Doubling down on components: SCA and Container Security on the Invicti platform
Supply chain security is a critical part of any AppSec program. The addition of software composition analysis (SCA) and Container Security to existing dynamic SCA on the Invicti platform creates a unique static+dynamic combo to crack down on insecure web application components.
Completing the essential triad in application security testing, Invicti is adding comprehensive SCA to its existing SAST and industry-leading DAST capabilities. Through its strategic partnership with Mend, Invicti can now offer world-class static SCA on its AppSec platform, enhancing its existing DAST-based supply-chain security capabilities of dynamic SCA and web tech stack analysis.
To provide multiple layers of component security checking, Mend SCA on the Invicti platform operates both at the code level and the container level. Code and container SCA results are reported within a unified platform and interface alongside DAST, SAST, IAST, and API Security results for maximum coverage with centralized visibility.
Supply-chain security from the inside and out
Widespread reliance on open-source software components has made software composition analysis (SCA) a vital part of any application security toolkit, but getting usable results requires more than merely identifying components with known vulnerabilities. For many years, Invicti has provided dynamic SCA combined with outdated technology detection as part of its DAST solution. This dynamic approach has the advantage of greatly cutting down on false alarms by providing a runtime insight into security gaps that are actually externally accessible, but it is restricted to components that are in use during analysis.
Conventional static SCA, on the other hand, operates during development and can also cover components that aren’t currently being used at runtime. This maximizes coverage but at the cost of potential extra noise if a flagged component is never called at all and thus is not a priority to fix—not to mention the risk of a flood of false positives from low-quality tools. Invicti’s strategic partnership with Mend combines the best features of static and dynamic component analysis on a single AppSec platform to deliver more actionable results than static SCA alone with broader coverage than dynamic SCA alone.
Invicti’s DAST-based approach to supply-chain security has always combined multiple avenues of vulnerability testing. To start with, all running components are subjected to the same security checks as the entire app to identify weaknesses that could allow for attacks like SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), and hundreds more, including bespoke security checks related to specific high-impact CVEs. At the same time, application components are fingerprinted and checked against known CVEs in our vulnerability database, in effect performing dynamic SCA. Tech stack components are also detected and flagged if vulnerable or outdated, adding yet another layer of security.
Invicti’s dynamic SCA is successfully used by thousands of companies worldwide to get a realistic view of their component security in the broader AppSec context. Add to that static SCA powered by Mend and you have a static+dynamic combo that gives customers unique composition analysis insights from the inside and out—think of it as SAST+DAST but specifically for components.
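As an added illustration of the static+dynamic combination described above (this is not Invicti’s or Mend’s code; the advisory list, manifest, script URLs and placeholder advisory ids are constructed samples, and the fingerprinting heuristic is a simplification), the script below merges the components a manifest declares with the components observed loading in a running app, and ranks the vulnerable ones by whether they were actually seen at runtime:

```python
# Added illustration, not Invicti's or Mend's code: merge static SCA (manifest) with
# dynamic SCA (runtime fingerprints) so reachable vulnerable components rank first.
import re
# Constructed advisories: component -> (first fixed version, placeholder id);
# any version below the fixed one is treated as affected.
ADVISORIES = {"jquery": ("3.5.0", "placeholder-advisory-1"),
              "moment": ("2.29.4", "placeholder-advisory-2"),
              "express": ("4.18.0", "placeholder-advisory-3"),
              "bootstrap": ("4.3.1", "placeholder-advisory-4")}
# Constructed lockfile-style manifest: everything static SCA sees, loaded or not.
MANIFEST = {"jquery": "3.4.1", "lodash": "4.17.21", "moment": "2.29.1", "express": "4.17.1"}
# Constructed script URLs from a crawled page: what dynamic SCA can fingerprint.
RUNTIME_SCRIPTS = ["/static/jquery-3.4.1.min.js", "/static/moment.js?v=2.29.4",
                   "https://cdn.example/bootstrap-4.0.0.min.js"]
NAME_RE, VER_RE = re.compile(r"^(?P<name>[a-z]+)"), re.compile(r"\d+(?:\.\d+)+")

def parse_version(v):  # '4.17.21' -> (4, 17, 21): compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

def is_affected(component, version):  # advisory id if below the fixed version, else None
    fixed, adv_id = ADVISORIES.get(component, (None, None))
    return adv_id if fixed and parse_version(version) < parse_version(fixed) else None

def fingerprint(script_urls):  # simplified dynamic fingerprinting from script file names
    observed = {}
    for url in script_urls:
        basename = url.rsplit("/", 1)[-1].lower()
        name, ver = NAME_RE.match(basename), VER_RE.search(basename)
        if name and ver:
            observed[name.group("name")] = ver.group()
    return observed

def triage(manifest, observed):  # merge both views; runtime-confirmed findings first
    findings = []
    for comp, ver in manifest.items():
        adv_id = is_affected(comp, ver)
        if adv_id is None:
            continue
        seen = observed.get(comp)
        if seen == ver:
            status = "high: vulnerable version confirmed loaded at runtime"
        elif seen:
            status = f"investigate: runtime version {seen} differs from manifest"
        else:
            status = "low: declared but never observed at runtime"
        findings.append((comp, ver, adv_id, status))
    for comp, ver in observed.items():  # loaded but never declared, e.g. CDN scripts
        adv_id = is_affected(comp, ver)
        if comp not in manifest and adv_id:
            findings.append((comp, ver, adv_id, "high: runtime-only, unmanaged component"))
    rank = {"high": 0, "investigate": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[3].split(":")[0]])
```

Running `triage(MANIFEST, fingerprint(RUNTIME_SCRIPTS))` on the constructed data puts the two runtime-confirmed components first, the version mismatch next, and the server-side library that was never observed last, which is the prioritization the static+dynamic combination is meant to give.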
Homing in on pre-packaged components with Container Security
Running services, applications, or even entire tech stack components in containers is now the norm for cloud-based software development and operations. Containers add scalability, flexibility, and convenience to application deployments—but at the cost of added complexity and opacity that may obscure security issues. In the same way as pre-built software libraries and modules are the components from which applications are assembled, containers are the components that make up entire application environments.
Especially at scale, you won’t always know everything that goes into each container, just as you won’t always know every single piece of code that contributes to your codebase. In both cases, the technology-agnostic nature of DAST makes it the go-to approach for ensuring you’re testing your actual attack surface, irrespective of how a specific application or service is written or deployed. In other words, if it runs, you can test it for vulnerabilities without knowing or caring what’s going on inside, and Invicti customers have been successfully doing that for years across their entire application environments.
Container Security powered by Mend complements dynamic testing on the Invicti platform with static analysis of container components. While a DAST scan can find vulnerabilities once a specific container is running, Container Security can identify and flag vulnerable containerized components already during development, cutting down on the number of downstream security issues. Dedicated container testing also helps you avoid duplicating vulnerabilities later when one vulnerable container is instantiated and tested across multiple applications.
One platform for dynamic and static testing of code, components, and containers
Invicti’s DAST-based platform already covers a lot of ground with its own DAST, IAST, API Security, dynamic SCA, and 50+ workflow integrations, providing CISOs with maximum visibility while also providing developers with actionable vulnerability reports. Through our strategic partnership with Mend, we add static analysis on multiple levels to deliver more information about more vulnerabilities on a single platform:
- Invicti’s DAST and IAST tools test running apps while SAST powered by Mend analyzes their source code.
- Invicti’s dynamic SCA and technology detection features flag vulnerable libraries, frameworks, and tech stack components in running apps while static SCA powered by Mend checks all code-level components, whether they’re loaded or not.
- Invicti DAST indirectly scans containers by testing containerized apps and services while Container Security powered by Mend directly checks containers for vulnerable components.
When you combine black-box and white-box testing in one place and one centralized view, you realize there is no box—there is only AppSec. And you’re in control.