Seeker
Interactive Application Security Testing
Easy-to-use enterprise-scale IAST that accurately identifies and verifies vulnerabilities

Overview
Seeker® Interactive Analysis, our interactive application security testing (IAST) solution, gives you unparalleled visibility into your web app security posture and identifies vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, GDPR, CAPEC, and CWE/SANS Top 25). Seeker enables security teams to identify and track sensitive data to ensure that it is handled securely and not stored in log files or databases with weak or no encryption. Seeker’s seamless integration into DevOps CI/CD workflows enables continuous application security testing and verification.

Unlike other IAST solutions, which only identify security vulnerabilities, Seeker can also determine whether a security vulnerability (e.g., XSS or SQL injection) can be exploited, thus providing developers with a risk-prioritized list of verified vulnerabilities to fix in their code immediately. Using patented methods, Seeker quickly processes hundreds of thousands of HTTP(S) requests, identifies vulnerabilities, and reduces false positives to near zero. This enables security teams to focus on actual verified security vulnerabilities first, greatly improving productivity and reducing business risk. It’s like having a team of automated pen testers assessing your web applications 24/7.

Seeker applies code instrumentation techniques (agents) inside running applications and can scale to address large enterprise security requirements. It provides accurate results out of the box and doesn’t require extensive, lengthy configuration. With Seeker, your developers don’t have to be security experts, because Seeker provides detailed vulnerability descriptions, actionable remediation advice, and stack trace information, and it identifies vulnerable lines of code.

Seeker continuously monitors any type of testing applied to web apps and seamlessly integrates with automated CI build servers and test tools. Seeker leverages these tests (e.g., manual QA of login pages or automated functional tests) to automatically generate multiple security tests.

Seeker also includes Black Duck® Binary Analysis, our software composition analysis (SCA) solution, which identifies third-party and open source components, known vulnerabilities, license types, and other potential risk issues. Seeker and Black Duck analysis results are presented in a unified view and can be sent automatically to bug-tracking and collaboration systems of choice, so developers can triage them as part of their normal workflow.

Seeker is ideal for microservices-based app development as it can bind together multiple microservices from a single app for assessment. Seeker analyzes the flow of data between microservices to analyze the system as a whole, not just as a set of unrelated applications. Data flows are tracked over HTTP(S), gRPC, shared databases, and more.

Figure: Comprehensive dashboard view of top security vulnerabilities, from application to components and APIs involved.

Figure: Instant visualization with detailed test coverage and data flow tracking. It displays the architecture of the system under test, including data flowing into the app from various sources, data flowing between different components of the system, and outgoing calls to third-party APIs and web services.
blackduck.com | 1
Continuous, quick, actionable results in real time

Only enterprise-scale IAST solution with active verification
Seeker’s unique active verification feature allows it to process hundreds of thousands of HTTP(S) requests and quickly eliminate false positives from identified vulnerabilities, helping to ensure near-zero false positives. For enhanced test coverage, Seeker’s parameter identification feature detects unused parameters and retests them using malicious values, thus exploring more potential application attack surfaces, hidden parameters, and back doors.

Benefits:
• Both security and development teams see greatly improved productivity.
• Lower overall costs / fewer resources are required for dynamic application security testing (DAST) or manual pen testing.

Comprehensive analysis results contain all the information necessary to address vulnerabilities:
• A clear explanation of the risk
• Runtime memory values and context
• A technical description
• The vulnerable lines of code
• Relevant, context-based remediation instructions

Figure: Multiple detailed panes show the dataflow and the impact of malicious inserted parameters (e.g., dynamic SQL concatenation). The results also show whether identified vulnerabilities have been auto-verified as exploitable or eliminated as false positives.

Figure: Seeker also integrates Black Duck Binary Analysis and SCA, which sends application binaries for composition analysis and uploads the results to the Seeker dashboard.

Easy to deploy and use
Seeker uses instrumentation techniques and runtime analysis to continuously monitor, identify, and verify security vulnerabilities in web applications, typically during integration testing and QA, right up to the production deployment stage of the software development life cycle (SDLC). Applications can be on-premises, microservices-based, serverless functions, or cloud-based. Seeker supports modern app development methodologies and technologies. Simply deploy agents at each tier or node of an application that runs code (Docker containers, virtual machines, cloud instances, etc.), and they’ll track every action performed on the running app. Analysis results are available in real time, without the need for any special scans.

Not only does Seeker analyze code line by line, correlating dataflow and runtime code execution in real time; it also examines the interaction of the code with your sensitive data, microservices, and API calls across the application tiers and components. This technology identifies vulnerabilities that pose a real threat to critical data, including complex vulnerabilities and logical flaws no other technology can detect.

