Find, prioritize, and manage source€¦ · 2017-02-07 · Easy static source code security and...
Transcript of Find, prioritize, and manage source€¦ · 2017-02-07 · Easy static source code security and...
Easy static source code security and quality analysis, from
Find, prioritize, and manage source code flaws and vulnerabilities, quickly and affordably
KEY BENEFITSWe do the hard work for youn Automaticallyinstalls,configures,andrunsavarietyofopensourcetools
n Supportsmanyprogramminglanguages,andchoosestherighttoolforeachlanguage
n Combinesdiversetoolresultsintoasingle,coherentreport
n Determinesvulnerabilitystatusofthethird-partylibrariesthatyouuse
Analysis tools help you focusn Identifiesthemost-criticalvulnerabilitiesbasedonindustrystandards
n Visualanalyticshelpyourapidlytriageandprioritizesoftwareflawsandvulnerabilities
n De-duplicatesresults,soyoudon’twastetimeanalyzingthingstwice
Increases efficiency of your remediationn Takesyoudirectlytospecificlinesofcodewherevulnerabilitiesexist,andidentifiesneighboringflawsandvulnerabilities
n Providesseamlessinterfacetoassignvulnerabilitiesforremediation
n Tracksremediationprogress
Enhances collaboration among your teamsn Securityanddevelopmentteamshaveasharedtooltocommunicatefindingsanddiscussremediation
Works within your development processn Developerscanviewandmanagevulner-abilitiesdirectlyfromwithintheirintegrateddevelopmentenvironments(IDEs)
n Fitsintocontinuousintegrationenvironments,givingyoucontinuoussecurityassessment
n Integrateswithversioncontrolsystemsand issuetrackingsystems
Easy to get startedn Fastandeasyinstallation—beupandrunning in10minutes
n Automaticallyinstalls,configures,andrunsbundledopensourceSASTtools
n Affordablypriced
Who finds Stat! useful?n Software Developersn Security Analystsn Software Testersn Quality Assurance Analysts
How do they use it?n Secure software developmentn Security & Quality Assurance reviewsn Verification & Accreditation supportn Code auditsn Pre-procurement software evaluations
Stat!,fromCodeDx,helpsyoufind,analyze,andprioritizeflawsandsecurityvul-nerabilitiesinthecodeyouwrite—inthemanylanguagesyouuse—quickly,easily,andinexpensively.Stat!installs,configures,andrunsagrowingportfolioofopensourcecode-qualityandstaticapplicationsecuritytesting(SAST)toolsagainstyourcode,andcombinestheirfindingsintoasingleunifiedreport.ItsVulnerabilityAnal-ysisandManagementconsoleguidesinspectionandassessmentofthoseflawsandvulnerabilities,whilecollaborationfeaturesanddevelopmenttoolintegrationshelpmanagetheirremediation.Makeyourcodehealthyandsecure,withStat!
THE PROBLEM Over90%ofcomputersecurityincidentsareduetoqualityflawsandsecurityvulnerabilitiesinyourownsoftware.Thesecanrenderyourbusinessvulnerabletoattacks—thingslikeSQLinjection,orcross-sitescripting—leadingtotheft,lossorcorruptionofdata(andreputation),andworse.SASTtoolscanhelpyoufindtheseflawsandvulnerabilitiesatthemostbasiclevel:inyoursourcecode.Butnosingletoolcoversallprogramminglanguagesorfindseveryissue.Youhavetorunmultipletools,thencorrelatetheresults.Commercialtoolsaretypicallycostly,andwhileopensourcetoolsare“free,”theystillrequireconsiderabletimeandef-forttoconfigureandrun.Correlationistedious,atbest,andit’snearlyimpossibletomanagemultipleanalysistoolswithouthelp.
THE SOLUTION Stat!installs,configures,andrunsasuiteofmulti-languageopensourceSASTtoolsagainstyourcode,andautomaticallycorrelatestheflawsandvulnerabilitiestheyfindintoasingleconsolidatedset.JustfeedyourcodeintoStat!anditidentifiesthelanguagesyouuse,selectsandrunstoolsforeachlanguage,correlatesthefindings,andgivesasinglereport.Itevendeterminesthevulnerabilitystatusofthird-partylibrariesyourcodeuses.WithitsinteractiveVulnerabilityAnalysisandManagementconsole,Stat!letsthosemanytoolsworktogetherasasingle,unifiedcodeanalysisandvulnerabilitymanagementplatform.
