Code Dx Datasheet (APPSEC 20131108) · 2017-07-25



Page 1:

A software assurance analytics tool that visualizes and correlates vulnerabilities detected by disparate code analysis tools. With Code Dx you can rapidly triage and focus on the software vulnerabilities that are most important to your organization.

More than 90% of computer security incidents can be traced back to weaknesses in software that were inadvertently put there when the code was developed. Attackers can find and exploit such weaknesses in your applications. Before you release another application, you need to assess whether its code weaknesses can jeopardize your business. Static application security testing (SAST) tools find many of those exploitable weaknesses before release, so they don't ship as vulnerabilities, and Code Dx makes those tools more effective.

“[Code Dx] has a unique and helpful view of the analysis of the tool output. I like the information provided at the top that allows me to select which tool to use, codebase location, CWE findings, severity, overlapping location count, and status of all of the weaknesses. The Weakness Flow diagram shows a helpful view of where the weaknesses came from, which tool was able to detect them, and the severity of the weakness.”

“...provides a nice way to document progress on a report. Each weakness has an activity stream, where comments and status changes can be saved.”

Code Dx Standard Edition

Commercial SAST tools are costly; open source tools, while “free”, can be complex and hard to use, and even harder to integrate into a single security picture. If you don’t have the budget for commercial tools or the time to invest in open source, then Code Dx Standard Edition is for you: a pre-configured collection of open source SAST tools that run fully integrated within Code Dx, presenting a single unified picture of your software’s weaknesses.

Challenge / Code Dx Solution

Challenge: Incomplete coverage. On average, a single SAST tool finds fewer than 15% of weaknesses in an application; you need several tools to find more high-severity vulnerabilities, just like the attackers do.
Code Dx solution: Broader coverage of weaknesses, correlating results of multiple SAST tools into a single set. See more vulnerabilities, and quickly find the most important ones.

Challenge: Difficult to compare. Each tool produces results with a unique format and severity scale; it’s hard to compare results from multiple tools.
Code Dx solution: Consolidated and normalized result set removes overlaps, and puts them on a common severity scale. Visualize, analyze and filter the combined set from a single

Challenge: Too many vulnerabilities. Today’s tools report tens of thousands of weaknesses, with many false positives; analysts and developers are overwhelmed with the task of prioritization.
Code Dx solution: Prioritization and focus speeds triage of voluminous results, assignment of highest priority ones for remediation, and helps identify and disseminate false positives so they don’t re-appear.

Challenge: Barriers to collaboration. Analysts send reports of static analyses to developers without the code context, details, and prioritization that those developers need for effective remediation.
Code Dx solution: Shared interface with custom details needed by different types of users; developers view code in context of its hierarchy and dependencies; security analysts view categories, trends, and priorities.

Challenge: Difficult to communicate. SAST tool results are technical and complex; their meaning and relevance are difficult to abstract for use by your CISO or CIO to make decisions.
Code Dx solution: Relevant reports include advanced reporting features and visualizations. Our 2014 release will map the static tool results to regulatory compliance and industry standards.

Quickly and effectively triage large weakness lists · Visualize thousands of weaknesses in a single view · Interactive, powerful filtering · Workflows tailored to each type of user

6 Bayview Avenue, Northport, NY 11768
[email protected] · (631) 759-3993
Secure Decisions performs cyber security research and develops software products for government and commercial customers
CODEDX.COM

Page 2:


Uses: Code Audits · Verification / Accreditation · Compliance · Software Development · Quality Assurance

Code Dx can help answer:

- Which weaknesses are noise, and which are most important?
- What weakness categories are most common, or most severe?
- What weaknesses have been found by multiple tools, thus indicating higher confidence?
- Where in the source code were the weaknesses found?
- Which weaknesses are new since the last analysis?
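The questions above (and the "common severity scale", "removes overlaps" and "found by multiple tools" points on page 1) describe a correlation step that is easy to misjudge as simple. The following is an added illustrative example, written for this page; it is not Code Dx's own code, data format or matching algorithm, none of which the datasheet specifies. The two tool outputs, the tool names "tool_a" and "tool_b", their severity scales and the mapping onto a common 0..10 scale are all constructed assumptions. It shows how findings from two tools with different severity vocabularies can be normalized, merged on (file, line, CWE), ranked by severity and cross-tool agreement, suppressed when marked as false positives, and diffed against a previous run.

```python
"""Correlate findings from several SAST tools into one normalized, de-duplicated set.

Added illustrative example. NOT Code Dx's own code or format; the tools, their
severity scales, the 0..10 mapping and all findings below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample output from a hypothetical "tool_a" (severity as words).
TOOL_A = [
    {"file": "src/db/UserDao.java", "line": 88, "cwe": 89,  "severity": "High",   "msg": "SQL built by string concatenation"},
    {"file": "src/web/Search.java",  "line": 41, "cwe": 79,  "severity": "Medium", "msg": "Unescaped output to HTML"},
    {"file": "src/util/Hash.java",   "line": 12, "cwe": 327, "severity": "Low",    "msg": "MD5 used for passwords"},
]
# Constructed sample output from a hypothetical "tool_b" (severity 1..5, 5 worst).
TOOL_B = [
    {"file": "src/db/UserDao.java", "line": 88, "cwe": 89,  "severity": 5, "msg": "Injection sink reached by request data"},
    {"file": "src/web/Login.java",  "line": 73, "cwe": 798, "severity": 4, "msg": "Hard-coded credential"},
    {"file": "src/util/Hash.java",  "line": 12, "cwe": 327, "severity": 2, "msg": "Weak hash algorithm"},
]

# Per-tool mapping onto one common 0..10 scale. The mapping is an assumption;
# a real deployment would tune it per tool and per organization.
NORMALIZE = {
    "tool_a": lambda s: {"Critical": 10, "High": 8, "Medium": 5, "Low": 2, "Info": 0}[s],
    "tool_b": lambda s: s * 2,
}


@dataclass
class Finding:
    file: str
    line: int
    cwe: int
    severity: int                       # highest normalized severity any tool assigned
    tools: list = field(default_factory=list)
    messages: list = field(default_factory=list)

    @property
    def key(self):
        # Overlap key: same file, same line, same CWE counts as the same weakness.
        return (self.file, self.line, self.cwe)

    @property
    def confidence(self):
        # More independent tools agreeing on the same weakness -> higher confidence.
        return len(self.tools)


def correlate(results: dict, suppressed=frozenset()) -> list:
    """Merge per-tool result lists into one ranked list of unique findings.

    results:    {tool_name: [raw finding dicts]}
    suppressed: keys already triaged as false positives; they are dropped so they
                do not re-appear in later runs.
    """
    merged = {}
    for tool, findings in results.items():
        norm = NORMALIZE[tool]
        for f in findings:
            key = (f["file"], f["line"], f["cwe"])
            if key in suppressed:
                continue
            sev = norm(f["severity"])
            if key not in merged:
                merged[key] = Finding(f["file"], f["line"], f["cwe"], sev)
            m = merged[key]
            m.severity = max(m.severity, sev)          # keep the worst-case rating
            if tool not in m.tools:
                m.tools.append(tool)
            m.messages.append(f"{tool}: {f['msg']}")
    # Triage order: highest severity first, then most tools in agreement.
    return sorted(merged.values(), key=lambda m: (m.severity, m.confidence), reverse=True)


def new_since(previous: list, current: list) -> list:
    """Findings in the current run whose key was absent from the previous run."""
    seen = {f.key for f in previous}
    return [f for f in current if f.key not in seen]


def category_counts(findings: list) -> dict:
    """How common each CWE is across the merged set (for the 'most common' question)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.cwe] += 1
    return dict(counts)


if __name__ == "__main__":
    merged = correlate({"tool_a": TOOL_A, "tool_b": TOOL_B})
    for f in merged:
        print(f"sev={f.severity:2d} conf={f.confidence} CWE-{f.cwe} {f.file}:{f.line} {f.tools}")
    baseline = correlate({"tool_a": TOOL_A})          # pretend last run had only tool_a
    print("new:", [f.key for f in new_since(baseline, merged)])
```

Two caveats a practitioner would raise. First, keying on the exact line number is the simplest overlap rule and it is brittle: an unrelated edit above a finding shifts its line and the next run reports it as "new", so production correlators typically match on a more stable anchor (enclosing function, a hash of the surrounding statement, or the tool's own location identifier) and only fall back to line numbers. Second, "found by multiple tools" raises confidence only when the tools use genuinely different analyses; two tools sharing the same rule set will agree on the same false positives, so agreement should be weighted per tool pair rather than counted.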

Key Benefits

Find More Important Vulnerabilities
- More weaknesses detected than from the use of a single tool
- Higher confidence in detections of weaknesses

Prioritized and Focused Remediation
- Rapid triage of false positives
- Improved assessment of severity and criticality
- Removal of overlapping results

Visualization and Interaction
- More understandable format for data
- Focus on most-important weaknesses

Collaboration
- Security and development teams have a shared tool to communicate findings and discuss remediation

Easy to Get Started
- Automatically runs open source SAST tools; priced for small to medium-sized businesses

Key Features
- Correlates and integrates the results from disparate software analysis tools
- “Big Picture” overview of all identified vulnerabilities spotlights critical areas and supports detail drill-down
- Interactive visual data filtering
- Provides code context for effective triage and remediation
- Links source code to suspected vulnerabilities

Users: Application Security Auditors · Application Security Analysts · Software Developers · Quality Assurance Analysts · Accreditors · Compliance Officers · Software Managers · Configuration Managers

Development and QA teams can quickly identify the most important weaknesses before code is shipped.

Auditors, accreditors, and compliance officers can more efficiently and effectively comply with regulations by identifying software that has vulnerabilities.

Software managers and CISOs can see individual or team status in code security and quality.

About Code Dx

Code Dx is being developed under DHS Phase II SBIR contract D11PC20010; SBIR Data Rights apply (DFARS 252.227-7018, June 1995).

Code Dx is integrated with the Software Assurance Marketplace (SWAMP), a collaborative marketplace for continuous software assurance, sponsored by DHS S&T and led by the Morgridge Institute for Research.

Specifications

Code Dx is a browser-based application that you install locally. The server runs on both Windows and Linux, and all modern browser clients are supported.

“Poorly written software is at the root of all of our security problems.”– Department of Homeland Security

“No tool stands out as an über-tool. Each has its strengths and weaknesses.”

– Technical Director, Center for Assured Software, NSA

Code Dx Enterprise Edition

Even if you can afford a commercial SAST tool, they are not the only answer. As good as they may be, no one tool is a silver bullet: you need to supplement those findings with other tools, whether commercial or open source, to increase coverage and confidence. For you, Code Dx Enterprise Edition is the answer: it takes in the results from your commercial tools, consolidates them with those of any open source tools you may add to the mix for better coverage, and normalizes it all to give you a single unified security picture, with the same Code Dx visual analytics interface. We even include the integrated open source SAST tools from the Standard Edition. Call us to learn more.