Why use Code Dx?
Most computer security incidents can be traced back to weaknesses in software that were inadvertently put there when the code was developed. Attackers can–and very often do–find and exploit such weaknesses as a means to attack your organization’s applications. In today’s business environment, replete with so many web-based, customer-facing applications, it is critical that you test the security and software assurance of every application before you deploy it, to discover any weaknesses that put your organization’s data and reputation at risk.
Software security best practices recommend using a hybrid analysis approach that consists of Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and manual testing to get the most comprehensive look at an application’s security posture and its software assurance. SAST tools test the application from the inside out, also known as “white box testing.” SAST tools examine the source code, the byte code or the binaries line by line and identify the exact location in the code that causes a weakness. By detecting these flaws early in the Software Development Life Cycle (SDLC), it is much less expensive to find weaknesses and fix them before they can become true vulnerabilities that put the organization at risk.
DAST tools test from the outside looking in, while the application is running. This is typically referred to as “black box testing” because DAST tools try to penetrate the application in a variety of ways, just as an attacker would. Source code, byte code and binaries are not required when using DAST tools, and DAST tools are sometimes easier to use and less expensive than SAST tools. On the other hand, DAST tools are unable to isolate the exact site of a weakness in the code and have difficulty checking adherence to coding guidelines. Nevertheless, by providing the outside-in perspective, DAST tools offer valuable insight and are ideal to use before an application goes live. They are particularly useful when the application’s source code is not available to be tested.
But the big problem is that you can’t just run one SAST and one DAST tool. In fact, your average SAST tool is likely to find only 14% of the vulnerabilities in your code! Benchmark tests have shown that each tool has a different specialty, so to get a truly comprehensive view of your application’s vulnerabilities it is necessary to run several SAST and DAST tools, both to identify the broadest set of vulnerabilities and to single out the subset of those vulnerabilities that are most easily reachable by an attacker. Unfortunately, when you run multiple tools, each tool has its own vocabulary for describing a weakness, so figuring out which tools overlap, and where, is confusing and time consuming.
Code Dx Solution
Code Dx Enterprise solves this problem. It interacts with and integrates the results of many open source and commercial SAST tools, open source and commercial DAST tools, and manual code reviews. It also comes bundled with multiple preconfigured open source SAST tools. Once you feed your code into Code Dx Enterprise, it automatically determines which open source tools to run against the source code, runs them, finds the weaknesses, checks the vulnerability status of third-party components incorporated into the source code, consolidates and removes redundant results from the multiple tools, normalizes them so that all results use the same terminology and severity scale, and presents the unified set in a centralized console with an interface for managing the vulnerabilities.
By managing, we mean triaging and prioritizing the vulnerabilities, assigning them with built-in remediation guidance to developers, and tracking the remediation process. Because Code Dx Enterprise integrates with build servers and issue trackers, it fits well into today’s DevOps environments and streamlines collaboration between security and development teams.
Code Dx Stat! is a reduced-capability tool that focuses on just one aspect of this process: applying open source static analysis tools to find the vulnerabilities in your source code. Stat! begins by installing its bundled open source SAST tools, then gives you all of the Enterprise features that relate to software vulnerabilities identified by those open source tools.
In detail, Code Dx tools give you:
Broader Coverage of Weaknesses – Correlates results of multiple SAST and DAST tools into a single set. You will see more potential vulnerabilities, and be able to rapidly drill down to the most important ones.
Normalized Results – Removes overlaps, and puts the results on a common severity scale. Visualizes, analyzes and filters the combined result sets from a single user interface.
Prioritization and Focus – Speeds triage of high-volume results and assignment of highest-priority vulnerabilities for remediation. Helps identify and disseminate false positives so they don’t re-appear.
Shared Interface with Custom Details – Shows the granularity of information needed by different users. Developers can view code in the context of its hierarchy and dependencies.
Relevant Reports – Includes advanced reporting features and visualizations which compare the results to the highest industry standards. An upcoming release will also map the static tool results to regulatory compliance issues.
Affordable and Easy to Use – Embeds and automatically runs open source SAST tools for use with or without commercial tools. Stat! is priced for a small business budget.
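The correlation and normalization steps described above (mapping each tool’s own vocabulary to a common weakness identifier, putting severities on one scale, merging overlapping reports, and dropping confirmed false positives so they don’t re-appear) are illustrated by the following added example. It is not Code Dx code and does not reflect how Code Dx implements these steps; the two scanners, their report formats, the rule-name-to-CWE mapping and the severity bands are all constructed for the illustration.

```python
"""Correlate and normalize findings from several analysis tools.

Added, illustrative example (not Code Dx code): two hypothetical scanners
report on the same code base using different vocabularies and severity
scales. The functions below map both to a common CWE identifier and a
1-5 severity scale, merge overlapping reports, and apply a suppression
list of confirmed false positives.
"""
from dataclasses import dataclass, field

# Constructed raw reports. "tool_a" labels by rule name with Low/Medium/High;
# "tool_b" uses CWE ids and a 0-10 numeric score. Neither is a real tool.
TOOL_A_RESULTS = [
    {"rule": "SQL Injection", "severity": "High", "file": "app/db.py", "line": 42},
    {"rule": "Cross-Site Scripting", "severity": "Medium", "file": "app/views.py", "line": 17},
    {"rule": "Hardcoded Password", "severity": "Low", "file": "app/config.py", "line": 3},
]
TOOL_B_RESULTS = [
    {"cwe": 89, "score": 9.1, "path": "app/db.py", "line": 42},
    {"cwe": 798, "score": 7.5, "path": "app/config.py", "line": 3},
    {"cwe": 22, "score": 6.0, "path": "app/files.py", "line": 88},
]

# Vocabulary mapping for tool_a's free-text rule names (assumed mapping).
TOOL_A_RULE_TO_CWE = {
    "SQL Injection": 89,
    "Cross-Site Scripting": 79,
    "Hardcoded Password": 798,
}
TOOL_A_SEVERITY = {"Low": 2, "Medium": 3, "High": 4, "Critical": 5}


@dataclass
class Finding:
    cwe: int
    file: str
    line: int
    severity: int                      # common 1-5 scale
    tools: list = field(default_factory=list)


def normalize_tool_a(raw):
    """Translate a tool_a record into the common vocabulary and scale."""
    return Finding(TOOL_A_RULE_TO_CWE[raw["rule"]], raw["file"], raw["line"],
                   TOOL_A_SEVERITY[raw["severity"]], ["tool_a"])


def score_to_scale(score):
    """Map a 0-10 score onto the 1-5 scale (CVSS-style bands, assumed)."""
    if score >= 9.0:
        return 5
    if score >= 7.0:
        return 4
    if score >= 4.0:
        return 3
    if score > 0.0:
        return 2
    return 1


def normalize_tool_b(raw):
    """Translate a tool_b record into the common vocabulary and scale."""
    return Finding(raw["cwe"], raw["path"], raw["line"],
                   score_to_scale(raw["score"]), ["tool_b"])


def correlate(findings, suppressed=frozenset()):
    """Merge findings that describe the same weakness at the same location.

    The merged severity is the highest any tool assigned, and the tool list
    records how many independent tools agree (useful for triage). Keys in
    `suppressed` are (cwe, file, line) triples already confirmed as false
    positives; they are dropped so they do not re-appear in the next run.
    """
    merged = {}
    for f in findings:
        key = (f.cwe, f.file, f.line)
        if key in suppressed:
            continue
        if key in merged:
            m = merged[key]
            m.severity = max(m.severity, f.severity)
            m.tools.extend(t for t in f.tools if t not in m.tools)
        else:
            merged[key] = Finding(f.cwe, f.file, f.line, f.severity, list(f.tools))
    # Triage order: highest severity first, then most tools agreeing.
    return sorted(merged.values(),
                  key=lambda m: (-m.severity, -len(m.tools), m.file, m.line))


def unified_report(suppressed=frozenset()):
    """Normalize both constructed tool outputs and return the merged list."""
    raw = ([normalize_tool_a(r) for r in TOOL_A_RESULTS]
           + [normalize_tool_b(r) for r in TOOL_B_RESULTS])
    return correlate(raw, suppressed)


if __name__ == "__main__":
    # The XSS report at app/views.py:17 is treated as a confirmed false positive.
    for f in unified_report(suppressed={(79, "app/views.py", 17)}):
        print(f"CWE-{f.cwe:<4} sev={f.severity} {f.file}:{f.line}  "
              f"reported by {', '.join(f.tools)}")
```

Run as a script, the six raw reports collapse to three unified findings: the SQL injection at `app/db.py:42`, reported by both tools, sorts first with the higher of the two severities, and the suppressed cross-site scripting report is omitted. The location-based merge key is deliberately simple; a production correlator would also have to tolerate small line-number drift between tools and between runs.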
Code Dx Benefits
Coverage – Find more important vulnerabilities in your source code and in your application while it is running
- Combine multiple tool results to find more vulnerabilities. Stat! combines results from embedded open source SAST tools. Enterprise combines results from both open source and commercial SAST and DAST tools, along with results from manual code reviews.
- Prioritize combined results to highlight most important weaknesses
- Filter out overlapping results and false positives
Efficiency – Save remediation time and resources by finding and fixing early in the SDLC
- Developers remediate highest priority vulnerabilities first
- Remediation can take 7–10 hours per vulnerability when it is delayed until later in the SDLC
Communication – Share results up and down the chain
- Visual analytics and reports are consumable by various roles and expertise
Ease-of-use – Get started quickly and inexpensively
- Code Dx embeds and automatically runs open source tools
- Affordable to businesses of all sizes