FACT SHEET

Find, prioritize, and visualize software vulnerabilities, fast and affordably

KEY BENEFITS

Enhanced Vulnerability Coverage
- Discovery of more weaknesses than any single analysis tool
- Higher confidence in detecting weaknesses with multiple tools

Efficient and Prioritized Remediation
- Rapid triage of false positives
- Improved assessment of severity and criticality
- Source code linked to vulnerabilities

Enhanced Collaboration
- Security and development teams now have a shared tool to communicate findings and discuss remediation

SDLC Tool Support
- Support for integrated development environments (IDEs), continuous integration environments, and version control systems

Visualization and Interaction
- More understandable data format
- Focus on the most important weaknesses determined by the user

Easy to Get Started
- Fast and easy installation – up and running in 10 minutes
- Automatically runs bundled open source SAST tools
- Affordably priced for small-to-medium sized businesses

Who uses Code Dx?
- Software Developers
- Security Analysts
- Software Testers
- Quality Assurance Analysts
- Compliance Auditors
- Accreditors
- CISOs

Uses
- Secure software development
- Security & Quality Assurance reviews
- Verification & Accreditation support
- Expedited compliance reviews
- Code audits
- Pre-procurement software evaluations

Code Dx is a software vulnerability management system that brings together a variety of code analysis tools that enable you to locate and fix potential vulnerabilities in the code you write, in the languages you use, and at a low cost.

THE PROBLEM
Over 90% of computer security incidents are due to weaknesses in software. These weaknesses can expose vulnerabilities that put your business at risk for attacks such as SQL injection and cross-site scripting, leading to data loss, corruption, or even a host takeover. Static code analysis tools can help you find these weaknesses. However, commercial tools are typically costly, and while open source tools are "free," they still require considerable human resources to configure and run. Regardless of whether you are running a commercial or open source code analysis tool, no single tool provides sufficient code coverage. You have to run multiple tools, and tediously correlate the results.

THE SOLUTION
Code Dx runs a suite of preconfigured, fully integrated, multi-language, open source static code analysis tools against your code base. It can also incorporate the results of commercial tools and manual analysis, and automatically correlate all the weaknesses into a single consolidated set, viewable from a single user interface, with reports presented in an easy to understand visual display.
FEATURE COMPARISON

SE = Standard Edition, EE = Enterprise Edition. A check mark (✔) means the feature is included in that edition.

| Feature | SE | EE |
|---|---|---|
| Operating system support | | |
| Windows (7, 8, and Server 2008+) | ✔ | ✔ |
| Mac OS X 10.8+ | ✔ | ✔ |
| Linux (Ubuntu, Fedora, Debian, RHEL, and CentOS) | ✔ | ✔ |
| Language support | | |
| C/C++ | ✔ | ✔ |
| Java | ✔ | ✔ |
| Javascript | ✔ | ✔ |
| JSP | ✔ | ✔ |
| .NET (C#, Visual Basic) | ✔ | ✔ |
| Python | ✔ | ✔ |
| Ruby | ✔ | ✔ |
| Free & open source SAST tool support | | |
| Brakeman | ✔ | ✔ |
| CAT.NET | ✔ | ✔ |
| CheckStyle | ✔ | ✔ |
| Clang | | ✔ |
| CppCheck | ✔ | ✔ |
| ErrorProne | | ✔ |
| FindBugs | ✔ | ✔ |
| FxCop | ✔ | ✔ |
| Gendarme | ✔ | ✔ |
| Jlint | | ✔ |
| JSHint | ✔ | ✔ |
| OCLint | | ✔ |
| PMD | ✔ | ✔ |
| Pylint | ✔ | ✔ |
| 3rd party software library checkers | | |
| OWASP Dependency-Check | ✔ | ✔ |
| Retire.js | ✔ | ✔ |
| Commercial tool support | | |
| Armorize CodeSecure | | ✔ |
| Checkmarx | | ✔ |
| Coverity | | ✔ |
| GrammaTech CodeSonar | | ✔ |
| HP Fortify | | ✔ |
| IBM AppScan | | ✔ |
| Parasoft | | ✔ |
| Veracode | | ✔ |
| IDE support | | |
| MS Visual Studio | ✔ | ✔ |
| Eclipse | ✔ | ✔ |
| Continuous integration support | | |
| Jenkins | ✔ | ✔ |
| REST API | ✔ | ✔ |
| Version control system support | | |
| Git | ✔ | ✔ |
6 Bayview Avenue, Northport, NY 11768 • codedx.com (631) 759-3993 • [email protected]
Code Dx Standard Edition (SE)
The Standard Edition gives you the power to start writing secure applications quickly, efficiently, and inexpensively. Just load your source code into Code Dx and it will automatically select the appropriate tools for finding weaknesses.

Code Dx Enterprise Edition (EE)
The Enterprise Edition provides all of the powerful features of the Standard Edition – and it expands your coverage by working seamlessly with commercial testing tools. At the same time, it allows for findings to be added manually. The correlation and normalization of results from multiple tools produce a consolidated set of results, with greater coverage of potential vulnerabilities and a better assessment of your overall software security risk.

KEY FEATURES
- Automatically configures and runs many bundled static source code analysis tools
- Checks 3rd party software component libraries for known vulnerabilities
- Contains over 1,500 configurable security/quality rules covering multiple programming languages
- Combines and normalizes output of multiple tools into a single consolidated set of results on a common severity scale
- Browser-based user interface used to assign, collaborate, and track weakness remediation
- Maps results to the Common Weakness Enumeration (CWE)
- Links correlated weaknesses to source code
- Visual analytics for triage and prioritization of software weaknesses
- Robust data filtering supports detailed drill-down and organization of weaknesses
- Generates CSV, XML and PDF assessment reports
- REST API enables integration with automated build servers
- Plug-ins provide support for popular Integrated Development Environments
- Integrates the results from multiple commercial static source code analysis tools (EE only)
- Enables manual entry of independently identified weaknesses (EE only)
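The feature list above describes combining the output of several analysis tools, putting it on a common severity scale, mapping findings to CWE, linking them to source locations and exporting CSV. The following Python script is an added illustration of that general approach; it is not Code Dx code and says nothing about how Code Dx implements it. The two tool output formats ("tool-a" with numeric priorities, "tool-b" with severity words), the rule names and the rule-to-CWE mapping are constructed for the example; the CWE numbers themselves (89, 79, 798) are real identifiers.

```python
"""Correlate and normalize findings from several static analysis tools.

Added example, not Code Dx code. Tool names, record layouts, severity
vocabularies and the rule -> CWE mapping are constructed for illustration.
"""
from collections import defaultdict
import csv
import io

# The common severity scale every tool's vocabulary is mapped onto.
COMMON_SCALE = ["info", "low", "medium", "high", "critical"]

# Constructed sample output of a hypothetical "tool-a" (priority 1 = worst, 5 = lowest).
TOOL_A_FINDINGS = [
    {"rule": "SQL_INJECTION", "file": "src/db.py", "line": 42, "priority": 1},
    {"rule": "XSS_REFLECTED", "file": "src/views.py", "line": 17, "priority": 2},
    {"rule": "UNUSED_IMPORT", "file": "src/util.py", "line": 3, "priority": 5},
]

# Constructed sample output of a hypothetical "tool-b" (severity words, different field names).
TOOL_B_FINDINGS = [
    {"check": "sql-inject", "path": "src/db.py", "line": 42, "severity": "critical"},
    {"check": "hardcoded-secret", "path": "src/config.py", "line": 9, "severity": "high"},
    {"check": "xss", "path": "src/views.py", "line": 17, "severity": "medium"},
]

# Constructed mapping from each tool's rule id to a CWE id (None = quality finding, no CWE).
CWE_MAP = {
    "SQL_INJECTION": 89, "sql-inject": 89,
    "XSS_REFLECTED": 79, "xss": 79,
    "hardcoded-secret": 798,
    "UNUSED_IMPORT": None,
}


def normalize_tool_a(finding):
    """Map tool-a's numeric priority (1..5) onto the common scale and attach a CWE."""
    severity = COMMON_SCALE[::-1][finding["priority"] - 1]  # 1 -> critical ... 5 -> info
    return {"tool": "tool-a", "rule": finding["rule"], "cwe": CWE_MAP.get(finding["rule"]),
            "file": finding["file"], "line": finding["line"], "severity": severity}


def normalize_tool_b(finding):
    """Tool-b already uses words; validate them so an unknown label cannot slip through unranked."""
    severity = finding["severity"].lower()
    if severity not in COMMON_SCALE:
        raise ValueError(f"unknown tool-b severity: {severity!r}")
    return {"tool": "tool-b", "rule": finding["check"], "cwe": CWE_MAP.get(finding["check"]),
            "file": finding["path"], "line": finding["line"], "severity": severity}


def correlate(normalized):
    """Merge findings that point at the same location and weakness class.

    Correlation key is (file, line, CWE); findings without a CWE fall back to
    the tool's rule name so quality findings are still deduplicated per tool.
    The merged severity is the highest any tool assigned.
    """
    groups = defaultdict(list)
    for f in normalized:
        weakness = f["cwe"] if f["cwe"] is not None else f["rule"]
        groups[(f["file"], f["line"], weakness)].append(f)

    merged = []
    for (path, line, _), items in groups.items():
        severity = max((i["severity"] for i in items), key=COMMON_SCALE.index)
        merged.append({"file": path, "line": line, "cwe": items[0]["cwe"], "severity": severity,
                       "tools": sorted({i["tool"] for i in items}),
                       "rules": sorted({i["rule"] for i in items})})
    # Most severe first, then by location: the top of the report is the triage queue.
    merged.sort(key=lambda m: (-COMMON_SCALE.index(m["severity"]), m["file"], m["line"]))
    return merged


def consolidated_report():
    """Run both normalizers over the constructed sample data and correlate the result."""
    normalized = [normalize_tool_a(f) for f in TOOL_A_FINDINGS]
    normalized += [normalize_tool_b(f) for f in TOOL_B_FINDINGS]
    return correlate(normalized)


def report_to_csv(rows):
    """Render the consolidated set as CSV text (one row per correlated weakness)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["severity", "cwe", "file", "line", "tools", "rules"])
    for r in rows:
        writer.writerow([r["severity"], "" if r["cwe"] is None else r["cwe"], r["file"],
                         r["line"], ";".join(r["tools"]), ";".join(r["rules"])])
    return buf.getvalue()


if __name__ == "__main__":
    print(report_to_csv(consolidated_report()))
```

With the constructed input, the SQL injection at src/db.py:42 reported by both tools collapses into one critical CWE-89 row credited to both tools, the XSS finding keeps the higher of the two severities the tools disagreed on, and the unused-import finding survives as an info-level row without a CWE. The key design choice is the correlation key: grouping on (file, line, CWE) rather than on rule name is what lets findings from tools with unrelated rule vocabularies be recognised as the same weakness.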
Specifications
Code Dx is a browser-based application that you install locally. The application runs on Windows, Linux and Mac platforms, and all modern browsers are supported.

About Code Dx
Code Dx grew out of research funded by the Department of Homeland Security Science & Technology Directorate. DHS is committed to improving the security of the nation's information infrastructure.
Code Dx is proud to be a component of the DHS S&T Software Assurance Marketplace (SWAMP), a collaborative marketplace for continuous software assurance.