April 02, 2015
We just released version 2.2 of Lucent Sky AVM, and are excited to tell you about some of the key updates, including parameterized mitigation for SQL injections and updates of the web UI.
We’ve expanded the scenarios where parameterized queries are used to mitigate SQL injections. Unlike input validation and escaping, parameterized queries rely on neither blacklists nor whitelists; instead, placeholders stand in for parameters and the parameter values are supplied at execution time. Because there is no “list” to evade, parameterized queries cannot be bypassed. However, the design and architecture of some database access mechanisms are incompatible with parameterized queries, and input validation and escaping are used to mitigate vulnerabilities found in those instances. With the updated mitigation algorithms, more varieties of SQL injections are mitigated with parameterized queries. We’ve also changed how parameterized mitigation interacts with custom mitigations. In the past, if a parameterized query could be applied to a SQL injection, custom mitigation settings were ignored. Starting with version 2.2, custom mitigation settings are used for all SQL injections.
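To make the distinction concrete, here is an added example (not code from the original post or from Lucent Sky AVM) that puts a string-concatenated lookup beside its parameterized form, and adds the case the post alludes to where parameters cannot be used: a user-chosen sort column is an identifier, not a value, so a whitelist check is the only option. The table, rows and function names (`lookup_concat`, `lookup_param`, `list_sorted`, `run_demo`) are all constructed for this illustration.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"id", "username", "email"}


def make_db():
    """Build a constructed in-memory sample table (not real application data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "ob@example.com")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: the value is spliced into the SQL text.

    A quote character inside the value changes the structure of the
    statement, so an attacker-controlled string rewrites the query and an
    honest value containing an apostrophe breaks it."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """Mitigated form: a placeholder is bound at execution time.

    The driver hands the value to the engine as data, never as SQL text,
    so there is no list of bad characters to maintain or to bypass."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_sorted(conn, sort_column):
    """Case where parameters do not apply: ORDER BY takes an identifier.

    Placeholders bind values, not column names, so the mitigation here is
    input validation against a whitelist of known columns."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % sort_column)
    sql = "SELECT username FROM users ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql)]


def run_demo():
    """Run each lookup against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {}
    tautology = "' OR '1'='1"   # constructed input; closes the quote and adds OR
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        for label, value in (("apostrophe", "o'brien"), ("tautology", tautology)):
            try:
                results[(name, label)] = fn(conn, value)
            except sqlite3.Error as exc:
                results[(name, label)] = "error: " + type(exc).__name__
    results["sorted_ok"] = list_sorted(conn, "username")
    try:
        list_sorted(conn, "id; DROP TABLE users")
        results["sorted_bad"] = "accepted"
    except ValueError:
        results["sorted_bad"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Running it shows the concatenated lookup failing outright on a legitimate name with an apostrophe and returning every row for the tautology input, while the parameterized lookup returns exactly the one matching row for the first and nothing for the second; the sort helper accepts a known column and rejects anything else before it reaches the engine.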
We updated Lucent Sky AVM’s web UI to let users filter results more precisely. If you want to see only the cross-site scripting results from your last two scans, for example, the UI can now isolate and visualize exactly that subset. This makes AVM results easier to navigate and to share with others.
This is really exciting for people who have been using AVM on the same application over a period of time. We can now show you the cumulative results of all the scans - the decreasing number of vulnerabilities and the total time and money saved, based on your actual application data. Now rather than approximating the impact of Lucent Sky AVM, we can show you using your own data.
Cloud-based Lucent Sky AVM has already been updated to version 2.2. For more information about making the most of each new feature, we’ll be releasing additional blog posts with more detailed instructions and guides. Stay tuned!