Seeker’s integration with eLearning and Secure Code Warrior provides contextual help and training for developers and DevOps teams. It allows them to gain in-depth understanding of vulnerabilities and remediate them easily and in real time.
Get started with Seeker right away
• Fits seamlessly into CI/CD workflows. Native integrations and web APIs provide seamless integration with the tools you use for on-premises, cloud-based, microservices-based, and container-based development.
• Deploys quickly and easily. Seeker provides real-time analysis with near-zero false positives, out of the box.
– Accurate out of the box with no extensive configuration or tuning
– No need for website login credentials or special scans
– Active verification takes into account input validation libraries and custom functions to sanitize inputs (e.g., SQL injection vulnerabilities)
– Scalable in large enterprise environments
• Works with virtually any type of test method. Seeker’s nonobtrusive passive monitoring option allows it to work with existing test automation, manual or functional tests, automated web crawlers, and more.

Detailed test coverage with API discovery, tracking, and data flow map of your app and microservices
Automated URL mapping, API discovery, and endpoint tracking provide a comprehensive view of the extent of test coverage of a web app. Seeker graphically shows what has already been tested and what has not, and provides visual data flow mapping that aids in effective taint analysis. You can easily compare coverage differences between different versions of the same app.

Active verification automatically generates sequences of requests to boost coverage for OpenAPI/Swagger and GraphQL based applications.

Sensitive-data and secrets tracking
Seeker’s unique ability to track sensitive data and secrets is an industry first. Users can mark data as sensitive (e.g., credit card numbers, tokens, and passwords) so that this data can be tracked whenever it is stored unencrypted in a log, database, or file. Tracking sensitive data can help you achieve compliance with the sections of PCI DSS that require data encryption, as well as other industry standards and regulations such as GDPR. This enables substantial gains in productivity and time savings over manual inspection, as well as savings in costs and resources.

Figure: Highest OWASP benchmark score: 100% Seeker Score
Seeker | Technical Specification

Supported languages
• ASP.NET
• C#
• Clojure
• ColdFusion
• Go
• Gosu
• Groovy
• Java
• JavaScript (Node.js)
• Kotlin
• PHP
• Python
• Scala (incl. Lift)
• VB.NET

Supported platforms
• Java
– Any Java EE server
– GlassFish
– Red Hat JBoss Enterprise Application Platform
– Red Hat JBoss Web Server
– Tomcat
– WebLogic
– WebSphere
• .NET Framework
– IIS
– WCF
– OWIN
– SharePoint
• .NET Core
• Node.js
• PHP

Runtime/frameworks
• .NET/CLR
– ASP.NET MVC
– Enterprise Library
– Entity Framework
– NHibernate
– Ninject
– NVelocity
– OWASP ESAPI
– SharePoint
– Spring.NET
– Telerik
– Unity
• Go
– Chi
– Echo
– Gin
– Net/http
• Java/JVM
– Enterprise JavaBeans (EJB)
– Grails
– GWT
– Hibernate
– Ktor
– Micronaut
– OWASP ESAPI
– Play
– Ring
– Seam
– Spring/Spring Boot
– Struts
– Vaadin
– Velocity
– Vert.x
• Java Runtime:
– AdoptOpenJDK
– Amazon Corretto
– Eclipse OpenJ9
– IBM
– Oracle HotSpot
– OpenJDK
– Red Hat OpenJDK
• Node.js
– Express
– Fastify
– Hapi
– Koa
• PHP
– Laravel
– Symfony
• Python
– Django
– Flask

Technologies
• Databases
– NoSQL DB
– Cassandra
– Couchbase
– DynamoDB
– HBase
– MongoDB
• Relational/SQL
– DB2
– HSQLDB
– MS SQL
– MySQL
– PostgreSQL
– SQLite
– Oracle
• Application types
– Ajax
– JSON
– Microservices
– Mobile (over HTTP/S)
– RESTful
– Single-page applications
– Web (incl. HTML5)
– Web APIs
– Web services
• Interprocess communications
– HTTP(S)
– gRPC
– Kafka
– Apache Dubbo
– RabbitMQ
– JMS
– Database tables

Cloud platforms
• Azure PaaS/Azure Function
• AWS
• AWS Lambda
• Google Cloud
• Tanzu (PCF)
About Black Duck
Black Duck® offers the most comprehensive, powerful, and trusted portfolio of application security solutions in the industry. We have an unmatched track record of helping organizations around the world secure their software quickly, integrate security efficiently in their development environments, and safely innovate with new technologies. As the recognized leaders, experts, and innovators in software security, Black Duck has everything you need to build trust in your software. Learn more at www.blackduck.com.
©2024 Black Duck Software, Inc. All rights reserved. Black Duck is a trademark of Black Duck Software, Inc. in the United States and other countries. All other names mentioned
herein are trademarks or registered trademarks of their respective owners. August 2024