Code Dx Enterprise

Code Dx Enterprise expands the value of your existing enterprise investment in commercial and open source static application security testing (SAST) and dynamic application security testing (DAST) tools. In a business environment dominated by web-based, customer-facing applications, writing secure software has become critical to protecting the lifeblood of your enterprise: its customer and product data.

Quality testing, SAST, DAST and manual testing must be performed during the software development life cycle (SDLC), before code reaches production, to discover weaknesses while they are still cheap to fix and before they become exploitable vulnerabilities and corporate liabilities. Build Security In reports that 90 percent of today’s reported security problems stem from application weaknesses, evidence that intruders are increasingly targeting the application stack. To protect your enterprise and its customers from breaches traceable to insecure software, and to reduce the liability of software developers for such breaches, it is essential to test code for security vulnerabilities throughout the SDLC.

What you may not know is that most testing tools miss a significant portion of the weaknesses in an application. Benchmarking studies by the National Security Agency’s (NSA) Center for Assured Software (CAS) found that the average SAST tool finds only 14 percent of the problems in an application. To find as many vulnerabilities as possible, and to identify the ones that are actually reachable by attackers, you have to use multiple SAST and DAST tools.

Secure coding best practices therefore recommend running your code through multiple SAST and DAST tools and combining the results. This is not easy: each tool reports weaknesses under its own naming conventions and severity ratings, so combining and comparing the vulnerabilities found by different tools is difficult. And every tool you add to your vulnerability analysis process, even an open source SAST or DAST tool, adds time (and cost) for set-up, for running it and for interpreting the combined results.

You need a hybrid approach that combines static and dynamic analysis results and helps you manage their prioritization and remediation.

SAST, or “white-box” testing, finds weaknesses by deeply analyzing the application’s source code; it can be applied early in the SDLC, without having to run the application. SAST also provides comprehensive results because the entire code base is analyzed, whereas DAST can test only the pages, endpoints and execution paths it manages to discover in the running application.

DAST, or “black-box” testing, is also important because it identifies the weaknesses and vulnerabilities in your running web applications that are exposed to an attacker trying to break in. DAST also finds runtime and configuration issues that are hard to spot by reading the code, because it exercises the deployed application together with every component it interacts with (web server, frameworks, back-end services) as they actually behave in operation. Finally, when source code is not available to test, running several DAST tools can fill that gap.

Adding DAST results to Code Dx Enterprise makes the tool extremely powerful: it is one of the first to provide a hybrid analysis mapping that integrates SAST and DAST (open source and commercial) tool results along with manual code review results in one centralized console. This increases the likelihood of finding more vulnerabilities (“broadening vulnerability coverage”), and viewing the results through the lens of DAST shows which of those vulnerabilities are actually exposed to an external attacker (the “attack surface”). Add the fact that Code Dx Enterprise tracks quality issues at the same time, and you have a winning process for your organization.

“The nice thing about Code Dx Enterprise is that it is able to give you coverage comparison and show you which of the tools are finding which issues. That is actually a really nice feature.”

Code Dx Enterprise makes it easy to integrate SAST and DAST testing throughout the SDLC without forcing developers or testers to learn a separate user interface for each of the tools needed for thorough testing. In the past, the results from SAST, DAST and manual testing had to be collated by hand-entering all of the data into a spreadsheet. Using that spreadsheet to manage the remediation of thousands of vulnerabilities was awkward at best, especially when a whole team of developers is being pressured to get applications out the door as quickly as possible.

How Code Dx Enterprise streamlines software vulnerability discovery and management

Code Dx Enterprise changes the approach to application security testing by providing an affordable and efficient way to consolidate and manage the results of hybrid analysis techniques, including quality testing. It ships with several open source tools bundled in, which it runs automatically against your source code, and it assesses the vulnerability status of the third-party libraries your code depends on. Next, you feed in the results of any additional open source or commercial SAST and DAST tools you have run against the code, and of any manual analyses you have conducted. Code Dx’s new Tool Connectors also let you pull the results from tools such as WhiteHat Sentinel and Checkmarx directly into the Code Dx analysis result set. Combining the results of all these techniques gives you the data you need for a truly comprehensive view of the security and software assurance of your application.

But the magic is how Code Dx Enterprise puts it all together for you: it takes the manual code analysis results along with the test results from multiple commercial and open source SAST and DAST tools, automatically normalizes them into a common format, deduplicates findings that more than one tool reported, tags false positives, identifies the findings considered most severe, and consolidates everything in a centralized console.

“Clearly, Code Dx Enterprise would provide an overall time savings by correlating results from multiple products.”

Code Dx Enterprise’s centralized console and intuitive visual interface help you manage the entire software vulnerability discovery and remediation process. Its customizable correlation logic deduplicates vulnerability results reported by different tools. The results can then be triaged and filtered to focus on the highest-priority weaknesses first, guided by Code Dx’s mapping of each vulnerability to industry-standard severity ratings. From the console, security analysts or software managers can assign individual weaknesses to individual developers to fix.

Because Code Dx Enterprise integrates with the JIRA issue tracking system used by many development teams, it slips easily into the existing workflow; findings can be mapped to custom JIRA fields, streamlining bug tracking and reporting. Code Dx Enterprise even points developers to the specific offending line(s) of source code associated with each weakness so they can quickly assess and repair the flaw, and offers remediation guidance. In fact, that is why we call ourselves “Code Dx”: you get the actual diagnosis (the Dx) explaining the source of the vulnerability, as well as a prescription (the Rx) to fix it.
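What the normalize, deduplicate and prioritize steps described above amount to, shown as an added illustration that is not Code Dx’s own code, data model or correlation logic: two constructed SAST reports and one DAST report in different native formats are mapped onto a shared vocabulary (CWE ids and a single severity scale), findings on the same weakness are merged, DAST hits are tied to code locations through an assumed URL-to-handler route table so that attacker-reachable issues sort first, and a coverage comparison shows which tools found what. The tool output formats, the rule-to-CWE and severity mapping tables, the route table and the two-line tolerance are all assumptions made for this example.

```python
"""Added example, not Code Dx code. Tool formats, the rule -> CWE table, the
severity scales, the route table and the line tolerance are all assumed here."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed raw output from two hypothetical SAST tools and one DAST tool.
SAST_TOOL_A = [
    {"rule": "SQL_INJECTION", "sev": "High", "file": "app/orders.py", "line": 42},
    {"rule": "XSS_REFLECTED", "sev": "Medium", "file": "app/search.py", "line": 17},
    {"rule": "HARDCODED_PASSWORD", "sev": "Low", "file": "app/config.py", "line": 3},
]
SAST_TOOL_B = [
    {"checker": "sqli", "priority": 1, "path": "app/orders.py", "line": 43},
    {"checker": "weak-random", "priority": 3, "path": "app/token.py", "line": 9},
]
DAST_TOOL_C = [
    {"name": "SQL Injection", "risk": 3, "url": "https://shop.example/orders?id=1"},
    {"name": "Cross Site Scripting (Reflected)", "risk": 2, "url": "https://shop.example/search?q=x"},
    {"name": "SQL Injection", "risk": 3, "url": "https://shop.example/admin/export?t=users"},
]

# Common vocabulary: each tool's own rule name -> CWE id (assumed table).
CWE_MAP = {
    "SQL_INJECTION": 89, "sqli": 89, "SQL Injection": 89,
    "XSS_REFLECTED": 79, "Cross Site Scripting (Reflected)": 79,
    "HARDCODED_PASSWORD": 798, "weak-random": 338,
}
# Each tool's severity scale mapped onto one 1 (low) .. 4 (critical) scale.
SEV_A = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SEV_B = {3: 1, 2: 2, 1: 3}        # tool B: priority 1 is the most urgent
SEV_C = {0: 1, 1: 1, 2: 2, 3: 3}  # tool C: risk 0-3
# Assumed route table (URL path -> handler file): lines DAST hits up with code.
ROUTES = {"/orders": "app/orders.py", "/search": "app/search.py"}
LINE_TOLERANCE = 2  # SAST tools often report the same sink on adjacent lines

@dataclass
class Finding:
    cwe: int
    severity: int
    file: "str | None"   # None when a DAST URL maps to no known handler
    line: "int | None"   # None for DAST findings
    tools: set = field(default_factory=set)
    externally_reachable: bool = False  # True once a DAST tool has hit it

# One adapter per tool format turns its native records into Findings.
def adapt_a(r):
    return Finding(CWE_MAP[r["rule"]], SEV_A[r["sev"]], r["file"], r["line"], {"sast-a"})

def adapt_b(r):
    return Finding(CWE_MAP[r["checker"]], SEV_B[r["priority"]], r["path"], r["line"], {"sast-b"})

def adapt_c(r):
    path = urlparse(r["url"]).path
    return Finding(CWE_MAP[r["name"]], SEV_C[r["risk"]], ROUTES.get(path), None,
                   {"dast-c"}, externally_reachable=True)

def same_issue(a, b):
    # Same CWE in the same file; a DAST hit (no line) matches any line,
    # two SAST hits must lie within LINE_TOLERANCE of each other.
    if a.cwe != b.cwe or a.file is None or a.file != b.file:
        return False
    if a.line is None or b.line is None:
        return True
    return abs(a.line - b.line) <= LINE_TOLERANCE

def correlate(findings):
    # Deduplicate: fold each finding into the first merged entry it matches,
    # keeping the worst severity and the union of the tools that reported it.
    merged = []
    for f in findings:
        for m in merged:
            if same_issue(m, f):
                m.tools |= f.tools
                m.severity = max(m.severity, f.severity)
                m.externally_reachable |= f.externally_reachable
                break
        else:
            merged.append(f)
    return merged

def prioritise(findings):
    # Attacker-reachable issues first, then by severity, then by location.
    return sorted(findings, key=lambda f: (not f.externally_reachable, -f.severity,
                                           f.file or "~", f.line or 0))

def coverage(findings):
    # Per-tool hit count over merged issues, and how many only one tool found.
    per_tool = defaultdict(int)
    for f in findings:
        for t in f.tools:
            per_tool[t] += 1
    return dict(per_tool), sum(1 for f in findings if len(f.tools) == 1)

def run():
    raw = [adapt_a(r) for r in SAST_TOOL_A] + [adapt_b(r) for r in SAST_TOOL_B]
    raw += [adapt_c(r) for r in DAST_TOOL_C]   # SAST first, so DAST attaches to code
    return prioritise(correlate(raw))
```

Calling run() yields five merged findings from eight raw ones: the SQL injection in app/orders.py appears once, attributed to all three tools, kept at the worst severity either SAST tool gave it and marked reachable because the DAST scan hit the /orders route; the DAST-only hit on an unmapped URL survives as its own finding rather than being dropped, and coverage(run()) reports how many issues each tool contributed and how many were seen by a single tool only. Two choices matter in practice: correlating on CWE plus location rather than on tool-specific rule names, and deciding what to do with scanner results that cannot be tied to code (here they are kept and still rank by reachability).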

In short, with Code Dx Enterprise you can track the progress of vulnerability discovery and remediation and report it at a level suitable to a developer or an executive.

“…provides a nice way to document progress on a report. Each weakness has an activity stream, where comments and status changes can be saved.”

Code Dx Enterprise Features

Updates and Support

  • All upgrades, new Enterprise releases, and additional tool support are included with current subscriptions
  • Future releases will expand the catalog of supported tools
  • Future releases will also include complete Hybrid Analysis Mapping correlation between SAST and DAST tools
  • Email and telephone support are available during normal business hours