What languages does Seeker support?
See the Seeker datasheet for more information about the languages Seeker supports. We’re always working to add new languages, so you can expect new additions on a regular basis.
Do we have to compile the source code using a Seeker tool?
No, Seeker instrumentation does not require you to compile source code using a Seeker tool. It uses runtime instrumentation to perform security testing.
You referred to a “source code plan.” How is that captured?
Seeker acquires source code information from application binaries, which usually include this information by default. So you don’t need to do anything special to your application binaries to instrument or test them with Seeker.
How can the Seeker agent find a vulnerability not in source code?
Can it find vulnerabilities if the source code is compiled at runtime (i.e., if the vulnerability isn’t in readable code)?
Seeker detects vulnerabilities at runtime by monitoring application behavior. It uses an automated verification engine at runtime to verify vulnerabilities. Seeker does not need source code to verify vulnerabilities, so it doesn’t require source code scanning for application security testing.
Does Seeker integrate with any IDEs?
At the moment, Seeker does not have an out-of-the-box integration with any IDEs. But we plan to create IDE plugins for Seeker in the future.
Is Seeker for developers or just for security teams?
We designed Seeker to meet the needs of both developers and security teams.
Security teams can monitor application security test results in Seeker using compliance reports (for standards such as OWASP Top 10, PCI DSS, CWE/SANS Top 25, and GDPR), vulnerability reports aggregated by severity, or the CAPEC (Common Attack Pattern Enumeration and Classification) taxonomy for a comprehensive overview of security posture.
For developers, Seeker provides the full context for vulnerabilities (source code, line number, URL, and runtime parameters), so it’s easy for developers to reproduce and fix vulnerabilities. In addition, Seeker integrates with developer tools (such as Jira, Jenkins, Slack, and email), so it fits well into developer workflows.
Seeker also has an automated verification engine to verify results and minimize false positives. That means developers can focus their efforts on development instead of chasing false positives, and security teams can get a view of an application’s true security posture.
What is a “verified vulnerability”?
A verified vulnerability is one that Seeker has run its verification step on and confirmed to be real. During that step, Seeker replays the original requests with tampered input to confirm or invalidate each finding, so “verified” means “confirmed.”
Can Seeker verify findings from other tools?
My development team has issues with the noise generated from Fortify. Can Seeker validate those findings or at least help filter out some false positives?
Yes, Seeker would certainly help, because its verification engine automatically verifies vulnerabilities in real time, reducing false positives to a near-zero rate.
Is the integrated eLearning in Seeker video-based or just text?
Our eLearning platform offers a mix of text, audio, and video, with assessments to test the learner’s knowledge and comprehension. The eLearning integration with Seeker provides on-demand access to this immersive and intuitive learning platform, which includes:
- Real-world case studies
- Knowledge checks and assessments
- Interactive exercises
- Technical deep dives
- And more
Can we integrate Seeker with SCA tools from other vendors?
For example, can Seeker integrate with Sonatype Nexus Lifecycle (IQ Server) instead of Black Duck?
Seeker is already integrated with the best-of-breed Black Duck Binary Analysis engine to identify vulnerabilities in open source and third-party components. And we provide comprehensive APIs to import Seeker results (including SCA) into any tool of your choice. Seeker does not offer out-of-the-box integration with any SCA tools other than Black Duck Binary Analysis.