Application vulnerability correlation (AVC) is an important capability of the integrated MAVERIX DevSecOps platform. Application security testing (AST) tools such as Open Source Analysis (OSA), Static Application Security Testing (SAST), Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Behavioral Application Security Testing (BAST) generate thousands of security issues. These issues need to be consolidated for automated review, so that false positives can be eliminated and duplicates merged. A security engineer should be able to group related security issues under one security defect, prioritize all security defects holistically, and submit selected security defects to software defect management.
MAVERIX imports security issues from AST tools. Security issues inherit their original priority assignments. A security engineer can review all issues, identify false positives, and mark them accordingly. After the next security scan by the AST tool, MAVERIX remembers the false-positive marks. Having all the required information about the security issues and the development environment, MAVERIX can apply machine learning (ML) algorithms for automatic review and identification of false positives.
The correlation module provides security engineers with a unified user interface containing all the required information about a specific build and stage in the CI/CD pipeline. A security engineer can determine whether the latest available AST scan can be used to validate that a security defect marked as fixed by a developer has really been fixed. Depending on the context, security issues can be grouped by different criteria such as section of code, artifact, or file. Once grouped, the resulting security defects are marked "open" for synchronization with the defect management software.
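The correlation workflow described in the two paragraphs above (normalize findings from several AST tools, deduplicate them, carry forward false-positive marks into the next scan, group what remains into defects marked "open") can be illustrated with a small self-contained example. This is added illustrative code, not MAVERIX's own implementation or API: the finding schema, the field names, the fingerprinting rule and the sample findings are all assumptions constructed for the example.

```python
"""Toy application-vulnerability correlation: normalize findings from several
AST tools, deduplicate them, carry forward false-positive marks from an earlier
review, and group what remains into defects ready for a tracker.

All data below is constructed; the schema and field names are assumptions,
not MAVERIX's own API."""
from collections import defaultdict
import hashlib

# Constructed sample findings from three tools. Each tool reports in its own
# shape; the SAST finding and the IAST finding refer to the same SQL sink.
RAW_FINDINGS = [
    {"tool": "sast", "rule": "CWE-89", "path": "src/db/users.py", "line": 42,
     "severity": "high"},
    {"tool": "iast", "cwe": 89, "file": "src/db/users.py", "line": 44,
     "priority": "critical"},
    {"tool": "sast", "rule": "CWE-79", "path": "src/web/views.py", "line": 10,
     "severity": "medium"},
    {"tool": "sca", "rule": "DEP-PLACEHOLDER-0001", "path": "requirements.txt",
     "line": 3, "severity": "low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize(raw):
    """Map a tool-specific record to the common schema. Priority is inherited
    from the tool's own assignment, as the text describes."""
    weakness = raw.get("rule") or f"CWE-{raw['cwe']}"
    return {
        "tool": raw["tool"],
        "weakness": weakness,
        "file": raw.get("path") or raw["file"],
        "line": raw["line"],
        "priority": raw.get("severity") or raw["priority"],
    }


def fingerprint(issue, line_bucket=10):
    """Stable key for 'same weakness, same file, same neighbourhood of code'.
    Bucketing the line number lets two tools that disagree by a few lines
    correlate; the bucket size is a tunable assumption of this example."""
    key = f"{issue['weakness']}|{issue['file']}|{issue['line'] // line_bucket}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def correlate(raw_findings, known_false_positives=frozenset()):
    """Deduplicate findings across tools, keep the highest inherited priority,
    and drop anything whose fingerprint was marked false positive earlier."""
    merged = {}
    for raw in raw_findings:
        issue = normalize(raw)
        fp = fingerprint(issue)
        if fp in known_false_positives:
            continue  # the mark from the previous review carries over
        if fp not in merged:
            merged[fp] = {**issue, "tools": {issue["tool"]}, "id": fp}
        else:
            m = merged[fp]
            m["tools"].add(issue["tool"])
            if SEVERITY_RANK[issue["priority"]] > SEVERITY_RANK[m["priority"]]:
                m["priority"] = issue["priority"]
    return list(merged.values())


def group_into_defects(issues, by="file"):
    """Group correlated issues into defects by a chosen criterion (file here,
    could be artifact or code section) and mark each defect 'open' for
    synchronization with defect management."""
    groups = defaultdict(list)
    for issue in issues:
        groups[issue[by]].append(issue)
    defects = []
    for key, members in sorted(groups.items()):
        top = max(members, key=lambda i: SEVERITY_RANK[i["priority"]])
        defects.append({"group": key, "status": "open",
                        "priority": top["priority"],
                        "issue_ids": sorted(i["id"] for i in members)})
    return defects


if __name__ == "__main__":
    # First review pass: the engineer marks the XSS finding as a false positive.
    first = correlate(RAW_FINDINGS)
    xss = next(i for i in first if i["weakness"] == "CWE-79")
    remembered_fps = {xss["id"]}
    # Next scan: the mark carries over, so the XSS issue no longer surfaces.
    second = correlate(RAW_FINDINGS, remembered_fps)
    for defect in group_into_defects(second):
        print(defect)
```

The important design choice is the fingerprint: it has to be stable across scans and across tools so that a false-positive mark survives re-scanning and so that SAST and IAST reports of the same sink collapse into one issue, yet specific enough that two different weaknesses in the same file stay separate. Line-number bucketing is one crude way to get that tolerance; a production correlator would key on something more robust such as the surrounding code's normalized hash.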