adhere to application development compliance standards, including PCI DSS and HIPAA. NetSPI's SAST and SCR offerings include:

- Static Application Security Testing (SAST)—A static analysis performed with a combination of commercial, open source and proprietary SAST tools, resulting in an assessment report from NetSPI that describes found vulnerabilities and actionable remediation guidance. Additionally, NetSPI offers a streamlined, more economical SAST service which focuses on testing around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.

- Static Application Security Testing (SAST): Triaging—As an augmentation to an organization's internal use of SAST tools in Application Security Programs, NetSPI offers triage services. By analyzing the data and assigning degrees of urgency on behalf of the security teams, NetSPI can validate the exploitability of vulnerabilities to remove any false positive findings, allowing development teams the time to focus exclusively on remediation.

- Secure Code Review (SCR)—Building off the SAST offerings, NetSPI's SCR offering employs cyber security experts to review underlying frameworks and libraries that are being leveraged to build the application. From there, manual testers identify vulnerabilities that automated scanners cannot detect, such as complex injection attacks, insecure error handling as well as authentication and authorization issues. Additionally, NetSPI offers a streamlined, more economical SCR service which focuses only on reporting around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.

NetSPI's instructor-led training program around secure coding and remediation for development teams is made available to clients after completion of Static Application Security Testing (SAST) or Secure Code Review (SCR) engagements. Available for up to a class size of 20, NetSPI's one-day training program details the top five categories of vulnerabilities identified in the SAST or SCR engagement and provides insights specific to that organization as well as remediation or mitigation techniques.

"We've seen a movement to the left, in terms of prioritizing SCR earlier in the SDLC process as Application Security Programs have evolved," said Hannan. "We support this strategic approach to security as it is critical to identify and remediate vulnerabilities, and in some cases even prevent them, during the software development phase."

Share this

Industry News

August 12, 2020

Datadog announced the general availability of Continuous Profiler, a low-overhead 24x7 code profiler that measures the performance of code in production.

August 12, 2020

Pulumi announced significant new capabilities for Kubernetes, including cloud native deployment automation options, ecosystem integrations and migration tools.

August 12, 2020

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the availability of a new training course, LFS268 - CI/CD with Jenkins X.

August 11, 2020

Datadog announced the launch of Incident Management.

August 11, 2020

Progress announced the latest release of Progress® Test Studio®, the automated UI load and performance testing tool.

August 11, 2020

Symmetry Systems emerged from stealth a year after raising $3 million in seed funding.

August 10, 2020

Red Hat announced the launch of Red Hat remote certification exams.

August 10, 2020

Signal Sciences announced an integration with Microsoft Azure App Service for the Signal Sciences next-gen Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP) solution.

August 10, 2020

Copado announced Copado Government Cloud to help government agencies accelerate the time-to-value of Salesforce digital transformation projects.

August 06, 2020

Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.

August 06, 2020

Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.

August 06, 2020

LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.

August 05, 2020

Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.