Lucent Sky AVM: FAQ

Vulnerability remediation

When vulnerabilities are identified, Lucent Sky AVM also extracts intent: contextual information about what the developer intended to achieve when the vulnerable code was written. The remediation algorithms then generate "Instant Fixes", secure code segments that directly replace vulnerable code while keeping its intent. When an Instant Fix cannot be generated for a particular vulnerability, Lucent Sky AVM generates a Guided Fix, contextually relevant remediation guidance that helps developers remediate the vulnerability effectively. For vulnerable software components, Lucent Sky AVM generates a Guided Update to help developers update them to a secure version.

Instant Fixes are generated in three steps: understanding the intent of the vulnerable code and code that interacts with it, identifying a remediation mechanism based on best practices and security standards, and locating an ideal location in the codebase for the remediation so that the vulnerability can be remediated while maintaining the intent of the changed code and code that interacts with it. All Instant Fixes of a scan are then generated in a single process to ensure their consistency and reliability.

Lucent Sky AVM's remediation algorithms are context- and intent-aware, so Instant Fixes are generated in a way that maintains the functionality of the original code. Additionally, an independent algorithm verifies the correctness of each Instant Fix after it is generated, as a fail-safe. However, any change to source code can potentially be "code-breaking". Therefore, applications secured by Lucent Sky AVM should go through the usual testing and QA processes, just as if a developer had made changes to the application.
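As an added illustration of what "replace vulnerable code while keeping its intent" means in practice (this is example code written for this page, not Lucent Sky AVM output or its remediation algorithm), the block below shows a SQL injection before and after the kind of in-source fix described above, together with the checks a QA pass would want: benign inputs behave identically, the injection payload is neutralised, and one edge case (a legitimate name containing an apostrophe) where the fixed code deliberately behaves differently from the original. The schema, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Before: the untrusted value is concatenated into the SQL text (CWE-89)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """After: same signature, same callers, same result shape; the untrusted
    value travels as a bound parameter and is never interpreted as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def intent_preserved(conn, names):
    """Regression check: for benign inputs the fix must return exactly what
    the original returned, otherwise the developer's intent was not kept."""
    return all(find_user_vulnerable(conn, n) == find_user_fixed(conn, n) for n in names)


def injection_blocked(conn):
    """A classic tautology payload dumps every row from the vulnerable version
    and matches nothing once the value is bound as a parameter."""
    payload = "x' OR '1'='1"
    leaked = find_user_vulnerable(conn, payload)
    safe = find_user_fixed(conn, payload)
    return len(leaked) == 3 and safe == []


def apostrophe_case(conn):
    """Edge case worth covering in QA: a legitimate name with a quote breaks the
    concatenated query (a SQL syntax error) but works with the parameterised one.
    Returns (vulnerable_version_succeeded, rows_from_fixed_version)."""
    try:
        find_user_vulnerable(conn, "o'neil")
        vulnerable_ok = True
    except sqlite3.OperationalError:
        vulnerable_ok = False
    return vulnerable_ok, find_user_fixed(conn, "o'neil")


if __name__ == "__main__":
    db = make_db()
    print("intent preserved:", intent_preserved(db, ["alice", "bob", "nobody"]))
    print("injection blocked:", injection_blocked(db))
    print("apostrophe case:", apostrophe_case(db))
```

The apostrophe case is the reason the page's advice to keep running the usual QA still applies: a correct fix can change observable behaviour on inputs the original code mishandled, and the test suite is where that difference should be noticed and accepted.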

Because the remediation is done within the source code, it has minimal impact on performance. Based on internal testing and user-reported metrics, more than 99% of requests are processed in the same time by applications secured by Lucent Sky AVM as by their vulnerable counterparts. Although comparing Lucent Sky AVM with WAF or RASP solutions is not really an apples-to-apples comparison, the performance impact of popular WAF or RASP solutions is around 18 times that of Instant Fixes. You can find more information about performance impact in our blog post Lucent Sky works with New Relic to put offline security into runtime analytics.

While both are the product of intelligent algorithms, Instant Fixes and generative AI-based "code fixes" differ significantly in their reliability and applicability:
  • Methodology: Instant Fixes are generated using intelligent remediation algorithms that understand the context and intent of the original code, following best practices curated by security experts. This ensures that Instant Fixes are secure, reliable, and functionally address the vulnerabilities. Generative AI-based code fixes are produced by large language models that predict the most statistically likely code for the given context, and therefore require careful review and potentially extensive modification.
  • Reliability: The algorithms behind Instant Fixes are designed to be consistent and reliable. Each Instant Fix is also independently verified to ensure that it effectively remediates the vulnerability without affecting functionality or introducing new issues. Large language models, on the other hand, are known to "hallucinate", producing suggestions that may be incorrect, irrelevant, or even introduce other vulnerabilities.
  • Applicability: Lucent Sky AVM is designed to be integrated with the SDLC and can be used fully automated, and Instant Fixes behave identically to code fixes written and committed by a human developer. Generative AI-based code fixes require review and potentially modification by experienced developers, and are best used as developer assistance rather than as an automated part of the SDLC.

Analysis

The time it takes to scan an application depends on the size and complexity of the application, as well as the capability of the system Lucent Sky AVM is running on. An application of one million lines of code can usually be scanned within 30 to 60 minutes.

If the application is made up of several smaller projects or modules (most large applications are), it is recommended to scan and secure the projects and modules in small groups or individually. Because Lucent Sky AVM uses hybrid analysis, project-by-project scanning has the same coverage and accuracy as scanning the entire application at once, but with much higher efficiency.

One of the largest applications scanned by Lucent Sky AVM has over five million lines of code. To improve analysis and remediation efficiency, it is recommended to scan the projects that make up a large application one at a time, instead of scanning the entire application at once. This also reduces the amount of processing power and memory required.

Lucent Sky AVM has two scanning modes, Intelligent Scan and Comprehensive Scan. Intelligent Scan automatically detects the parts of an application that need to be scanned. Comprehensive Scan scans all source code and libraries, while also giving the user the ability to specify which parts to scan by namespace and class.

Because the contextual and intent information Lucent Sky AVM uses to remediate vulnerabilities usually spans modules and classes, it is recommended to use Intelligent Scan and let Lucent Sky AVM select the scanning scope.

Third-party libraries, either in binary form such as .dll or .jar files or in source code form, are scanned with binary and source code analysis along with the application for unknown vulnerabilities. In addition, libraries and other dependencies are also scanned with software composition analysis for known vulnerabilities. Instant Fixes and remediation suggestions are available for unknown vulnerabilities, and dependency update guidance is available for known vulnerabilities.

Lucent Sky AVM uses multi-stage hybrid analysis as the basis of its remediation algorithms. Data flow, control flow, contextual, and intent-based analysis identify not only the location of vulnerabilities but their context as well. Through intent-based analysis, when a vulnerability is identified, Lucent Sky AVM evaluates the risk it poses and removes vulnerabilities with minimal risk to the application. This gives Lucent Sky AVM a lower rate of false positives compared with SAST tools. For those false positives that do slip through, users can use the suppress feature to prevent them from reappearing in future scans.
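To make the data-flow part of the paragraph above concrete, here is a deliberately small source-to-sink taint analysis over Python code, added for this page as an illustration; it is not Lucent Sky AVM's analysis engine and makes no claim about how that engine works. It assumes one untrusted source (any value reached through a `request` object), one sink (the first argument of any `.execute(...)` call, treated as SQL text), and propagates taint through assignments in statement order. The sample handlers it analyses are constructed for the example. Beyond the page's own description, it also records the chain of tainted variables, which is the "context" a remediation step needs in order to know which expression to rewrite.

```python
import ast

# Constructed sample input (not from the page): one vulnerable handler, one
# that binds the value as a parameter, and one with no untrusted data at all.
SAMPLE = '''
def vulnerable(request, cursor):
    name = request.args["name"]
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(sql)

def fixed(request, cursor):
    name = request.args["name"]
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def clean(cursor):
    limit = 10
    cursor.execute("SELECT * FROM users LIMIT " + str(limit))
'''

SOURCE_ROOT = "request"   # assumption: untrusted input enters through this object
SINK = "execute"          # assumption: first argument of .execute() is interpreted as SQL


def _names(node):
    """Every bare identifier referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _visit(stmts, tainted, findings):
    """Forward taint propagation in program order.
    `tainted` maps a variable name to the line where it became tainted."""
    for stmt in stmts:
        if isinstance(stmt, ast.Assign):
            refs = _names(stmt.value)
            if SOURCE_ROOT in refs or refs & tainted.keys():
                for target in stmt.targets:
                    for name in _names(target):
                        tainted[name] = stmt.lineno
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if isinstance(call.func, ast.Attribute) and call.func.attr == SINK and call.args:
                # Only the SQL-text argument matters; bound parameters (later args) are safe.
                hits = _names(call.args[0]) & (tainted.keys() | {SOURCE_ROOT})
                if hits:
                    trail = sorted(tainted.items(), key=lambda kv: kv[1])
                    findings.append((stmt.lineno, sorted(hits), trail))
        # Descend into nested blocks (if/for/while/with) in order. A real engine
        # would iterate loops to a fixed point; this illustration does not.
        for field in ("body", "orelse"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                _visit(inner, tainted, findings)


def find_sql_injection(source):
    """Return {function_name: [(sink_line, tainted_args, taint_trail), ...]}."""
    tree = ast.parse(source)
    results = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            findings = []
            _visit(node.body, {}, findings)
            results[node.name] = findings
    return results


if __name__ == "__main__":
    for fn, hits in find_sql_injection(SAMPLE).items():
        print(fn, "->", hits or "no source-to-sink flow")
```

The `fixed` handler still reads the same untrusted value, but the flow stops at the sink because the value is no longer part of the SQL-text argument; that is the same property the Instant Fix in the remediation section relies on. The `clean` handler shows why a bare string-concatenation pattern match would over-report: the concatenated value never came from a source.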

Reporting

  • Interactive, cryptographically-signed HTML report with the ability to filter and search vulnerabilities
  • PDF report
  • Cryptographically-signed XML report
  • Direct database access via WCF API

Deployment and integrations

Lucent Sky AVM can be deployed in three ways: on the cloud (Microsoft Azure, Rackspace or Amazon AWS), installed on a Windows server as software, or as a pre-configured appliance. You can find details about system requirements in the datasheet.

Updates to Lucent Sky AVM fall into two categories, Minor Releases and Servicing Updates. Minor Releases ship roughly every three to four months and include new features (such as new identification algorithms, remediation algorithms or compilers) and support for new standards (such as new vulnerability categories and new versions of frameworks and libraries). Servicing Updates ship between Minor Releases as needed and include fixes for product issues or other urgent updates. In addition, cloud-delivered intelligence provides real-time information to identify vulnerable software dependencies.

Lucent Sky AVM integrates with source control systems, such as Azure DevOps (TFS), CVS, Git, and SVN, through CLI or IDE plug-ins.

Lucent Sky AVM integrates with most CI servers and build servers through CLI or API. Learn more about integrating Lucent Sky AVM with your CI or build server.

Compatibility

Lucent Sky AVM is compatible with applications developed for .NET, ASP, Android, C/C++, Go, iOS, Java, Lua, PHP, Python, Ruby, Rust, and Visual Basic. It also supports cross-framework languages such as CFML, Dart, ECMAScript (including ActionScript, JavaScript, and TypeScript), HTML, and SQL, and data interchange languages such as JSON, XML, and YAML. To learn more about the application frameworks and languages supported by Lucent Sky AVM, visit Application frameworks and languages supported by Lucent Sky AVM on Lucent Sky Docs.

Licensing

Lucent Sky AVM is licensed with both User Client Access Licenses (User CALs) and Core Licenses. The Client Access License determines the number of users who can access a Lucent Sky AVM Server at the same time, while the Core License determines the maximum number of processor cores that can be used by a Lucent Sky AVM Server. To learn more about the license structure, visit Lucent Sky AVM licensing overview on Lucent Sky Docs.

All licenses of Lucent Sky AVM Standard Edition and Enterprise Edition allow an unlimited number of scans within the scope of the license. Multiple simultaneous scans are allowed under a single license.

Applications secured by Lucent Sky AVM do not require any Lucent Sky license to run, and they will continue to function should your license of Lucent Sky AVM expire.

Lucent Sky AVM licenses grant you the ability to scan applications in all the technology stacks and languages we support now or introduce through the duration of your subscription.

To accurately represent the size of an application, Lucent Sky AVM counts both the lines of code of the application and the size of the libraries it uses. Common 3rd-party libraries (such as Entity Framework and Spring MVC) do not count against the library size limit.

If your Lucent Sky AVM is licensed with a LOCe (lines of code equivalent) limit, you can either keep using the LOCe limit or convert it to a LOC + library size limit.

Each licensed user is able to access Lucent Sky AVM from multiple locations and interfaces (such as web UI, IDE plug-ins and CLI) simultaneously.

Lucent Sky AVM can only be used to scan applications directly owned or developed by the licensee. Scanning 3rd-party (including licensee's affiliates) applications is prohibited. If you are a service provider interested in using Lucent Sky AVM to provide services, or have other licensing questions, contact Lucent Sky support and a licensing engineer will get in touch with you.

Customization and maintenance

The types of vulnerabilities identified can be customized. When creating an application or starting a scan, users have the option to enable or disable various Vectors (such as web request or database) and Rules (such as cross-site scripting or SQL injection) to change the types of vulnerabilities that will be identified. Advanced users can also fine-tune Lucent Sky AVM's analysis behavior by modifying its rule package, a set of XML files that dictate what constitutes a vulnerability. To learn more about how to customize rule packages, contact Lucent Sky support.

The way vulnerabilities are remediated can also be customized. Out of the box, Lucent Sky AVM remediates vulnerabilities following industry standards and best practices. Users can change the behavior of the mitigation algorithms by modifying the rule package. For example, a user can specify that "for all privacy violation vulnerabilities from the database in these .NET applications, use my company's standard DLP library to remediate them." To learn more about how to customize rule packages, contact Lucent Sky support.

Using Lucent Sky AVM with security testing solutions

SAST tools are commonly used by security teams, and focus on vulnerability discovery and gatekeeping to ensure the security level of released applications. Lucent Sky AVM is mostly used within development teams, and focuses on vulnerability remediation to increase the efficiency of SDLC. Some organizations use Lucent Sky AVM in combination with their existing SAST tool — automating the vulnerability remediation early in the SDLC to greatly reduce the number of vulnerabilities found by SAST before releasing applications.

It depends. Many organizations conduct security testing near the end of a product development lifecycle or after the application has already been released. In such cases, Lucent Sky AVM is used before testing, enabling developers to greatly reduce the number of vulnerabilities in their source code prior to security testing and to reduce the back-and-forth of application source code between the development team and the security team.

For applications that have already been released and for which security testing has found vulnerabilities that need to be removed, Lucent Sky AVM is deployed at the stage where traditionally a person would manually remediate the vulnerabilities. Lucent Sky AVM scans the source code and generates a secured application that can be tested and re-released.

Lucent Sky AVM can be configured to remediate vulnerabilities identified by certain SAST tools, such as Checkmarx CxSAST, Fortify SCA, and Klocwork. To learn more about using Lucent Sky AVM to accelerate the remediation of vulnerabilities found by your SAST tool, let us know and one of our team members will get in touch with you.