FACT SHEET
FEATURE DETAILSOperating system supportWindows(7,8,10&Server2012R2+)MacOSX10.8+Linux(Ubuntu,Fedora,Debian, RHEL,andCentOS)
Language supportC/C++ C#,VB.NETJava Javascript JSP PHPPython RubyScala
IDE supportMSVisualStudioEclipse
Issue tracking supportJIRA
Continuous integration supportJenkins RESTAPI
Version control system supportGit
Third-party software library checkersOWASPDependency-CheckRetire.js
Free & open source SAST tool supportBrakeman CAT.NETPHPMD PHP_CodeSnifferCheckStyle CppCheckFindBugs FxCopGendarme JSHintPMD PylintScalaStyle
Get your application security program started, STAT! Stat!givesyouthepowertostartwritingsecureapplicationsquickly,efficiently,andinexpensively.Launchtheinstaller,andwithintenminutesyou’llbereadytostartanalyzingyourcode.ThenjustloadallofyoursourcecodeintoStat!anditwillfigureoutwhatprogramminglanguagesyouuse,automaticallyselectandruntheappropriatetoolsforfindingflawsandvulnerabilitiesinthoselanguages,reviewyourthird-partylibrariesforknownvulnerabilitystate,thencorrelateandcombinethosevariedresultsintoasingle,unifiedreportonthesecurityandqualityofyourcode.
Theincludedanalysistoolswillhelpyouquicklyprioritizethereportedproblems,anditsintegrationwithsoftwaredevelopmentlifecycle(SDLC)toolsletsyouas-signthemforremediationandcollaboratewiththedeveloperswhoaremakingthefixes.Stat!canevenbecomepartofyourcontinuousintegrationprocess.
SpecificationsCode Dx Stat! canbeinstalledlocallyonadeveloper’sworkstation,oronaserverforgroupcollaboration.TogiveyouthegreatestflexibilityStat!runsonWindows,Linux,andMacOS,andsupportsallmodernbrowsers.
About Code Dx, Inc.CodeDxiscommittedtomakingsecuritypartofthesoftwaredevelopmentprocess,regardlessoforganizationsize.OurfamilyofproductsgrewfromresearchfundedbytheDepartmentofHomelandSecurityScience&Technology(DHSS&T)Directorate,anorganizationdedicatedtosecuringthenation’ssoftwaresupplychain.
CodeDxisproudtobeapartoftheDHSS&TSoftwareAssuranceMarketplace(SWAMP),acollaborativemarketplaceforcontinuoussoftwareassurance.
LEARN MORELearnmoreaboutStat!,downloadanevaluation,orpurchasetheproductbyvisit-ingourwebsite.Exploreotherproducts,includingCode Dx Enterprise — acompre-hensiveplatformforapplicationvulnerabil-itycorrelationandmanagement.Enterprise supportscommercialandopensourcetools,bothSAST(withallthefeaturesofStat!)anddynamic(DAST)tools,compliancestandardmapping,andmuchmore.
6BayviewAvenue,Northport,NY11768-1502www.codedx.com•631.759.3933•[email protected]
KEY FEATURES n Covers multiple programming languages, with over 1,500 configurable security
and quality rulesn Automatically installs, configures, and runs many static code analysis toolsn Checks third-party software component libraries for known vulnerabilitiesn Maps results to the Common Weakness Enumeration (CWE) and industry stan-
dards, including OWASP Top 10 and SANS Top 25 n Combines and normalizes output of multiple SAST tools and third-party vulner-
ability scanners into a single set of results using common nomenclature and a common severity scale
n Merges duplicate results with customizable correlation logicn Aids triage and prioritization of findings with visual analysisn Filters findings for high-level views with detailed drill-down; organizes findingsn Links correlated flaws and vulnerabilities to specific lines of source coden Manages remediation with tools to assign, track, and collaborate on fixes; inte-
grates with the popular JIRA issue tracker to automatically create tickets n Integrates with popular development tools (Eclipse/Visual Studio) to put find-
ings into the hands of developers who can fix them n Integrates with the Git version control system for easy access to your code,
and its historyn Embeds in the Jenkins continuous integration environment to build security
into your process; enables integration to other build servers with its REST APIn Generates CSV, XML, and PDF assessment reports