Vulnerability Import and Merging
Large organizations use a variety of tools to detect vulnerabilities. These often include both commercial and open source tools that provide both static and dynamic analysis of applications. In addition, different divisions within an organization use different scanning tools and practices. When multiple tools are used, their results need to be correlated and merged to get a true picture of the security state of the application. Vulnerability Manager can import results from a variety of tools. In addition, Vulnerability Manager supports automatic and manually-assisted merging of vulnerabilities so that static and dynamic results can be correlated. Well-defined software interfaces allow organizations to easily create importers for new tools as long as the results are available in a structured format. Basic importers can be created in just a few hours of coding and can be incrementally improved over time.
| | Static | Dynamic |
|---|---|---|
| Commercial | IBM Rational AppScan Source Edition (formerly Ounce Labs), Fortify SCA/360 (unreleased), Checkmarx | IBM Rational AppScan, WhiteHat Sentinel, Mavituna Netsparker |
| Freely-Available | Microsoft CAT.NET, OWASP Orizon, FindBugs | |
Importers for new scanning technologies can easily be added by extending Vulnerability Manager through these well-defined software interfaces.
Please note that these importers are part of the Vulnerability Manager and are neither endorsed by nor supported by the associated scanning technology vendors at the current time.
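The import-and-merge flow described above, as an added example that is not Vulnerability Manager's own code and does not use any vendor's real report format: two hypothetical importers (`StaticXmlImporter`, `DynamicJsonImporter`) implement a common `Importer` interface and normalize findings into one schema (CWE id, URL path, parameter), `merge_findings` correlates them automatically on that key, and `suggest_manual_merges` lists near-matches for manually-assisted review. The XML and JSON report layouts, tool names and sample findings are all constructed for this example.

```python
"""Added example: a minimal scanner-importer and merge pipeline.
Report formats, tool names and sample data are constructed, not any vendor's output."""
import json
import xml.etree.ElementTree as ET  # for untrusted scanner files, prefer defusedxml
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that produced the finding
    kind: str        # "static" or "dynamic"
    cwe: int         # CWE id is the shared vocabulary both kinds of tool can map to
    location: str    # normalized URL path of the affected endpoint
    parameter: str   # affected input parameter, "" if none
    detail: str      # tool-specific reference: file:line for static, request URL for dynamic


def normalize_location(url: str) -> str:
    """Reduce a full URL or bare path to a comparable path: no host, query or trailing slash."""
    path = urlparse(url).path or "/"
    return path.rstrip("/") or "/"


class Importer:
    """Interface every importer implements; adding a tool means adding one subclass."""
    tool = "unknown"
    kind = "unknown"

    def parse(self, text: str) -> list[Finding]:
        raise NotImplementedError


class StaticXmlImporter(Importer):
    """Hypothetical static report: <report><issue cwe file line url param/>...</report>."""
    tool, kind = "static-tool-a", "static"

    def parse(self, text: str) -> list[Finding]:
        root = ET.fromstring(text.strip())
        return [Finding(self.tool, self.kind, int(i.get("cwe")),
                        normalize_location(i.get("url", "")), i.get("param", ""),
                        f"{i.get('file')}:{i.get('line')}") for i in root.iter("issue")]


class DynamicJsonImporter(Importer):
    """Hypothetical dynamic report: {"vulns": [{"cwe": .., "url": .., "param": ..}]}."""
    tool, kind = "dynamic-tool-b", "dynamic"

    def parse(self, text: str) -> list[Finding]:
        return [Finding(self.tool, self.kind, int(v["cwe"]), normalize_location(v["url"]),
                        v.get("param", ""), v["url"]) for v in json.loads(text)["vulns"]]


@dataclass
class MergedVuln:
    cwe: int
    location: str
    parameter: str
    sources: list = field(default_factory=list)  # every Finding folded into this record

    @property
    def confirmed_by_static_and_dynamic(self) -> bool:
        return {"static", "dynamic"} <= {f.kind for f in self.sources}


def merge_findings(findings: list[Finding]) -> list[MergedVuln]:
    """Automatic merge: findings with the same (CWE, path, parameter) are one vulnerability."""
    merged: dict = {}
    for f in findings:
        key = (f.cwe, f.location, f.parameter)
        merged.setdefault(key, MergedVuln(*key)).sources.append(f)
    return sorted(merged.values(), key=lambda m: (m.cwe, m.location, m.parameter))


def suggest_manual_merges(merged: list[MergedVuln]) -> list[tuple]:
    """Manually-assisted merge: same CWE and parameter, seen by only one kind of tool each,
    but on different paths (e.g. a URL rewrite the static side could not see)."""
    single = [m for m in merged if not m.confirmed_by_static_and_dynamic]
    pairs = []
    for i, a in enumerate(single):
        for b in single[i + 1:]:
            if (a.cwe, a.parameter) == (b.cwe, b.parameter) and a.location != b.location \
                    and {f.kind for f in a.sources} != {f.kind for f in b.sources}:
                pairs.append((a, b))
    return pairs


# Constructed sample reports (hypothetical formats, benign sample values).
STATIC_XML = """
<report>
  <issue cwe="79" file="src/LoginServlet.java" line="42" url="/login" param="user"/>
  <issue cwe="89" file="src/SearchDao.java" line="17" url="/search" param="q"/>
  <issue cwe="22" file="src/FileServlet.java" line="88" url="/download" param="name"/>
</report>
"""
DYNAMIC_JSON = """{"vulns": [
  {"cwe": 79, "url": "http://app.example.test/login/?user=alice", "param": "user"},
  {"cwe": 89, "url": "http://app.example.test/search?q=report", "param": "q"},
  {"cwe": 22, "url": "http://app.example.test/files/download?name=report.pdf", "param": "name"}
]}"""


def merge_demo() -> list[MergedVuln]:
    findings = StaticXmlImporter().parse(STATIC_XML) + DynamicJsonImporter().parse(DYNAMIC_JSON)
    return merge_findings(findings)


if __name__ == "__main__":
    merged = merge_demo()
    for m in merged:
        tools = ", ".join(f"{f.tool} ({f.detail})" for f in m.sources)
        print(f"CWE-{m.cwe} {m.location} param={m.parameter!r} "
              f"confirmed={m.confirmed_by_static_and_dynamic} <- {tools}")
    for a, b in suggest_manual_merges(merged):
        print(f"review: CWE-{a.cwe} {a.location} vs {b.location} (param {a.parameter!r})")
```

Keying the automatic merge on CWE plus normalized path plus parameter is deliberately conservative: two findings are only collapsed when every tool-independent attribute agrees, and anything weaker (the CWE-22 pair above, where the static tool reports `/download` and the dynamic tool `/files/download`) is surfaced for a human rather than silently merged or silently duplicated.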
