Seeker FAQ: Interactive application security testing and CI/CD

Our Seeker FAQ provides answers about Seeker IAST, active verification, integration into CI/CD pipelines, configuration, sensitive-data tracking, and more.

Do you face challenges in integrating or automating application security testing in your CI/CD pipeline? Is security slowing down your teams? Are your development teams tired of all the false-positive noise? Are you looking for a one-size-fits-all application security testing strategy for DevOps? Do you need to know how to minimize your attack surface in this era of increasing software complexity and user demands?

If you said yes to any of these questions, you might want to watch this short on-demand webinar, where we discuss how digital transformation has created an even playing field and widened the digital divide when it comes to building a secure CI/CD pipeline. We also demonstrate a next-generation application security tool, IAST, to show how it helps both development and security teams perform continuous runtime security testing within CI/CD pipelines.

For those who attended the live webinar, we thank you for the lively discussions and questions about Seeker and IAST. As promised, this Seeker FAQ provides responses to the questions we didn’t have time to address. (Note: We’ve grouped similar questions together.)

Watch the webinar

What does Seeker do when security is compromised in real time?

Seeker is a modern interactive application security testing (IAST) tool that works best on an application under test as part of a stand-alone, automated, or CI/CD process. It helps shift security testing left, enabling you to catch application runtime vulnerabilities earlier in the SDLC. Seeker performs security monitoring, detection, and testing concurrently in the background while your teams carry out their usual functional tests. When it detects a security vulnerability, its unique patented active verification engine automatically replays, retests, and verifies in real time whether the vulnerability is real and exploitable. You can also configure Seeker to automatically create a bug ticket or break the build during CI and send instant alerts to developers and security teams if there are high-severity critical bugs that need immediate attention.

Unlike runtime application self-protection (RASP) tools, which are used more as a last-mile defensive mechanism (typically late in the SDLC), Seeker enables both security and development teams to implement a proactive and agile security approach early in the SDLC. Seeker’s integration with Black Duck Binary Analysis and Synopsys eLearning provides both runtime behavior and code-level insights into your custom code and third-party and open source components, with remediation guidance and learning on the go. Seeker equips your DevOps team with the knowledge they need when they need it to do their job effectively.

Does Seeker integrate with TFS and git-tfs?

Seeker has a broad set of APIs that allow it to integrate with any version control system or bug-tracking tool or system. We’re continuously adding out-of-the-box integrations with developer tools. For the latest information, check our website.

How much does Seeker cost?

Seeker is licensed on a per-team basis. Please contact our sales team for more information.

Is there a trial version of Seeker?

We’d be happy to provide a demo and trial version. Please contact our sales team for more information.

How is Seeker better than traditional DAST?

Since DAST tools perform black box testing, there is no easy way to trace a vulnerability back to its source. Addressing issues found by DAST requires extra cycles to validate findings and locate the vulnerability in the code. DAST also produces a higher rate of noise in general. Seeker, on the other hand, can provide more accurate results with fewer false positives because when it finds a vulnerability, its patented active verification engine automatically replays and retests the finding in real time to ensure it’s real and exploitable.

DAST is not ideal for highly iterative CI/CD environments, as a single scan can take days to complete. With Seeker, results arrive in real time, as the test traffic exercises the code. Seeker also correlates the entry point (the target URL and request) with the code location where the vulnerability lives, which speeds up remediation; DAST, working from the outside, cannot supply that information.
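The three mechanisms this answer and the first one rely on (monitoring a sink in the background while ordinary functional tests run, tying the request entry point to the code location, and replaying the request to verify that the finding is real and exploitable) are easier to see in code. The following is an added example, not Seeker's implementation and not code from the original post: a toy Python agent wraps a database connection the way an IAST agent hooks a sink in the runtime, records the request in flight, reads the offending code location off the call stack, and then replays the request with a probe value. The application, its two routes, the agent, and the probe payload are all constructed for this illustration.

```python
"""Added illustration of the IAST mechanism: hook a sink, correlate the request
entry point with the code location, then replay to verify the finding.
Everything here (app, routes, agent, probe) is constructed for illustration
and is not Seeker's implementation."""
import os
import sqlite3
import traceback
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


# ---- Application under test (constructed sample) -------------------------------

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


def lookup_user_vulnerable(db, name):
    # Deliberately vulnerable: the request parameter is concatenated into the SQL text.
    return db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def lookup_user_safe(db, name):
    # Parameterised: the value is bound separately and never appears in the SQL text.
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


ROUTES = {"/user": lookup_user_vulnerable, "/user-safe": lookup_user_safe}


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_request(db, url):
    """Minimal router standing in for the web framework an agent would instrument."""
    return ROUTES[urlparse(url).path](db, query_params(url).get("name", ""))


# ---- The agent -----------------------------------------------------------------

@dataclass
class Finding:
    entry_point: str      # request URL that led to the sink
    parameter: str        # request parameter whose value reached the sink
    code_location: str    # file:line in function, read off the stack at the sink
    verified: bool = False


class Agent:
    AGENT_FRAMES = {"execute", "on_sql_sink", "_code_location"}

    def __init__(self):
        self.request = None   # (url, params) of the request being handled, else None
        self.findings = []

    def on_sql_sink(self, sql):
        """Called by the instrumented sink with the SQL text about to run."""
        if self.request is None:
            return
        url, params = self.request
        for name, value in params.items():
            # Crude taint check: the untrusted value appears verbatim in the SQL text.
            if value and value in sql:
                self.findings.append(Finding(url, name, self._code_location()))

    def _code_location(self):
        # Walk outward from the sink to the first frame that is not the agent's own.
        for fr in reversed(traceback.extract_stack()):
            if fr.name not in self.AGENT_FRAMES:
                return f"{os.path.basename(fr.filename)}:{fr.lineno} in {fr.name}"
        return "unknown"


class InstrumentedConnection:
    """Wraps the DB connection the way an agent hooks a sink inside the runtime."""

    def __init__(self, conn, agent):
        self._conn, self._agent = conn, agent

    def execute(self, sql, *args):
        self._agent.on_sql_sink(sql)
        return self._conn.execute(sql, *args)

    def __getattr__(self, name):
        return getattr(self._conn, name)


def run_monitored(db, agent, url):
    """Handle one request while telling the agent which request is in flight."""
    agent.request = (url, query_params(url))
    try:
        return handle_request(db, url)
    finally:
        agent.request = None


def verify(db, finding):
    """Active verification: replay the request with a probe appended to the suspect
    parameter and compare the observable outcome with the original response."""
    params = query_params(finding.entry_point)
    baseline = handle_request(db, finding.entry_point)
    params[finding.parameter] += "' OR '1'='1"   # probe: harmless tautology
    probe_url = f"{urlparse(finding.entry_point).path}?{urlencode(params)}"
    probed = handle_request(db, probe_url)
    finding.verified = len(probed) > len(baseline)   # more rows: the injection took effect
    return finding.verified


def scan(urls):
    """Drive ordinary functional-test requests through the instrumented app and
    return the findings, each one actively verified."""
    agent = Agent()
    db = InstrumentedConnection(setup_db(), agent)
    for url in urls:
        run_monitored(db, agent, url)
    for finding in agent.findings:
        verify(db, finding)
    return agent.findings


if __name__ == "__main__":
    for f in scan(["/user?name=alice", "/user-safe?name=alice"]):
        print(f)
```

Running `scan` over the two constructed requests yields exactly one finding, for `/user?name=alice`, pointing at the line inside `lookup_user_vulnerable` and marked verified because the replayed probe returned more rows than the baseline; the parameterised `/user-safe` route produces nothing, since the value never reaches the SQL text. The point of the replay step is what the page calls active verification: the report is based on an observed change in behaviour, not on the pattern match alone.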

In addition, Seeker’s integration with Black Duck Binary Analysis gives DevOps and security teams insight not just into their own custom code but into third-party and open source components as well, and its integration with Synopsys eLearning provides remediation guidance and tips so teams can fix issues on the go.

Seeker allows you to integrate application security testing into CI/CD pipelines easily.

Can I use Mabl automation with Seeker?

Yes. Seeker, like any IAST tool, detects vulnerabilities in web and mobile web applications by observing the application while it is exercised, so it works with any test automation framework that can drive traffic to the web application, Mabl included.

If I have the budget for only one tool this year, do you recommend Seeker, Black Duck, or Coverity?

It really depends on your objective, what type of software development and delivery framework you have in place, and who the tools are for.

Use case: You’re concerned about the risks from third-party or open source code and components in your applications.
Recommendation: Your first priority should be to put in place a software composition analysis (SCA) solution, such as Black Duck.

Use case: Your development teams use multilanguage tools and frameworks, and you’re concerned about the lack of secure coding practices among your developers.
Recommendation: A SAST tool such as Coverity can support your developers’ needs.

Use case: You’re just starting out with application security in your organization, or you’re starting on a smaller scale (project or team level).
Recommendation: An IAST tool such as Seeker will provide the best value. You’ll get both runtime analysis insights and source-level information. Best of all, Seeker integrates Black Duck Binary Analysis, which gives you further insight into vulnerable third-party components.

Is Seeker open source?

No, Seeker is not open source software.

Does Seeker have any operating system (OS) level dependencies?

Seeker runs on Windows and on various Linux distributions.

Who is responsible for writing tests to run: Seeker or the customer?

Seeker relies on test cases created by your development and testing teams. You don’t need to develop additional security-specific test cases, and you don’t need extra security scans or tests in your CI/CD workflow. Seeker automatically monitors your application under test and detects security vulnerabilities in the background.

Does Seeker work with fully automated testing?

Yes, Seeker works best when there are structured test cases and/or automation in place.

What languages does Seeker support? What about Python?

Seeker supports the most widely used languages and runtimes, including Java, .NET, and Node.js, and we’re continuously working to increase language coverage. For the latest information, including Python support, check the Seeker datasheet.

Does Seeker provide remediation and fixes for the code?

When Seeker finds a vulnerability, it provides remediation advice and sample code to address the vulnerability. It’s also integrated with Synopsys eLearning, which makes it easy for nonsecurity professionals to learn about and remediate issues on the fly.

Do we need to set up a separate enterprise server to install and configure Seeker?

Yes, you’ll need to set up a Seeker enterprise server. However, installation and configuration are fairly simple.

You mentioned data breaches. How does Seeker track sensitive data, and how does it differ from other tools?

Seeker is the only IAST tool that finds sensitive-data leakage vulnerabilities by pattern matching on values. Because it observes the actual values flowing through the application at runtime, it can recognize sensitive data by its format wherever that data ends up, which makes detection both accurate and comprehensive. Traditional DAST tools can’t do this, and SAST tools can detect sensitive-data leakage only from the static code, with no visibility into runtime values, so they are less accurate than Seeker.
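What value-based pattern matching looks like in practice, and the check a practitioner would want alongside it, is shown in the following added example. It is not Seeker's code and not from the original post: it scans a runtime value (here a constructed HTTP response body) for card-number and US SSN formats, then validates each candidate with a Luhn checksum or an issuance-rule check so that a 16-digit order number or an impossible SSN does not become a false positive. The sample response, the patterns, and the masking format are all assumptions made for the illustration.

```python
"""Added illustration of value-based sensitive-data detection: scan runtime values
for patterns, then validate each candidate with a check that format-only matching
lacks. Constructed for illustration; not Seeker's implementation."""
import re
from dataclasses import dataclass

# Candidate patterns; the lookarounds stop a longer digit run from being split into pieces.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass
class Finding:
    kind: str
    masked: str      # never store or report the full value
    offset: int      # where in the scanned value it was found


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 13-19 digit numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    # The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_for_sensitive_data(value: str):
    """Return masked findings for every validated card number or SSN in `value`."""
    findings = []
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("credit_card", "*" * (len(digits) - 4) + digits[-4:], m.start()))
    for m in SSN_RE.finditer(value):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample response: one real-looking card, one 16-digit order id that is not
# a card, one plausible SSN and one reference number that only looks like an SSN.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"order_id": "1234567890123456", "card": "4111 1111 1111 1111", '
    '"ssn": "123-45-6789", "support_ref": "000-12-3456"}'
)

if __name__ == "__main__":
    for f in scan_for_sensitive_data(SAMPLE_RESPONSE):
        print(f)
```

On the sample response this reports the card (masked to its last four digits) and the SSN, and nothing for `order_id` or `support_ref`. The validation step is what keeps value matching from becoming the kind of noise the FAQ complains about elsewhere: a format-only regex would have flagged all four values. Note that the scanner only ever keeps a masked form, since a tool that reports a leak by copying the leaked value into a ticket has created a second leak.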


*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Kimm Yeo. Read the original post at: https://www.synopsys.com/blogs/software-security/seeker-faq-iast-cicd/