Frequently Asked Questions

STROBES is an application vulnerability management platform that provides a window into the state of your application security program and helps bridge the communications gap between security and software development teams. STROBES allows security teams to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using.

Vulnerability data is normalized to an internal data format to identify duplicated application scan results. Our format uses the Common Weakness Enumeration (CWE) as its vulnerability type taxonomy, and also incorporates elements of vulnerability attack surface location and/or path through the source code.

Most vulnerability correlation tools do not correlate vulnerabilities automatically. Even those that do rely heavily on CWE IDs for merging.

We at STROBES realize that this is insufficient, as several tools do not assign the right CWEs, or any CWEs at all. Certain tools rely on vulnerability names instead, which results in mismatches and duplication. STROBES can perform automatic, intelligent merging thanks to a proprietary technology called the STROBES Risk Language (ORL), whereby the system recognizes different names and values, with or without CWEs, and merges them automatically.

ORL will consolidate vulnerabilities across SCA, SAST and DAST tool results. All the vulnerabilities are automatically correlated without the need for any manual intervention.
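A simplified illustration of the normalization idea described above, added here as an example; it is not STROBES' ORL. It assumes a hand-made name-to-CWE lookup table (real tools differ in their naming) and uses constructed sample findings from tools named on this page.

```python
# Toy normalization and de-duplication of findings from several scanners.
# Simplified illustration (not STROBES' ORL); sample findings below are constructed.
from collections import defaultdict

# Assumption: a small name-to-CWE table for tools that report no CWE ID.
NAME_TO_CWE = {
    "sql injection": 89,
    "reflected xss": 79,
    "cross site scripting": 79,
}

def normalize(finding):
    """Map one raw finding to (CWE, normalized path, line); CWE falls back to a name lookup."""
    cwe = finding.get("cwe")
    if cwe is None:
        name = finding["name"].replace("_", " ").replace("-", " ").lower()
        cwe = NAME_TO_CWE.get(" ".join(name.split()))
    # Make the path OS-independent so './app/db.py' and 'app\\db.py' compare equal.
    path = (finding.get("path") or "").replace("\\", "/").lstrip("./")
    return (cwe, path, finding.get("line"))

def correlate(findings):
    """Merge findings that share a key; findings with no resolvable CWE stay unmatched."""
    merged = defaultdict(lambda: {"tools": set(), "names": set()})
    unmatched = []
    for finding in findings:
        key = normalize(finding)
        if key[0] is None:
            unmatched.append(finding)  # no CWE: do not merge on name alone
            continue
        merged[key]["tools"].add(finding["tool"])
        merged[key]["names"].add(finding["name"])
    return dict(merged), unmatched

# Constructed sample results; two tools report the same two flaws under different names.
SAMPLE_FINDINGS = [
    {"tool": "Bandit", "name": "SQL Injection", "cwe": 89, "path": "./app/db.py", "line": 42},
    {"tool": "Checkmarx", "name": "SQL_Injection", "cwe": None, "path": "app\\db.py", "line": 42},
    {"tool": "Checkmarx", "name": "Reflected_XSS", "cwe": None, "path": "src/Main.java", "line": 10},
    {"tool": "FindSecBugs", "name": "XSS_SERVLET", "cwe": 79, "path": "src/Main.java", "line": 10},
    {"tool": "Snyk", "name": "Vulnerable lodash", "cwe": None, "path": None, "line": None},
]

if __name__ == "__main__":
    merged, unmatched = correlate(SAMPLE_FINDINGS)
    for key, info in merged.items():
        print(key, sorted(info["tools"]))
    print("unmatched:", [f["tool"] for f in unmatched])
```

Five raw findings collapse to two merged vulnerabilities, while the SCA finding without a CWE or a resolvable name is kept aside rather than merged by name alone.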

STROBES currently supports 20+ popular commercial and open-source static, dynamic and interactive scanning technologies, software composition analysis scanners as well as major application security SaaS providers. The good news is we’re building new tool integrations all the time. If there’s a specific scanning tool or defect tracker that you are looking to integrate with, please let us know.

STROBES supports the following SCA, SAST and DAST tools:

SCA
  1. OWASP Dependency Checker
  2. Snyk
  3. WhiteSource
  4. NpmAudit
SAST
  1. Checkmarx
  2. FindSecBugs
  3. Brakeman
  4. Bandit
  5. AppScan-SAST
  6. NodeJsScan
  7. Xanitizer
  8. HP Fortify
  9. Veracode
  10. GoSec
DAST
  1. ZAP
  2. Burp
  3. Arachni
  4. AppSpider
  5. W3af
  6. AppScan
  7. Acunetix

Strobes uses open-source databases to store and process data: PostgreSQL is its primary data store, and MongoDB is used by the ORL component.

STROBES is typically deployed as an on-premises web application. Production installations of STROBES use a PostgreSQL database for scalability; contact us for more information.

As a fully containerized platform, STROBES can be deployed in two ways: with Kubernetes or with Docker Compose.

1. STROBES is easy to deploy and orchestrate using Kubernetes. It has the following components:
  1. API Service - Python, Django
  2. ReactJS Front-end Service
  3. PostgreSQL Database
  4. NodeJS API Service
  5. MongoDB
  6. Minio - File Storage and Handling
2. With Docker Compose, STROBES can be deployed on a single server, enabling one-click deployment.

As soon as Strobes is deployed, a dedicated team of experts will walk the user through the list of applications, using the in-built documentation to get started. This documentation acts as the complete user manual for Strobes. A user can also request extended onsite or offline support.

Strobes supports the following open-source static analysis tools (SAST):
  1. Brakeman
  2. Bandit
  3. NodeJsScan
  4. GoSec
  5. FindSecBugs
In addition, tools other than those listed can be integrated with Strobes through Strobes JSON.

Production installations of Strobes use PostgreSQL databases for scalability.

Although recommended, a dedicated server is not required. Strobes is a containerized platform that can run on an existing web server or a virtual machine, so the user can choose whichever configuration works best.

To examine a vulnerability in the affected line of code within STROBES, the user navigates to the individual vulnerability page. Clicking the affected instance tab on that page lists the vulnerable lines of code, and clicking a vulnerable line shows further details of the code along with the line number of the vulnerability.

These vulnerabilities are reported based on the details the SAST tools report as part of their findings.

Currently, there is no option to view the latest and older results separately; Strobes automatically merges both and shows them in the open vulnerabilities section. In the list of scans, however, the user can see the scans ordered by the most recently uploaded results.

Strobes has two-way sync features with the following Issue Management / Bug-Tracking Tools:
  1. JIRA
  2. Github
  3. VSTS (Azure DevOps)

We believe in giving the user the freedom to work with any Continuous Integration/Deployment tool, which is why we have developed Strobes Webhooks. Webhooks allow the user to post results into Strobes using a simple HTTP request and the export file from the tool (XML, JSON, YAML, etc.). This ensures that the user can easily push data into Strobes from any source, including Jenkins, Bamboo, GitLab and others: with Strobes Webhooks, results can be pushed from any CI/CD platform to Strobes. Read more about Strobes Webhooks here.

Supported DAST tools:
  1. ZAP
  2. Burp
  3. Arachni
  4. AppSpider
  5. W3af
  6. AppScan - DAST
  7. Acunetix

Strobes does not store any source code, as it is a correlation and management platform. It only consumes results from security tools in order to correlate vulnerabilities, without needing to store any of your data or code.

STROBES is not a scanner. It is a vulnerability management tool. It allows you to manage results from such tools.

We provide the ability to perform LDAP Authentication as an optional add-on to Strobes.

Yes, Strobes allows for a role-based user management and offers authentication via LDAP or Active Directory. Administrators can control which tasks and data specific users can view. An administrator can create different roles and permissions, limiting users’ access to certain teams or specific applications and also limit the types of tasks that can be completed in the system.

Since Strobes does not directly interact with tools, any tool that gives out vulnerability reports in the XML or JSON format can be integrated via a Webhook. If the format of the reports is different from the ones mentioned above, then it can be converted to Orchy JSON and published to Strobes via Webhooks.

Please visit our online documentation to view our getting started guide, and environment setup instructions. We also offer a Strobes Knowledge program through which we can send our consultants onsite to expedite the setup and configuration of Strobes within your organization. At the end of the engagement, you will have a fully functional, production-ready deployment of Strobes. Please contact us for additional details or to obtain a quote.

There are a couple of different ways to stay informed: follow the Strobes blog, follow @wesecureapp on Twitter, or sign up for the Strobes Newsletter at the bottom of the page.

We’ll send you updates to let you know about product updates (new releases/bug fixes and enhancements) and product roadmap details, including planned features and integrations with new tools and technologies.

Obviously, with Strobes we take security very seriously. Any security issues should be reported directly to the Strobes team, and those items will be handled promptly.

To schedule a demo, please contact WESECUREAPP.

Why delay when it comes to security?

GET IN TOUCH WITH US!