There’s a lot happening to expand the functionality and usability of Code Dx. Here are a few of the upcoming features we’re currently working on.
Hybrid Application Security Testing
Two methods for analyzing software security risks are dynamic application security testing (DAST) – an outside-in perspective – and static application security testing (SAST) – an inside-out perspective. Both have shortfalls. DAST findings do not give insight into the root cause, making remediation time consuming. SAST tools give you full breadth, but warn of weaknesses that are not exploitable. Correlating the results of SAST and DAST can overcome these individual challenges. With funding from the Department of Homeland Security Science & Technology Directorate, Code Dx is researching and developing Hybrid Application Security Testing (HAST) techniques.
In Code Dx Version 2.0, we completed a critical requirement for HAST: adding support for consuming and de-duplicating the results of DAST tools. In fact, we can now consume the results of the following DAST tools: IBM AppScan, HP WebInspect, Veracode, Acunetix, Netsparker, Burp Suite, OWASP ZAP and Arachni. Support for other tools will come in future versions of Code Dx.
Next on our list is to instrument an application under test using Interactive Application Security Testing (IAST) techniques to provide code level details to DAST findings. This will allow us to automatically correlate the SAST and DAST results to show the attack surface of the code; that is, what parts of the code are accessible to a potential attacker using dynamic penetration tools.
Metrics Driven Dashboard and Reporting
Code Dx will be adding both project level and enterprise level metrics driven dashboards and reporting. This will allow CISOs and software development managers to get an overview of application security trends. For example, CISOs and managers will be able to assess: what vulnerabilities are most prominent across the enterprise, how long it takes to fix SQL Injection weaknesses, and how developer training is helping to address certain types of vulnerabilities.
If you are interested in being a beta tester of any of these emerging capabilities, drop us a note through the Contact page.