TauruSeer Launches On-Demand Vulnerability Scanner in CI/CD Pipelines for Effective Security Automation

Apr 23, 2019
Latest release of TauruSeer's free Scanner tool enables scanning automation in existing build and deployment processes using native plugins for CI/CD tools, like Jenkins. Ensure your environments are continuously free of common security issues, and further, correlate more tools to generate additional insights through TauruSeer's analysis engine such as:

April 23, 2019, Jacksonville, FL - TauruSeer today announced that its on-demand vulnerability scanning service has launched for customers that build and maintain software in Cloud-Native DevOps environments (or on-premise if an organization does not permit data to leave the environment).

Managing software and systems risk is a black box to organizations. Executives and teams lack comprehensive and accurate visibility of risks and of how they should prioritize work efforts to manage that risk. At the speed of business today, a closed-loop discover>>prioritize>>validate remediation process for continuous assurance is now a requirement. TauruSeer's scanning service offers a fast, convenient, and cost-effective way to bring that security assurance early in the software development lifecycle, and all the way through the build, deployment, and production phases.

Start Left to Drive Consistent and Secure Releases

Moving fast requires building software based on container technology, open source, programming languages, frameworks, libraries and other dependencies in DevOps environments, accelerating development and improving innovation speed and agility. It's like building a house with Lego blocks, with no way to validate security. Developers must check not just their own code for vulnerabilities, but also their dependencies, to make software more secure.

Unchecked code and dependencies, unmanaged substandard development techniques, and third-party open source introduce potential risks and vulnerabilities, produce process inefficiencies, reduce productivity, and create higher costs as security gates become blockers. 

To enable organizations to fully embrace DevOps speed safely and securely, TauruSeer built a unique SCA technique, "Software Dependency Vulnerability Mapping," complementary to other static (SAST) or dynamic (DAST) code analysis techniques (which the platform can also integrate with).

TauruSeer's Scanner technology can be set to run continuously enterprise-wide across all your products, and any time code is updated or changed. It catalogs your inventory of all code-level components, mapping them to known vulnerabilities. This data is also used to track and alert on "code at rest" and "code rot / software decay" issues. These additional insights are important for lifecycle planning, maintenance, performance improvements, and cost reductions.

By offering an accessible security scanner, organizations can automate security integration into their development and delivery cycle against a database of over 5 million common vulnerability signatures, including language-specific signatures for Python, Java, JavaScript, NPM (Node.js), .NET, C/C++, Ruby, and Linux packages. TauruSeer checks for known vulnerabilities based on multiple aggregated sources, including NVD, vendor-issued security advisories, proprietary CVE data streams, and information from software developers. In addition, TauruSeer's team further compares and resolves results to eliminate false positives.

FEATURES
  • Set it and forget it. Schedule recurring scans and automate insights for real-time, daily, or monthly results.
  • Secure software from the start. Use our API to seamlessly integrate security scans into development workflows. 
  • Active where you are. Connect with work item tracking or other communication tools to easily get notifications where your teams are already working. 
  • Your data your way. Export results in CSV, JSON, or XML to import into other services or include in your own evidence gathering reports for compliance.

How TauruSeer’s On-Demand Vulnerability Scanner Works

TauruSeer's Scanner works by embedding an executable that runs at build time on a build server to analyze source code, binaries, and configuration and glean useful information, such as framework versions, dependencies, database discovery, vulnerabilities, configuration risks, and more, via TauruSeer's API. For custom implementations in more regulated environments, scans can easily include additional dependency detection plugins, vulnerability detection plugins, framework detection plugins, and SAST or DAST plugins, as examples.

In a hybrid connection, the scanner can exist within the organization's environments behind their firewall and constantly analyze the source code. From there, the scanner pushes generated or computed data—in contrast to source data—up to a data warehouse utilizing secure connections. 

In the TauruSeer platform, this generates a Product-Centric Risk Modeling view of vulnerabilities found, their scores and severities, as well as suggested remediations. TauruSeer then further reduces complexity and alert fatigue by automatically prioritizing the highest-risk issues with our proprietary Risk Scoring engine. Without a closed-loop process there are no means to validate remediation; TauruSeer is the only platform that automates the end-to-end process of re-scanning to assure that patches or updates have been made.

In addition to the context provided by the product-centric code inventory and vulnerability mapping gathered by Scanner, with the integration of other tools, C-Level and IT Management can automatically pinpoint failing builds, or trace back to the code deployed by specific personnel into production that caused an outage, service impairment, or errors in data. This way, IT Management can highlight the team or individual needing help, allowing organizations to "win faster" by removing delivery impediments, ensuring services run correctly in production, and fixing interruptions quickly.

Furthermore, this information is automatically correlated with other tool data for dashboards and insight into suspicious activity patterns or malicious behavior, such as:
  • Abnormal use of resources (e.g., a private code repository turned public, or developers inserting "back doors" or vulnerabilities into production)
  • Deploying code without formal change approval processes
  • Unauthorized access to production or pre-production environments
  • System configuration risks (e.g., database, OS, networking, virtualization, storage, continuous integration servers)
All of which might otherwise go undetected, even in products free from known vulnerabilities.

DevSecOps: Teaming Up to Make It Happen

TauruSeer's security scanner allows teams to easily automate tests, including for cross-site scripting (XSS) and SQL injection. Gain actionable, risk-based, easy-to-understand insight on how to fix security issues, so teams can solve problems independently and reduce internal threats.
  • For Security Teams. Save days of work with automated security testing against OWASP and other vulnerability databases. Respond to issues quickly within the platform or assign them automatically in a work item tracking tool, like JIRA.
  • For Developers. Automatically find weaknesses and vulnerabilities in your software from the moment you start building it. Connect to our API to run security scans on your build as you code, with no need for security experts.
  • For DevOps. Add Scanner to your DevOps workflow to integrate automated security scans into your infrastructure. Monitor your software for security flaws during its build and before deployment without compromising speed.

The scanner can be run on a schedule or included in the build process and typically takes <5 minutes to complete. TauruSeer's Scanner is available for download for:
  • Azure DevOps (Service/Server) Plug-in
  • Windows 7 / Windows Server 2012 or later (x64)
  • Linux / Ubuntu 16.04 or later (x64)
  • macOS 10.10 or later

About TauruSeer

TauruSeer enables customers to proactively manage cyber risk and execute faster in a secure and resilient environment from development to production, accelerating DevSecOps adoption and bridging the gap between Executives, Security, Compliance, and DevOps. TauruSeer's NextGen GRC for DevOps Platform, offering cyber resilience solutions, provides full visibility into the complete lifecycle of software products, processes, and activities. Integrated with software management and orchestration tools, systems management tools, and personnel management tools, the TauruSeer platform provides transparent, automated risk management while helping to simplify security and continuous compliance with regulations. For more information, visit www.tauruseer.com or follow us on twitter.com/tauruseer.

TauruSeer was founded by software experts and security leaders with direct experience implementing Zero Trust and DevSecOps in global enterprise settings. The company's comprehensive platform is currently in private beta, and its Scanner represents a small subset of the platform's capabilities. Organizations interested in becoming beta customers can request to join: hello [@] tauruseer dot com
