Version: 1.2.1

General Information

The "TRON.ASOC" platform provides comprehensive control over the information security of developed projects, ensuring reliable protection at all stages of development:

  • Integrates with external security scanners such as the static code analysis tool PT Application Inspector and container security analyzer Kaspersky Container Security.
  • Integrates with the static application code analyzer Solar AppScreener (for both source and binary code) to detect vulnerabilities, including zero-day vulnerabilities.
  • Interacts with software composition analysis solutions CodeScoring and OWASP Dependency Track.
  • Integrates with the JFrog platform designed for managing and deploying software packages.
  • Can receive and analyze reports and process results from the following tools:
    • Trivy - open-source vulnerability scanner designed for containerized environments,
    • Grype - efficient scanner for containers, Docker images, and file systems to detect vulnerabilities,
    • KICS (Keeping Infrastructure as Code Secure) - open-source tool from Checkmarx designed for analyzing Infrastructure as Code (IaC) security,
    • Semgrep - static application security scanner,
    • Aqua - solution providing comprehensive native container protection.
  • Allows manual addition of vulnerabilities (Manual) for building comprehensive metrics.
  • Provides the ability to manage source code and container image scans for known vulnerabilities, configuration errors, secrets, and work with the results of these scans in a unified interface. Integration with tools allows configuring scans, launching checks, consolidating, analyzing, and processing results, as well as monitoring the security status of developed products.
  • Helps group, investigate, and remediate vulnerabilities from various sources, thereby ensuring a secure development process.
  • Simplifies working with found issues and vulnerabilities by analyzing and grouping them for more effective security management.
  • Allows assessing the impact of vulnerabilities, changing their statuses, prioritizing for subsequent steps, and managing exceptions. Thus, the product enables managing software vulnerabilities and application protection at all stages of development.
  • Allows leaving comments on vulnerabilities and viewing comments from other users.
  • Enables creating and configuring software quality gates for each security pipeline, providing a way to organize quality criteria for each scan. Based on quality control criteria, the system determines whether the security check pipeline completed successfully and allows deciding if the product can move to the next development or release stage based on set quality criteria.
  • Provides the ability to make exceptions for results obtained from scanners in ASOC, preventing already processed and accepted security issues from being highlighted. The duration and scope of exception rules can be configured.
  • Serves as a single source of vulnerability data from tools with different types of checks (SAST, Container Security, OSA/SCA, DAST) and thus can become a unified software quality control tool.
  • Offers the use of dashboards, reports, and metrics within the product, which provide flexible reporting forms and analytical data for assessing the current security status of projects, forecasting risks, and making decisions. Through data visualization, the platform provides users with clear information about the security status of their projects.
  • Embeds security and risk management into continuous development processes without requiring external CI pipelines for operation.
  • Offers a convenient user interface accessible in modern Chromium-based browsers (Google Chrome, Yandex Browser, Edge, Safari, etc.) and Firefox.
  • Supports creating a flexible role model, allowing configuration of different access levels and permissions for users, contributing to more efficient and secure project management.
  • Supports integration with LDAP and AD.
  • Provides capabilities for managing scans, including configuring scan parameters, scheduling runs, and monitoring scan execution.
  • Allows exporting scan results reports in various formats, ensuring convenient integration with other systems and data analysis tools.
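The quality-gate and exception-rule bullets above describe a decision: consolidated findings from several scanners are filtered through accepted-risk exceptions (each with a scope and a validity period), the remainder is counted per severity, and the pipeline passes only if every limit holds. The following is an added example of that logic in Python; it is not TRON.ASOC's own code or API. The class names, rule fields (`scope`, `expires`), the gate format and every sample finding and identifier are constructed for illustration and are not real advisories.

```python
from dataclasses import dataclass
from datetime import date


SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    """One consolidated finding; 'tool' names the scanner that reported it."""
    tool: str
    target: str      # container image or source path
    rule_id: str     # scanner rule or vulnerability identifier (placeholders below)
    severity: str    # one of SEVERITY_ORDER


@dataclass(frozen=True)
class ExceptionRule:
    """Accepted-risk rule: suppresses rule_id within a scope until it expires."""
    rule_id: str
    scope: str       # "project" (any target) or one specific target
    expires: date    # last day the rule is in force


def is_exempt(finding, rules, today):
    """True if an unexpired rule covers this finding's rule_id and target."""
    for rule in rules:
        if rule.rule_id != finding.rule_id:
            continue
        if today > rule.expires:
            continue                       # expired rules no longer suppress anything
        if rule.scope == "project" or rule.scope == finding.target:
            return True
    return False


def evaluate_gate(findings, rules, limits, today):
    """Apply exceptions, count what remains per severity, compare to limits.

    limits maps severity -> maximum allowed count, e.g. {"critical": 0, "high": 2}.
    Severities absent from limits are counted but never block the gate.
    """
    counts = {s: 0 for s in SEVERITY_ORDER}
    exempted = []
    for f in findings:
        if is_exempt(f, rules, today):
            exempted.append(f)
            continue
        counts[f.severity] += 1
    violations = [
        f"{sev}: {counts[sev]} > {limit}"
        for sev, limit in limits.items()
        if counts[sev] > limit
    ]
    return {
        "passed": not violations,
        "counts": counts,
        "exempted": [f.rule_id for f in exempted],
        "violations": violations,
    }


# Constructed sample data: identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("trivy",   "registry/app:1.0", "CVE-EXAMPLE-0001", "critical"),
    Finding("trivy",   "registry/app:1.0", "CVE-EXAMPLE-0002", "high"),
    Finding("grype",   "registry/app:1.0", "CVE-EXAMPLE-0003", "medium"),
    Finding("semgrep", "src/auth.py",      "EXAMPLE-RULE-1",   "high"),
    Finding("manual",  "src/api.py",       "MANUAL-0001",      "critical"),
]

SAMPLE_RULES = [
    # Accepted only for this image, in force until the end of 2025.
    ExceptionRule("CVE-EXAMPLE-0001", "registry/app:1.0", date(2025, 12, 31)),
    # Project-wide acceptance that has already lapsed by mid-2025.
    ExceptionRule("MANUAL-0001", "project", date(2025, 1, 31)),
]

GATE_LIMITS = {"critical": 0, "high": 2}


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_RULES, GATE_LIMITS, date(2025, 6, 1))
    print("passed" if result["passed"] else "FAILED", result["violations"])
```

Run against the sample data on 2025-06-01 the gate fails: the image-scoped exception still suppresses the first Trivy finding, but the project-wide acceptance of the manual finding has expired, so one critical remains against a limit of zero. Evaluating the same data on a date when both rules were in force passes, which is exactly why the validity period of an exception matters as much as its scope.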