For Security Analysts

Better coverage, better reporting, better communication

Are you trying to use several Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to get decent security testing coverage? Tired of wasting time consolidating multiple data sets, one from each tool? Code Dx Enterprise solves these problems by aggregating the results of best-of-breed SAST and DAST tools with any manual testing results, deduplicating the results, and presenting them in a single, intuitive interface through which you can collaborate with the development team. In just minutes, ALL of the quality and vulnerability testing results are fully correlated and visually presented based on criticality!

You always need multiple SAST and DAST tools to get the whole story

As you know, the world is finally paying attention to the need for writing secure applications and that means you need to test the applications for security vulnerabilities before the code is released. Someone’s going to do that testing, and it’s probably you. The problem is that the average SAST tool covers only 8 of 13 weaknesses classes, and finds only 22 percent of the flaws in each weakness class according to the Center for Assured Software 2010 benchmarking study. In fact, your average SAST tool is likely to find only 14 percent of the vulnerabilities in the code you’re testing. Fortunately, each tool tends to find different classes of weaknesses which is why savvy security analysts use multiple SAST and DAST tools today to do their testing.

The problem is you are at a severe disadvantage when it’s time to combine, prioritize and communicate those results to the developers. Each SAST and DAST tool assesses vulnerabilities differently: their naming conventions, severity rating methodologies and reports are not synchronized. Without Code Dx, in order to adequately test applications and communicate the results with anyone else in the company, you would have to generate a lot of manual reports and documentation about the vulnerabilities you found. It’s nearly impossible to do a really good job at this because creating an all-encompassing, prioritized report for the developers that take your company’s concerns into account and is based on industry standards such as the OWASP Top Ten could take hours or days of research that would just have to be repeated again for the next report.

Eliminate the multiple-tool headache

Code Dx Enterprise solves these problems because it automates this entire process by aggregating the test results of all of your SAST, DAST and manual testing results into a single centralized console that installs in about 10 minutes. Code Dx EE even automates the running of the tools appropriate to the application code you feed it, then normalizes and synchronizes the results and presents the findings in a visual, prioritized display that’s easy for anyone to use.

In fact, you will be able to see at a glance which areas pose the most concern because the results are displayed in a highly visual and actionable way. Any vulnerability can be looked at in detail and Code Dx, both Stat! and Enterprise, will show the developer the exact line(s) of offending code when using the SAST tools–which will be highly appreciated by the team as a whole. Detailed explanations of the weaknesses are provided, as well as remediation guidance and mechanisms for real-time collaboration with other developers and testers.

If you’re just testing source code and haven’t made investments in any commercial SAST or DAST tools, then Stat! may be the most affordable and easy solution for you.  To use Stat!, all you have to do is feed your source code into Code Dx, and it will automatically select and run preconfigured open source SAST tools for finding weaknesses in Java, JSP, JavaScript, C, C++, C#, VB.NET, Ruby, and XML/XSL. If your source code uses multiple languages, Code Dx will automatically run the appropriate tools for each language.

If you want to incorporate and compare the results of SAST, DAST or manual analyses—or if you want to consolidate the results of several commercial tools your organization has already invested in–Code Dx Enterprise is the way to go. Enterprise runs a bundled set of open source SAST tools for you, and also makes it easy for you to feed in the results of other SAST, DAST and manual analyses. The DAST capability is especially useful if you don’t have easy access to the source code.

Whether you use Code Dx Enterprise or Stat!, Code Dx will deliver to you a consolidated, deduplicated set of software weaknesses. Code Dx will also:

  • Combine and normalize the results from multiple tools into a single consolidated set of results on a common severity scale
  • Display the overlapping results of individual tools
  • Compare the results between tools
  • Map the results to the industry standards for severity of software vulnerabilities. These standards include the Common Weakness Enumeration (CWE), the Open Web Application Security Project (OWASP) Top 10; CWE/SANS Top 25; the Payment Card Industry Data Security Standard (PCI DSS); CERT Java and C/++ coding standards; Seven Pernicious Kingdoms (7PK); the Web Application Security Consortium (WASC); the Comprehensive, Lightweight Application Security Process (CLASP); and Software Fault Patterns (SFP)
  • Correlate weaknesses to the exact line of offending source code
  • Merge duplicate results with customizable correlation logic
  • Provide visual analytics for rapid triaging and prioritizing vulnerabilities
  • Provide a browser-based, visual user interface to assign, collaborate and track the entire remediation process
  • Carry-over triage settings and comments from tools to further streamline the triage process
  • Perform in-depth exploration of all of the results using an advanced search filter
  • Upload data incrementally to choose which results to upload when
  • Generate CSV, XML and PDF reports
  • Use a browser-based user interface to assign, collaborate and track the entire remediation process
  • Integrate with JIRA issue trackers to associate Code Dx findings with JIRA issues and assign them to the development team for remediation, and provide support for custom JIRA fields
  • Use a REST API to automate build server integration to enable continuous assurance or a DevOps procedure already in-house

Bottom line: These capabilities will make your developers and your managers much happier!

The best way to use Code Dx

As a security analyst doing the testing, you can use Stat! early in the Software Development Life Cycle (SDLC) to automatically run pre-configured SAST tools against your source code to find both quality and security weaknesses in the code. This allows you to work with a developer to fix those problems early when fixing costs very little. Code Dx integrates with both the Eclipse and Visual Studio Integrated Development Environments (IDE) so it fits easily within the workflow of the development team. You feed the code into Stat! and it figures out which languages the code is written in, selects the right SAST tool(s), runs the tools automatically, and gives you a report of the results down to the line of code where a potential vulnerability occurs. Then you can ask the developer about just the specific offending line(s) of code instead of forcing the developers to look at the entire application.

In addition to finding software weaknesses, Code Dx tells you which ones are considered to be the most severe based on industry standards to guide the prioritization and remediation process. In fact, Code Dx gives you the ability to assign and track the vulnerabilities to be fixed, offers remediation guidance, and integrates with the JIRA issue tracking system. Finally, Code Dx runs special tools on the third-party libraries you’ve incorporated into your code, and tells you if those libraries have known vulnerabilities that the developers need to fix prior to deployment.

Further along the SDLC, you or your security team may also want to conduct dynamic penetration testing of your web app using Dynamic Application Security Testing (DAST) tools. Whereas SAST or “white-box” testing performs a deep analysis of the actual code to find vulnerabilities early in the SDLC, DAST tests the entire application while it is running. DAST is sometimes called “black box” testing because it mimics what the attacker would see without the benefit of knowing the source code.

If you or your security team wants to run both SAST and DAST tools (a hybrid analysis approach), or combine either of those results with the findings from your manual code reviews, then you’ll want to use Code Dx Enterprise. Enterprise consolidates the results from manual code reviews with results from SAST and DAST (open source and commercial) testing tools in one centralized console that can be used to run and track the entire remediation process. As a result, it is extremely easy to get a clear, prioritized picture of the application’s quality and vulnerability issues to be able to make confident decisions on how to address these problems.

Whether you run Stat! or Enterprise, the application vulnerability correlation and management system installs and runs in minutes, normalizes the results, and presents them in a visual display making it easy to triage and prioritize the results, assign and track remediation tasks, and effectively collaborate with the development team.

Learn one tool to get fast, meaningful results

One of the best parts of Code Dx is that you only have to use a single, unified interface to view the results of multiple SAST, DAST and manual analyses, and to collaborate with the development team. A browser-based application that you install locally, Code Dx runs on Windows, Mac, Linux, and all modern browser clients. Download a free trial and take it on a test spin. We guarantee you won’t regret it.