Incorporate security into your development and DevOps workflow
Our dedicated focus on building products that are thorough, easy to use, and effortless to integrate allows us to empower your developers, regardless of their prior security training. Security teams become more empowered to focus on strategic initiatives, rather than becoming distracted by constantly fighting fires. Our web scanner can still be used by your security teams and pentesters to find vulnerabilities in the sites they are testing, but the developers themselves can be the first line of defense.
Your DevOps team can find and fix vulnerabilities as they’re building as a seamless part of their current development process, with no additional burden. DevOps teams become the critical first line of defense, increasing bandwidth for security teams to focus on strategic security initiatives.
We integrate with your existing toolsets like JIRA for issue tracking, or Jenkins for your build pipeline / CI process. We also make it trivial to replay attacks, by providing single-click replays for the precise request that exploited the vulnerability, and single-click rescans to verify a fix.
Faster Security
Push security priorities up the stack and empower developers to fix vulnerabilities in real time as they build. You already have developers creating your applications. Why shouldn't they also be able to secure them? Our easy integrations and simple setup help you start scanning in just 5 minutes!
Seamless Integration
Whether integrating our API into a continuous integration process or viewing vulnerability data on our website, you’ll find no hangups and no jargon because our mission is to simplify the vulnerability reporting and fixing process. We’ll give you how-to-fix instructions, complete with code snippets tailored to the language you wrote your application in. Integrations allow us to fit right into the developer’s workflow, so we never break them out of the builder’s mindset.
Digestible Data
Security doesn't have to be difficult. We provide your team with clean technical information so they can easily find each vulnerability and fix them quickly. You don’t have to run analytics to understand our results. You can also replay attacks and rescan vulnerabilities with a single click. Immediate feedback will show you how a vulnerability affects your site and if you’ve fixed it!
Fast Blackbox Analysis
We ingest API documentation to build a map of all the endpoints on the API and their parameters, including constraints. We fuzz all of the parameters with values generated by analyzing the constraints and validations specified. We can bypass server-side input validation and scan core business logic, and we can find authorization and authentication bypasses by fuzzing authentication workflows defined by the user. All of this in less than a minute, on average; we spend our time testing the parts of the API most likely to be vulnerable.
Intelligent Payloads
Payloads are generated based on the constraints defined in the documentation you provide. Because we can see the parameter definitions, we know, for example, whether the input needs to be a string between 5 and 12 characters long, or whether it needs to be of a specific format. Using this knowledge, we automatically generate boundary tests which stress the application's ability to behave according to its specification. As a result, our payloads are mostly correct, but malicious in some way; we do not fuzz using random garbage, which makes our scanning efficient, intelligent, and incredibly effective.
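The endpoint mapping and constraint-driven boundary testing described in the two sections above, as an added example that is not Bellanaleck Security's code: it reads a constructed OpenAPI-style fragment (a hypothetical `/users` endpoint), derives off-by-one values around each documented `minLength`/`maxLength`/`minimum`/`maximum`, and flags any parameter whose server-side check disagrees with the spec. The target is a constructed stand-in function, not a real service.

```python
"""Boundary payloads from documented constraints (added example)."""
from typing import Any, Callable, Dict, Iterator, List, Tuple

# Constructed OpenAPI-style fragment describing a hypothetical endpoint.
SPEC: Dict[str, Any] = {"paths": {"/users": {"post": {"parameters": [
    {"name": "username", "in": "query",
     "schema": {"type": "string", "minLength": 5, "maxLength": 12}},
    {"name": "age", "in": "query",
     "schema": {"type": "integer", "minimum": 18, "maximum": 120}},
]}}}}


def boundary_values(schema: Dict[str, Any]) -> List[Tuple[Any, bool]]:
    """Return (value, spec_says_valid) pairs straddling each documented limit."""
    out: List[Tuple[Any, bool]] = []
    if schema.get("type") == "string":
        lo, hi = schema.get("minLength", 0), schema.get("maxLength")
        if lo > 0:
            out += [("a" * (lo - 1), False), ("a" * lo, True)]
        if hi is not None:
            out += [("a" * hi, True), ("a" * (hi + 1), False)]
    elif schema.get("type") == "integer":
        lo, hi = schema.get("minimum"), schema.get("maximum")
        if lo is not None:
            out += [(lo - 1, False), (lo, True)]
        if hi is not None:
            out += [(hi, True), (hi + 1, False)]
        out.append(("12abc", False))  # wrong type: mostly a number, but not one
    return out


def parameters(spec: Dict[str, Any]) -> Iterator[Tuple[str, str, str, Dict[str, Any]]]:
    """Walk the spec and yield (path, METHOD, parameter name, schema)."""
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for p in op.get("parameters", []):
                yield path, method.upper(), p["name"], p["schema"]


def find_validation_gaps(spec: Dict[str, Any],
                         send: Callable[[str, str, str, Any], int]) -> List[Tuple]:
    """send(path, method, name, value) -> HTTP status. A gap is any value the
    spec calls invalid that the server accepts (2xx), or a valid one it rejects."""
    gaps = []
    for path, method, name, schema in parameters(spec):
        for value, valid in boundary_values(schema):
            accepted = 200 <= send(path, method, name, value) < 300
            if accepted != valid:
                gaps.append((method, path, name, value))
    return gaps


def fake_send(path: str, method: str, name: str, value: Any) -> int:
    """Constructed stand-in for the target; its age check is off by one (accepts 121)."""
    if name == "username":
        return 200 if 5 <= len(value) <= 12 else 400
    try:
        return 200 if 18 <= int(value) <= 121 else 400
    except ValueError:
        return 400
```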
Login Authenticators
API authentication is complicated, including methods as diverse as OAuth 2, JWT, and your run-of-the-mill authorization headers. A full authentication process for an API typically combines and layers several of these authentication methods on top of one another. Bellanaleck Security allows you to specify these authenticators as building blocks, each performing one piece of an authentication workflow. We give you tools to expressively define workflows, which gives us a better understanding of the authentication and where it might be failing. This allows us to uniquely check for authentication edge cases, including authorization bypass, in ways that no other scanners can.
Proper Javascript Scanning
We believe every application needs to be vetted in the manner in which it is built. As new technologies evolve, so does our scanner. We run your application through a headless browser to intercept and analyze JavaScript and AJAX requests, even as newly created forms are populated. Though JavaScript scanning takes longer, we obtain more thorough results than the competition.
Scan any Environment
Whether you’re running in the cloud or on an air-gapped system, we can run with you. We offer both SaaS and on-premise solutions (and everything in between!). Our goal is to ensure a comfortable level of security for you and your data. Each appliance we set up is fully managed, updated, and secured as frequently as our self-hosted SaaS.
Results for Developers
Whether integrating our API into a system or viewing vulnerability data on our website, you’ll find no hangups, and no jargon, because our mission is to simplify the vulnerability reporting and remediation process. We’ll give you how-to-fix instructions, complete with code snippets, tailored to the language you wrote your application in. Any engineer can effortlessly find and fix the root cause of a vulnerability, regardless of their prior security experience.
Use a scanner built for new enterprise
Our enterprise offerings include access to a multitude of tools that help integrate security into your DevOps process. If you have internal applications not exposed to the internet, we can scan those too, either via our secure reverse tunnel or a fully-managed, internal, virtual appliance.
Our DevOps integrations include an easy-to-use API that hooks our scanner into your current security or continuous integration (CI) systems, and also a first-party plugin for Jenkins. With tailored results and seamless integrations with JIRA (or other issue trackers), developers are empowered to fix vulnerabilities before they hit the public.
Dig deeper into your applications
We’ll scan each time a new version of your site is deployed. We can also log into any website, including SAML / Single Sign-On authenticated sites. Our patent-pending Login Recorder (available as a simple Chrome extension) allows you to teach the scanner how to authenticate into your site by recording your login sequence. Our team of extraordinary engineers is also able to create very specific vulnerability modules for known risks that may impact only your industry. Please contact us if you’re interested in learning more. We've done crazy, custom schemes too, just ask us!
Find more vulnerabilities with fewer false positives
Our dynamic heuristic testing allows us to find more web application vulnerabilities than anyone else, with fewer false positives! To date, we have found more than two million vulnerabilities on our customers’ sites, with fewer than 0.5% false positives. We regularly incorporate new tests and always score higher than any other scanner on industry-standard benchmarks.