![INTERNAL
© confidential 8
Summary
Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST)
Technology Support Strong Technology support Strong Technology Support Moderate Technology Support
Integration for DevOps
Strong candidate for
Integration with DevOps
pipeline with ease of
deployment and configuration
Good candidate for Integration
with DevOps pipeline with ease
of deployment and configuration
Moderate candidate for
Integration with DevOps pipeline
with ease of deployment and
configuration
False Positive
Elimination
AI powered security assistant
allows elimination of False
Positive
Doesn’t offer any False Positive
elimination capability
Doesn’t offer any False Positive
elimination capability
Speed & Scanning
Accuracy
Strong candidate due to speed
and accuracy
Good candidate due to speed
and moderate accuracy
powered by Legacy CheckMarx
Technology[multiple data
structure scan]
Moderate candidate due to
speed and accuracy
Business Logic
Analysis
Capability to identify business
logic vulnerabilities during
development e.g. Privilege
Escalation, malicious code
detection
Capability to identify business
logic vulnerabilities during
development e.g. Privilege
Escalation, malicious code
detection
Doesn’t offer Business Logic
Analysis](https://image.slidesharecdn.com/iasttoolspocreportv1-250115070736-18420b96/85/IAST-Tools-POC-Report-for-interactive-testing-8-320.jpg)
IAST Tools POC Report for interactive testing
- 2. INTERNAL © confidential 2 Objective Conduct Proof of Concept to evaluate IAST Tools against ELC centric requirements as per ELC directions and along with ELC Team Perform Technical Evaluation against defined parameters Score each IAST tool against technical evaluation parameters Conclusion
- 3. INTERNAL © confidential 3 Tool Evaluation Criteria Evaluation Criteria Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST) Ease Of Installation Configuration and maintenance Easy to install, configuration and maintain tool. Easy to install, configuration and maintain tool. Easy to install, configuration and maintain tool. Tools Hardware Specification • 32 GB RAM. • CPU-8 Core. • Operating system CentOS/Ubuntu/Windows • Free disk space-300GB. • 32 GB RAM. • CPU 4 Core • Operating system – Windows/Linux • Free disk space-500GB • 8 GB RAM. • CPU 4 Core • Operating system- Windows • Free disk space-200GB In-build Tool Benefits • IDE integrated Scan for easy of remediation. • Support Incremental and Asynchronous scans • IDE integrated Scan for easy of remediation. • Support Incremental and Asynchronous scans • Doesn't support IDE integration • Support Incremental and Asynchronous scans. Tool Flavors • Offers both UI and Command line usage • Offers only UI and Command line usage • Offers only UI
- 4. INTERNAL © confidential 4 Tool Evaluation Criteria Evaluation Criteria Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST) Technology Support ASPNET,C#,Clojure, Gosu, Groovy, Java, JavaScript (Node.js), Scala (Inc. Lift), VB.NET Java, JavaScript (Node.js), ASPNET,C# Java, .NET and Node.js Integration and Automation capabilities Tool has good integration with DevOps Orchestration and support optimum automation capabilities. Tool has good integration with DevOps Orchestration and support optimum automation capabilities Tool has good integration with DevOps Orchestration and supports heavy automation capabilities Tool implementation time frame < 1 day to install and configure the setup <2 days to install and configure the setup <2 days to install and configure the setup Reporting Excellent – easy to understand report Good – easy to understand report Moderate – report are not comprehensive Accuracy of security Findings Higher number of findings with good accuracy Higher number of findings however lacks accuracy Moderate number of findings however lacks accuracy
- 5. INTERNAL © confidential 5 Tool Evaluation Criteria Evaluation Criteria Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST) Environments Development, QA, Production Development, QA, Production Development, QA an dProduction Speed Instant (at runtime) Instant (at runtime) Instant to hours How It Works Analyzes code and behavior of running apps through instrumentation Analyzes code and behavior of running apps through instrumentation Analyzes application during Manual testing phase and identify vulnerabilities Allows Continuous Security Testing YES YES YES CI/CD Integration YES YES YES Vulnerable Coverage High Moderate Medium Accuracy Score: 100% Score: 100% Low Vulnerabilities Detection on Outsourced Developments YES YES NO
- 6. INTERNAL © confidential 6 Tool Evaluation Criteria Evaluation Criteria Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST) Licensing Model a) License based on the number of applications. a) License based on number of applications a) License based on number of applications.
- 7. INTERNAL © confidential 7 IAST Tool Scoring Sr.No Scoring Parameters Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST) Operational 1 Installation/Configuration and Integration 8 6 6 2 In-build Tool Components 7 7 6 3 Tool Flavor 8 8 8 4 Licensing Model 7 7 6 5 Costing 8 6 6 6 Reporting and Scanning 8 8 7 Technical 7 Language/Technology Support 9 6 6 8 Overall Effectiveness of Tool 9 7 6 9 Report Comparision & Review 7 6 6 Overall Score 71 62 57
- 8. INTERNAL © confidential 8 Summary Seeker(Synopsys) Checkmarx(IAST) AppScan(IAST) Technology Support Strong Technology support Strong Technology Support Moderate Technology Support Integration for DevOps Strong candidate for Integration with DevOps pipeline with ease of deployment and configuration Good candidate for Integration with DevOps pipeline with ease of deployment and configuration Moderate candidate for Integration with DevOps pipeline with ease of deployment and configuration False Positive Elimination AI powered security assistant allows elimination of False Positive Doesn’t offer any False Positive elimination capability Doesn’t offer any False Positive elimination capability Speed & Scanning Accuracy Strong candidate due to speed and accuracy Good candidate due to speed and moderate accuracy powered by Legacy CheckMarx Technology[multiple data structure scan] Moderate candidate due to speed and accuracy Business Logic Analysis Capability to identify business logic vulnerabilities during development e.g. Privilege Escalation, malicious code detection Capability to identify business logic vulnerabilities during development e.g. Privilege Escalation, malicious code detection Doesn’t offer Business Logic Analysis
- 9. INTERNAL © confidential 9 Summary- Conclusion Tool Evaluation : Tool that were evaluated are Seeker, Checkmarx and Appscan. Summary of Finding : Considering overall DevSecOps requirements and IAST to be performed by developers our choice of tool will be Seeker. The IAST tools in-scope cannot be compared apple-to-apple considering they have unique factor which competitor tools wouldn’t possess.
- 10. INTERNAL Thank You for your time Cybersecurity & Risk Services Wipro Limited