Why use Azul Vulnerability Detection vs. traditional Application Security (AppSec) tools?

Azul re commends using AVD in conjunction with existing AppSec tools to reduce the security workload for Java applications by eliminating the need to investigate and remediate vulnerabil ities that are present in the code base but never used .

How do I access Azul Vulnerability Detection?

AVD is available via a web GUI or a REST API. In either case, you can retrieve results that show which components are in use, which are vulnerable, and when they were used or present. This information can be easily integrated into other systems and dashboards, such as AppSec Posture Management (ASPM) solutions

What granularity does Azul Vulnerability Detection provide when detecting vulnerabilities?

Where AppSec tools typically find vulnerabilities at the Java library/JAR level in non-production code, AVD detects vulnerabilities at the Java Class level in production data – all without impacting application performance .

How is Azul Vulnerability Detection priced and packaged?

AVD is a feature of Azul Intelligence Cloud, which collects Java code data from your JVMs and makes it available to A VD. As such, pricing is based on number of JVMs.

Vulnerability Detection

Eliminate up to 99% of false positives to boost DevOps productivity

Traditional AppSec and APM tools overwhelm DevOps teams with irrelevant security alerts that cripple prioritization and drain productivity. Azul Vulnerability Detection uses production Java runtime data to identify vulnerabilities at the Java Class level that are actually used, not just present in the codebase, eliminating false positives.

Unparalleled Java Vulnerability Detection

Continually process new JVM runtime data and compare it against a custom, curated database of known Java-specific vulnerabilities that is continuously updated. Fingerprinted components based on hashes of code repos enable detection of vulnerabilities in shaded jars, fat jars and slim jars that other tools using component/version pairs do not detect.

Runs in Production

Continually assesses both custom and commercial applications for exposure to vulnerabilities in production without the need for source code. Compares code run to Java-specific CVE (Common Vulnerabilities and Exposures) database in the cloud.

Eliminates False Positives

Focuses scarce human remediation effort where vulnerable code is used vs simply present. Eliminates false positives by monitoring code executed by the Java runtime (JVM) at the Java class level, generating far more accurate results than traditional tools.

No Performance Penalty

Highly efficient collection of runtime data eliminates the performance penalty commonly seen with other application security tools.

Detection for All Java Apps

Checks all of an enterprise’s Java-based software – whether they built it, bought it, or are introducing a regression with a recent change – including frameworks such as Spring, Hibernate, Tomcat, Quarkus, Micronaut, Kafka, Cassandra, Elasticsearch, Spark, Hive, Hadoop, and more.

Historical Traceability for Focused Forensics

Retains detection history, helping enterprises focus forensic efforts to determine if vulnerable code was actually exploited prior to it being known as vulnerable.