Posted on 01-Jun-2020

Find, prioritize, and visualize software vulnerabilities, fast and affordably

KEY BENEFITS

Enhanced Vulnerability Coverage
- Discovery of more weaknesses than any single analysis tool
- Higher confidence in detecting weaknesses with multiple tools

Efficient and Prioritized Remediation
- Rapid triage of false positives
- Improved assessment of severity and criticality
- Source code linked to vulnerabilities

Enhanced Collaboration
- Security and development teams now have a shared tool to communicate findings and discuss remediation

SDLC Tool Support
- Support for integrated development environments (IDEs), continuous integration environments, and version control systems

Visualization and Interaction
- More understandable data format
- Focus on the most important weaknesses determined by the user

Easy to Get Started
- Fast and easy installation – up and running in 10 minutes
- Automatically runs bundled open source SAST tools
- Affordably priced for small-to-medium sized businesses

Who uses Code Dx?
- Software Developers
- Security Analysts
- Software Testers
- Quality Assurance Analysts
- Compliance Auditors
- Accreditors
- CISOs

Uses
- Secure software development
- Security & Quality Assurance reviews
- Verification & Accreditation support
- Expedited compliance reviews
- Code audits
- Pre-procurement software evaluations

Code Dx is a software vulnerability management system that brings together a variety of code analysis tools that enable you to locate and fix potential vulnerabilities in the code you write, in the languages you use, and at a low cost.

THE PROBLEM

Over 90% of computer security incidents are due to weaknesses in software. These weaknesses can expose vulnerabilities that put your business at risk for attacks such as SQL injection and cross-site scripting, leading to data loss, corruption, or even a host takeover. Static code analysis tools can help you find these weaknesses. However, commercial tools are typically costly, and while open source tools are “free,” they still require considerable human resources to configure and run. Regardless of whether you are running a commercial or open source code analysis tool, no single tool provides sufficient code coverage. You have to run multiple tools, and tediously correlate the results.

THE SOLUTION

Code Dx runs a suite of preconfigured, fully integrated, multi-language, open source static code analysis tools against your code base. It can also incorporate the results of commercial tools and manual analysis, and automatically correlate all the weaknesses into a single consolidated set, viewable from a single user interface—with reports presented in an easy to understand visual display.

FACT SHEET

FEATURE COMPARISON                                    SE    EE

Operating system support
  Windows (7, 8, and Server 2008+)                    ✓     ✓
  Mac OS X 10.8+                                      ✓     ✓
  Linux (Ubuntu, Fedora, Debian, RHEL, and CentOS)    ✓     ✓

Language support
  C/C++                                               ✓     ✓
  Java                                                ✓     ✓
  JavaScript                                          ✓     ✓
  JSP                                                 ✓     ✓
  .NET (C#, Visual Basic)                             ✓     ✓
  Python                                              ✓     ✓
  Ruby                                                ✓     ✓

Free & open source SAST tool support
  Brakeman                                            ✓     ✓
  CAT.NET                                             ✓     ✓
  CheckStyle                                          ✓     ✓
  Clang                                                     ✓
  CppCheck                                            ✓     ✓
  ErrorProne                                                ✓
  FindBugs                                            ✓     ✓
  FxCop                                               ✓     ✓
  Gendarme                                            ✓     ✓
  Jlint                                                     ✓
  JSHint                                              ✓     ✓
  OCLint                                                    ✓
  PMD                                                 ✓     ✓
  Pylint                                              ✓     ✓

3rd party software library checkers
  OWASP Dependency-Check                              ✓     ✓
  Retire.js                                           ✓     ✓

Commercial tool support
  Armorize CodeSecure                                       ✓
  Checkmarx                                                 ✓
  Coverity                                                  ✓
  GrammaTech CodeSonar                                      ✓
  HP Fortify                                                ✓
  IBM AppScan                                               ✓
  Parasoft                                                  ✓
  Veracode                                                  ✓

IDE support
  MS Visual Studio                                    ✓     ✓
  Eclipse                                             ✓     ✓

Continuous integration support
  Jenkins                                             ✓     ✓
  REST API                                            ✓     ✓

Version control system support
  Git                                                 ✓     ✓

6 Bayview Avenue, Northport, NY 11768 • codedx.com • (631) 759-3993 • info@codedx.com

Code Dx Standard Edition (SE)

The Standard Edition gives you the power to start writing secure applications quickly, efficiently, and inexpensively. Just load your source code into Code Dx and it will automatically select the appropriate tools for finding weaknesses.

Code Dx Enterprise Edition (EE)

The Enterprise Edition provides all of the powerful features of the Standard Edition – and it expands your coverage by working seamlessly with commercial testing tools. At the same time, it allows for findings to be added manually. The correlation and normalization of results from multiple tools produce a consolidated set of results, with greater coverage of potential vulnerabilities and a better assessment of your overall software security risk.

KEY FEATURES
- Automatically configures and runs many bundled static source code analysis tools
- Checks 3rd party software component libraries for known vulnerabilities
- Contains over 1,500 configurable security/quality rules covering multiple programming languages
- Combines and normalizes output of multiple tools into a single consolidated set of results on a common severity scale
- Browser-based user interface used to assign, collaborate, and track weakness remediation
- Maps results to the Common Weakness Enumeration (CWE)
- Links correlated weaknesses to source code
- Visual analytics for triage and prioritization of software weaknesses
- Robust data filtering supports detailed drill-down and organization of weaknesses
- Generates CSV, XML and PDF assessment reports
- REST API enables integration with automated build servers
- Plug-ins provide support for popular Integrated Development Environments
- Integrates the results from multiple commercial static source code analysis tools (EE only)
- Enables manual entry of independently identified weaknesses (EE only)
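The feature list above describes three steps that any multi-tool SAST workflow has to perform: normalize each tool's severity vocabulary to one common scale, map each tool's rule ids to CWE, and correlate duplicate findings that different tools report at the same location so that corroborated weaknesses rank first at triage. The following is an added illustration of those steps, written for this page; it is not Code Dx's implementation and does not use any real tool's output format. The tool names (tool_a, tool_b), rule ids, severity vocabularies, CWE mapping and sample findings are all constructed.

```python
"""Added example (not Code Dx code): normalize findings from several SAST
tools to one severity scale, map rule ids to CWE, and correlate duplicates
that different tools report at the same location.

Everything below is constructed: the tool names, rule ids, severity
vocabularies and sample findings are invented for illustration and are not
copied from any real tool's output.
"""

from dataclasses import dataclass, field
from typing import Optional

# Hypothetical per-tool severity vocabularies mapped to a common 1-5 scale
# (5 = most severe). Each real tool uses its own scale; this table is the
# normalization step.
SEVERITY_SCALE = {
    "tool_a": {"high": 5, "medium": 3, "low": 1},
    # tool_b reports a numeric priority where 1 is the most urgent.
    "tool_b": {1: 5, 2: 4, 3: 3, 4: 2, 5: 1},
}

# Hypothetical mapping from each tool's rule id to a CWE id (constructed).
RULE_TO_CWE = {
    ("tool_a", "sql-string-concat"): 89,
    ("tool_b", "SQL_INJECTION"): 89,
    ("tool_a", "weak-hash-md5"): 328,
    ("tool_b", "XSS_SERVLET_OUTPUT"): 79,
}


@dataclass
class Finding:
    file: str
    line: int
    cwe: int
    severity: int                  # common 1-5 scale
    tools: set = field(default_factory=set)
    rule_ids: set = field(default_factory=set)

    @property
    def corroborated(self) -> bool:
        """True when more than one tool flagged the same location and CWE."""
        return len(self.tools) > 1


def normalize(tool: str, raw: dict) -> Optional[Finding]:
    """Convert one raw record from `tool` into the common form.

    Returns None when the rule has no CWE mapping, so unmapped quality
    findings do not pollute the security result set.
    """
    cwe = RULE_TO_CWE.get((tool, raw["rule"]))
    if cwe is None:
        return None
    severity = SEVERITY_SCALE[tool][raw["severity"]]
    return Finding(raw["file"], int(raw["line"]), cwe, severity,
                   tools={tool}, rule_ids={raw["rule"]})


def correlate(raw_findings):
    """Merge (tool, raw_record) pairs on the key (file, line, CWE).

    When two tools hit the same key, keep the higher normalized severity and
    record both tools, so the triage view can rank corroborated findings
    first. Returns the ranked list and the count of unmapped records.
    """
    merged = {}
    unmapped = 0
    for tool, raw in raw_findings:
        finding = normalize(tool, raw)
        if finding is None:
            unmapped += 1
            continue
        key = (finding.file, finding.line, finding.cwe)
        existing = merged.get(key)
        if existing is None:
            merged[key] = finding
        else:
            existing.severity = max(existing.severity, finding.severity)
            existing.tools |= finding.tools
            existing.rule_ids |= finding.rule_ids
    # Rank: severity first, then number of agreeing tools, then location.
    ranked = sorted(merged.values(),
                    key=lambda f: (-f.severity, -len(f.tools), f.file, f.line))
    return ranked, unmapped


# Constructed sample input: what two tools might report for one code base.
SAMPLE_FINDINGS = [
    ("tool_a", {"file": "app/db.py", "line": 42, "rule": "sql-string-concat", "severity": "medium"}),
    ("tool_b", {"file": "app/db.py", "line": "42", "rule": "SQL_INJECTION", "severity": 1}),
    ("tool_a", {"file": "app/auth.py", "line": 10, "rule": "weak-hash-md5", "severity": "low"}),
    ("tool_b", {"file": "web/View.java", "line": 88, "rule": "XSS_SERVLET_OUTPUT", "severity": 2}),
    ("tool_a", {"file": "app/util.py", "line": 5, "rule": "unused-import", "severity": "low"}),
]


if __name__ == "__main__":
    ranked, unmapped = correlate(SAMPLE_FINDINGS)
    for f in ranked:
        tag = "corroborated" if f.corroborated else "single-tool"
        print(f"sev={f.severity} CWE-{f.cwe} {f.file}:{f.line} [{tag}] {sorted(f.tools)}")
    print(f"{unmapped} finding(s) skipped: no CWE mapping")
```

On the constructed input, the two reports at app/db.py:42 collapse into one CWE-89 finding carrying both tools and the higher severity, which puts it at the top of the triage list ahead of the single-tool XSS and weak-hash findings; the style rule with no CWE mapping is counted but kept out of the security results. Real deployments need one severity table and one rule-to-CWE table per tool, and a looser location match (for example a line window) when tools disagree on where a sink is.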

Specifications

Code Dx is a browser-based application that you install locally. The application runs on Windows, Linux and Mac platforms, and all modern browsers are supported.

About Code Dx

Code Dx grew out of research funded by the Department of Homeland Security Science & Technology Directorate. DHS is committed to improving the security of the nation’s information infrastructure.

Code Dx is proud to be a component of the DHS S&T Software Assurance Marketplace (SWAMP), a collaborative marketplace for continuous software assurance.