Each month, we release new features, improvements, and fixes across the Panaseer platform. Here’s a summary of what’s new in this month’s release.
New features
A more focused view of your business landscape
We have introduced a new Business Application inventory, enabling you to track and monitor your business applications as a distinct entity type within the platform.
Business applications from connected systems such as ServiceNow are ingested and surfaced in a dedicated inventory view, with key identifiers and attributes sourced from your connected data. They also appear in applicable analysis and metrics, including the Business Application Lens, which lets you filter any device metric by business application.
The Business Application inventory is intended to supersede the Application inventory, providing a more focused, less generic data model that gives you a consistent view of your business application landscape.
Track code as entities with the Code Asset inventory
We have introduced a new Code Asset inventory, enabling you to track code repositories and codebases as a distinct entity type within Panaseer.
Code repositories from supported scanning tools, such as Veracode, are ingested and surfaced in a dedicated inventory view. Where data is available, code assets are linked to related business applications and people.
This supports application security workflows, including Static Application Security Testing (SAST), by separating code assets from business applications and application service instances to allow for asset-appropriate analysis.
SAST coverage and performance monitoring
We have introduced Static Application Security Testing (SAST) in the Application Security cyber control domain (CCD), providing out-of-the-box metrics and dashboards for tracking code security findings from SAST scanning tools.
Example SAST metrics
SAST detections and findings from connected scanning tools are ingested, linked to the relevant assets in the new Code Asset inventory, checked against predefined SLAs, and surfaced in metrics, making it straightforward to report on SAST coverage and performance.
These new SAST metrics are the first step in refocusing the Application Security CCD: the existing metrics and analytics are retained, while the new structure paves the way for analytics covering additional scan types such as DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis), and more.
The new SAST metrics require the Code Asset inventory. Refer to Track code as entities with the Code Asset inventory for more information.
Feature enhancements
Improved application vulnerability reporting
We have added a new metric, Applications with Vulnerability Detections, to the Application Security Analytics Pack (an equivalent metric also exists in the new SAST Analytics Pack). This metric is based on the total count of application vulnerability detections across all statuses, including Open, Accepted, Past Due, and Closed.
An example vulnerability metric
This new metric complements the existing Applications with Open Vulnerability Detections metric, which is based only on Open detections. You can now see your full application vulnerability exposure in one place, making it easier to track detections that are under review, accepted as risk, or past their remediation deadline.
Improved Compound Risk coverage
We added a new compound risk measure, Applications hosted on devices with vulnerabilities whose owner has received a phishing test, to the platform.
An example compound risk metric
This measure counts the number of distinct applications hosted on devices that have known vulnerabilities, where the device owner has also received a phishing test. It surfaces the intersection of three risk signals in a single count: application exposure, device vulnerability, and user susceptibility. You can filter by application criticality, device type, vendor, or business unit to focus on the most exposed assets.
Previously, the equivalent compound risk signal was only available from a device perspective. This measure provides the same visibility from an application perspective, making it easier to identify which of your business applications face the highest combined exposure and to prioritize remediation accordingly.
This measure requires the Vulnerability Management CCD, Application Security CCD, Device inventory, and phishing event data.
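Both the Applications with Vulnerability Detections metric (all statuses versus Open only) and the application-perspective compound risk measure above are set intersections over the inventories. The following Python/SQLite example is added here to make that concrete; it is not Panaseer code, and the table names, column names and sample rows are assumptions constructed for the example. It also includes an assumed device-perspective variant of the compound measure so that the difference between the two perspectives is visible on the same data.

```python
import sqlite3

# Constructed, minimal relational model of the inventories these measures join.
# Table and column names are assumptions for this example, not Panaseer's data model.
SCHEMA = """
CREATE TABLE application    (app_id TEXT PRIMARY KEY, name TEXT, criticality TEXT);
CREATE TABLE device         (device_id TEXT PRIMARY KEY, hostname TEXT, owner_id TEXT);
CREATE TABLE app_hosting    (app_id TEXT, device_id TEXT);             -- which device hosts which app
CREATE TABLE device_vuln    (device_id TEXT, finding TEXT);            -- known device vulnerabilities
CREATE TABLE phishing_event (person_id TEXT, sent_on TEXT);            -- phishing tests received
CREATE TABLE app_detection  (app_id TEXT, finding TEXT, status TEXT);  -- application vulnerability detections
"""

# Constructed sample rows (not real assets, people or findings).
SAMPLE_ROWS = {
    "application": [("A1", "CRM", "High"), ("A2", "Wiki", "Low"),
                    ("A3", "Payroll", "High"), ("A4", "Intranet", "Medium")],
    "device": [("D1", "web01", "P1"), ("D2", "wiki01", "P2"), ("D3", "pay01", "P3")],
    # A1 is hosted on two devices; DISTINCT must stop it being counted twice.
    "app_hosting": [("A1", "D1"), ("A1", "D3"), ("A2", "D2"), ("A3", "D3"), ("A4", "D1")],
    "device_vuln": [("D1", "VULN-1"), ("D3", "VULN-2")],             # D2 has no known vulnerability
    "phishing_event": [("P1", "2024-01-10"), ("P2", "2024-02-03")],  # P3 never received a test
    "app_detection": [("A1", "F1", "Open"), ("A1", "F2", "Closed"),
                      ("A2", "F3", "Accepted"), ("A3", "F4", "Past Due")],
}


def build_db():
    """Create an in-memory database populated with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return con


def apps_with_detections(con, statuses=None):
    """Count distinct applications with at least one vulnerability detection.

    statuses=None counts detections of every status (the new metric);
    statuses=("Open",) reproduces the Open-only metric.
    """
    sql = "SELECT COUNT(DISTINCT app_id) FROM app_detection"
    params = ()
    if statuses:
        sql += " WHERE status IN (" + ",".join("?" * len(statuses)) + ")"
        params = tuple(statuses)
    return con.execute(sql, params).fetchone()[0]


def compound_risk_apps(con, criticality=None):
    """Application perspective: distinct applications hosted on a device that has a
    known vulnerability AND whose owner has received a phishing test.
    A device counts as vulnerable if it has any device_vuln row (assumption)."""
    sql = """
        SELECT DISTINCT a.app_id
        FROM application a
        JOIN app_hosting h ON h.app_id = a.app_id
        JOIN device d ON d.device_id = h.device_id
        WHERE EXISTS (SELECT 1 FROM device_vuln v WHERE v.device_id = d.device_id)
          AND EXISTS (SELECT 1 FROM phishing_event p WHERE p.person_id = d.owner_id)
    """
    params = []
    if criticality is not None:          # optional filter, as the measure allows
        sql += " AND a.criticality = ?"
        params.append(criticality)
    sql += " ORDER BY a.app_id"
    return [row[0] for row in con.execute(sql, params)]


def compound_risk_devices(con):
    """Assumed device-perspective equivalent: devices with a known vulnerability
    whose owner has received a phishing test. One such device can host several
    applications, which is why the two perspectives give different counts."""
    sql = """
        SELECT d.device_id
        FROM device d
        WHERE EXISTS (SELECT 1 FROM device_vuln v WHERE v.device_id = d.device_id)
          AND EXISTS (SELECT 1 FROM phishing_event p WHERE p.person_id = d.owner_id)
        ORDER BY d.device_id
    """
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    print("apps with any detection:", apps_with_detections(db))
    print("apps with open detections:", apps_with_detections(db, ("Open",)))
    print("compound risk (apps):", compound_risk_apps(db))
    print("compound risk (High apps):", compound_risk_apps(db, criticality="High"))
    print("compound risk (devices):", compound_risk_devices(db))
```

On the sample data, device D1 is the only device that is both vulnerable and owned by a phished user, so the device perspective reports one device while the application perspective reports the two applications it hosts (A1 and A4); A1 is also hosted on D3, whose owner has not been tested, and the DISTINCT keeps it from being counted twice. The Past Due and Accepted detections on A2 and A3 are invisible to the Open-only metric but counted by the all-statuses metric.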