FACT SHEET

Find, prioritize, and visualize software vulnerabilities, fast and affordably

KEY BENEFITS

Enhanced Vulnerability Coverage
- Discovery of more weaknesses than any single analysis tool
- Higher confidence in detecting weaknesses with multiple tools

Efficient and Prioritized Remediation
- Rapid triage of false positives
- Improved assessment of severity and criticality
- Source code linked to vulnerabilities

Enhanced Collaboration
- Security and development teams now have a shared tool to communicate findings and discuss remediation

SDLC Tool Support
- Support for integrated development environments (IDEs), continuous integration environments, and version control systems

Visualization and Interaction
- More understandable data format
- Focus on the most important weaknesses determined by the user

Easy to Get Started
- Fast and easy installation – up and running in 10 minutes
- Automatically runs bundled open source SAST tools
- Affordably priced for small- to medium-sized businesses

Who uses Code Dx?
- Software Developers
- Security Analysts
- Software Testers
- Quality Assurance Analysts
- Compliance Auditors
- Accreditors
- CISOs

Uses
- Secure software development
- Security & Quality Assurance reviews
- Verification & Accreditation support
- Expedited compliance reviews
- Code audits
- Pre-procurement software evaluations

Code Dx is a software vulnerability management system that brings together a variety of code analysis tools that enable you to locate and fix potential vulnerabilities in the code you write, in the languages you use, and at a low cost.

THE PROBLEM
Over 90% of computer security incidents are due to weaknesses in software. These weaknesses can expose vulnerabilities that put your business at risk for attacks such as SQL injection and cross-site scripting, leading to data loss, corruption, or even a host takeover. Static code analysis tools can help you find these weaknesses. However, commercial tools are typically costly, and while open source tools are “free,” they still require considerable human resources to configure and run. Regardless of whether you are running a commercial or open source code analysis tool, no single tool provides sufficient code coverage. You have to run multiple tools, and tediously correlate the results.

THE SOLUTION
Code Dx runs a suite of preconfigured, fully integrated, multi-language, open source static code analysis tools against your code base. It can also incorporate the results of commercial tools and manual analysis, and automatically correlate all the weaknesses into a single consolidated set, viewable from a single user interface—with reports presented in an easy to understand visual display.


FEATURE COMPARISON

SE = Standard Edition, EE = Enterprise Edition. A check mark (✓) means the item is supported in that edition.

                                          SE    EE
Operating system support
  Windows (7, 8, and Server 2008+)        ✓     ✓
  Mac OS X 10.8+                          ✓     ✓
  Linux (Ubuntu, Fedora, Debian,          ✓     ✓
  RHEL, and CentOS)

Language support
  C/C++                                   ✓     ✓
  Java                                    ✓     ✓
  JavaScript                              ✓     ✓
  JSP                                     ✓     ✓
  .NET (C#, Visual Basic)                 ✓     ✓
  Python                                  ✓     ✓
  Ruby                                    ✓     ✓

Free & open source SAST tool support
  Brakeman                                ✓     ✓
  CAT.NET                                 ✓     ✓
  CheckStyle                              ✓     ✓
  Clang                                         ✓
  CppCheck                                ✓     ✓
  ErrorProne                                    ✓
  FindBugs                                ✓     ✓
  FxCop                                   ✓     ✓
  Gendarme                                ✓     ✓
  Jlint                                         ✓
  JSHint                                  ✓     ✓
  OCLint                                        ✓
  PMD                                     ✓     ✓
  Pylint                                  ✓     ✓

3rd party software library checkers
  OWASP Dependency-Check                  ✓     ✓
  Retire.js                               ✓     ✓

Commercial tool support
  Armorize CodeSecure                           ✓
  Checkmarx                                     ✓
  Coverity                                      ✓
  GrammaTech CodeSonar                          ✓
  HP Fortify                                    ✓
  IBM AppScan                                   ✓
  Parasoft                                      ✓
  Veracode                                      ✓

IDE support
  MS Visual Studio                        ✓     ✓
  Eclipse                                 ✓     ✓

Continuous integration support
  Jenkins                                 ✓     ✓
  REST API                                ✓     ✓

Version control system support
  Git                                     ✓     ✓

6 Bayview Avenue, Northport, NY 11768 • codedx.com • (631) 759-3993 • [email protected]

Code Dx Standard Edition (SE)
The Standard Edition gives you the power to start writing secure applications quickly, efficiently, and inexpensively. Just load your source code into Code Dx and it will automatically select the appropriate tools for finding weaknesses.

Code Dx Enterprise Edition (EE)
The Enterprise Edition provides all of the powerful features of the Standard Edition – and it expands your coverage by working seamlessly with commercial testing tools. At the same time, it allows for findings to be added manually. The correlation and normalization of results from multiple tools produce a consolidated set of results, with greater coverage of potential vulnerabilities and a better assessment of your overall software security risk.

KEY FEATURES
- Automatically configures and runs many bundled static source code analysis tools
- Checks 3rd party software component libraries for known vulnerabilities
- Contains over 1,500 configurable security/quality rules covering multiple programming languages
- Combines and normalizes output of multiple tools into a single consolidated set of results on a common severity scale
- Browser-based user interface used to assign, collaborate, and track weakness remediation
- Maps results to the Common Weakness Enumeration (CWE)
- Links correlated weaknesses to source code
- Visual analytics for triage and prioritization of software weaknesses
- Robust data filtering supports detailed drill-down and organization of weaknesses
- Generates CSV, XML and PDF assessment reports
- REST API enables integration with automated build servers
- Plug-ins provide support for popular Integrated Development Environments
- Integrates the results from multiple commercial static source code analysis tools (EE only)
- Enables manual entry of independently identified weaknesses (EE only)

Specifications
Code Dx is a browser-based application that you install locally. The application runs on Windows, Linux and Mac platforms, and all modern browsers are supported.

About Code Dx
Code Dx grew out of research funded by the Department of Homeland Security Science & Technology Directorate. DHS is committed to improving the security of the nation’s information infrastructure.

Code Dx is proud to be a component of the DHS S&T Software Assurance Marketplace (SWAMP), a collaborative marketplace for continuous software assurance.