Code Dx Enterprise
Cut your testing time
Code Dx Enterprise automatically correlates your results for you, so you can spend your time fixing, not sorting.
Every organization knows that it should be testing the security of its applications in-house. But the reality is that the frantic pace of software development doesn’t always leave enough time for that. Even if there is time, it may only be enough to run a single tool, or a single type of tool, which does little to actually secure your application.
The truth of application security is that one tool won’t cover the whole thing. Static application security testing (SAST) tools, for example, scan your app’s source code for known vulnerabilities, but each one is better (or worse) at finding certain kinds of weaknesses. To make sure you don’t miss a thing, you need to use multiple tools (and multiple types of tools, but we’ll get to that later). That creates a whole new problem, however: you now have a stack of scan results from different tools, representing thousands of vulnerabilities. This is what makes testing so time-consuming: figuring out which flags are real, and weeding out duplicate results. This typically results in an unlucky security specialist (or, more likely, several security specialists) manually reviewing each issue, correlating them with a different technique, and confirming whether or not they are important enough to bring to the DevOps team.
Code Dx Enterprise takes the results of all of your scans, processes them, and gives you a short list with no duplicates. It even points out which vulnerabilities were found by more than one tool, and provides an easy interface to prioritize each one based on severity. This can cut your testing time down, and get your application secured without falling behind schedule.
Code Dx Enterprise will automatically check your vulnerabilities against common compliance standards.
Finding out that your application actually violates some kind of regulation—and that you may now be on the hook for fines—is a nightmare scenario for a development organization of any size. Fixing the violations and fighting the fines in court will carry hefty legal fees even if you prevail, not to mention bad press (consumers don’t usually respond enthusiastically to a headline declaring, “Development Organization Fined for Violating the Health Information Portability and Accountability Act”) and loss of market confidence.
It’s really better to just make sure your software is compliant while you’re writing it. Code Dx Enterprise can take care of that for you.
Code Dx Enterprise checks your codebase against various regulations, such as HIPAA, the DISA-STIG, and the PCI DSS. Any lines of code that violate those regulations are flagged, and the exact nature of the violation is shown, along with ways to make it compliant. Instead of reading through hundreds of pages of regulations, focus on making your application as good (and secure!) as it can be. We’ll handle the rest.
Make your developers part of the security team
Hand your developers a short list of real vulnerabilities to fix, not a long list of potential issues.
Nobody wants to go back and change their code, especially if it’s working well. Developers are understandably reluctant to “fix” their code unless they absolutely have to. Nothing can alienate a dev team like being handed a list of thousands of potential vulnerabilities, the majority of which may not even be real. A big part of the security team’s job is to verify their findings before handing them off to the dev team to fix.
Code Dx Enterprise shoulders a lot of that burden. While SAST tools scan the source code (a process that always returns that long list of errors), dynamic application security testing (DAST) tools run from the outside-in. These tools use similar approaches to penetration tests—in fact, a lot of them use pen testing as part of their process—to find exploits. In other words, while SAST tools can tell you that there are fifteen doors in your house, DAST tools tell you which ones are unlocked.
Code Dx Enterprise takes the results of SAST and DAST tools, then combines and correlates them. This returns a much shorter list of vulnerabilities that are verified and immediately actionable.
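The combine-and-correlate step described here and in the "Cut your testing time" section above is easy to picture with a small script. The following is an added example, not Code Dx code and not Code Dx's data format: it assumes each tool's output has already been normalised into simple dicts, that SAST findings carry a file and line while DAST findings carry a URL, and that a hypothetical route table (ROUTE_TO_FILE) maps URLs to the source file handling them. All findings, paths and CWE ids below are constructed for the example. It de-duplicates repeated findings, records which tools agree on each issue, flags issues confirmed from the outside by a DAST hit, and ranks the result by verification, severity and tool agreement.

```python
"""Correlate and de-duplicate findings from several AppSec tools.

Added example (not Code Dx's own code or data format). Assumes tool output
has been normalised to dicts with keys: tool, kind ("sast"/"dast"), cwe,
severity, plus file/line (SAST) or url (DAST). Sample data is constructed.
"""
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed (hypothetical) route table: which source file serves each URL.
# Something like this is what lets a DAST hit be lined up with SAST findings.
ROUTE_TO_FILE = {"/login": "app/login.py", "/report": "app/report.py"}

# Constructed sample output from two SAST tools and one DAST tool.
SAMPLE_FINDINGS = [
    {"tool": "sast-a", "kind": "sast", "file": "app/login.py", "line": 42, "cwe": 89, "severity": "high"},
    {"tool": "sast-b", "kind": "sast", "file": "app/login.py", "line": 42, "cwe": 89, "severity": "medium"},
    {"tool": "sast-a", "kind": "sast", "file": "app/login.py", "line": 42, "cwe": 89, "severity": "high"},  # exact duplicate (re-run)
    {"tool": "sast-a", "kind": "sast", "file": "app/report.py", "line": 17, "cwe": 79, "severity": "medium"},
    {"tool": "sast-b", "kind": "sast", "file": "app/util.py", "line": 5, "cwe": 327, "severity": "low"},
    {"tool": "dast-x", "kind": "dast", "url": "/login", "cwe": 89, "severity": "high"},
    {"tool": "dast-x", "kind": "dast", "url": "/search", "cwe": 79, "severity": "medium"},  # no route mapping
]


def finding_key(finding, route_to_file):
    """Normalise a finding to a (file, cwe) correlation key.

    SAST findings already name a file; DAST findings name a URL, which is
    mapped to a file through the route table. Returns None when a DAST hit
    cannot be mapped, so it is reported separately rather than silently lost.
    """
    if finding["kind"] == "dast":
        file = route_to_file.get(finding["url"])
        if file is None:
            return None
    else:
        file = finding["file"]
    return (file, finding["cwe"])


def correlate(findings, route_to_file):
    """Group findings by (file, cwe); return (ranked results, unmapped DAST hits)."""
    groups = defaultdict(lambda: {"tools": set(), "kinds": set(), "lines": set(), "severity": "low"})
    unmapped = []
    for f in findings:
        key = finding_key(f, route_to_file)
        if key is None:
            unmapped.append(f)
            continue
        g = groups[key]
        g["tools"].add(f["tool"])          # sets absorb exact duplicates
        g["kinds"].add(f["kind"])
        if "line" in f:
            g["lines"].add(f["line"])
        # Keep the worst severity any tool assigned to the issue.
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = f["severity"]

    results = []
    for (file, cwe), g in groups.items():
        results.append({
            "file": file,
            "cwe": cwe,
            "severity": g["severity"],
            "tools": sorted(g["tools"]),
            "tool_count": len(g["tools"]),
            "lines": sorted(g["lines"]),
            "verified_by_dast": "dast" in g["kinds"],
        })
    # Rank: DAST-verified first, then by severity, then by how many tools agree.
    results.sort(key=lambda r: (not r["verified_by_dast"],
                                -SEVERITY_RANK[r["severity"]],
                                -r["tool_count"],
                                r["file"]))
    return results, unmapped


if __name__ == "__main__":
    ranked, leftover = correlate(SAMPLE_FINDINGS, ROUTE_TO_FILE)
    for r in ranked:
        print(f"{r['file']}:{r['lines']} CWE-{r['cwe']} {r['severity']:<7} "
              f"tools={r['tools']} verified={r['verified_by_dast']}")
    for f in leftover:
        print(f"unmapped DAST finding: {f['url']} CWE-{f['cwe']}")
```

Keying on (file, CWE) is deliberately coarse so that a DAST hit, which has no line number, can land in the same bucket as the SAST findings for that file; the collected line numbers keep the SAST precision. The unmapped list matters in practice: a DAST finding on a URL with no known handler is exactly the kind of result that gets dropped by a naive join and should instead be reviewed by hand.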
Key features of Code Dx Enterprise
- Automatically combines and correlates the output from multiple tools and manual findings into a single set of results
- Supports commercial SAST, DAST, and IAST tools
- Includes bundled SAST tools to get you started
- Checks your codebase against regulations such as HIPAA
- Manages remediation with tools to assign and track vulnerability fixes
- Integrates with the JIRA issue tracking tool
- Integrates with popular development environments (like Eclipse) so developers can fix flagged vulnerabilities more easily
- Embeds in continuous integration environments to streamline your process
- Integrates with other build servers with its REST API
- Supports XML input for integration with custom or proprietary analysis tools
- Provides results in SIEM format for analysis by your network security team
- Generates reports in a variety of formats
- Checks your third-party components for vulnerabilities with Software Composition Analysis tool support
- Maps vulnerabilities to the Common Weakness Enumeration
Key benefits of Code Dx Enterprise
- Better vulnerability coverage
- Fewer false positives
- No duplicate results
- Automate the tedious and lengthy process of combining multiple outputs
- Automate the expensive, labor-intensive task of correlating the results until you’re left with actionable data
- Automatically select and run a collection of open-source SAST tools and third-party library analyzers against your code
Updates and support
- All upgrades, new Enterprise releases, and additional tool support are included with current subscriptions
- Future releases will expand the catalog of supported tools
- Future releases will also include complete Hybrid Analysis Mapping correlation between SAST and DAST tools
- Email and telephone support, available during normal business hours