Stat!

Stat! is designed to remove some of the most prominent barriers to software security and software assurance testing. The discipline is still young, and building secure applications is hard. Testing the software, and how it interacts with all of its moving pieces, during development and before it is deployed on the Web is notoriously difficult and requires several tools. Each static analysis tool specializes in different classes of defects, so several have to be run to get a comprehensive view of an application's code and to protect an organization's most important asset: its data. Using several static application security testing (SAST) tools is complex because each one has to be downloaded and set up, and each has its own user interface to learn.

Code Dx automates this entire process, compares the thousands of discovered findings against each other to eliminate redundant reports and help filter out false positives, and then lets users quickly see which weaknesses are critical to the security of the application itself.

“[Code Dx] has a unique and helpful view of the analysis of the tool output. I like the information provided at the top that allows me to select which tool to use, codebase location, CWE findings, severity, overlapping location count, and status of all of the weaknesses. The [Flow Viz] diagram shows a helpful view of where the weaknesses came from, which tool was able to detect them, and the severity of the weakness.”

Stat! shortens the software development life cycle (SDLC) because it embeds and automatically runs multiple open source SAST tools, combines and normalizes their results, and provides a centralized visual interface for the whole team to view, prioritize and track remediation. Stat! comes with several open source tools pre-configured and picks the ones needed to test your code for both quality and security defects, so both tasks are done in one pass. This is a significant competitive edge for Code Dx. A single interface covers all of the tools, which cuts the learning curve considerably.

At the same time, Code Dx runs the Open Web Application Security Project (OWASP) Dependency-Check and Retire.js tools to check the application's third-party libraries for components with publicly known vulnerabilities. This matters because most applications are built on many third-party components, and industry research has shown that a large share of those components carry vulnerabilities of their own.

And because Code Dx tests for quality defects and security weaknesses at the same time, each fix improves both. Research by the Software Engineering Institute at Carnegie Mellon University has found that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and so improves software security.

Just feed your source code into Code Dx. It selects the appropriate tool for finding weaknesses, and if the code base uses several languages it runs the appropriate tools for each of them.


Code Dx next takes the results and normalizes them to a common severity scale, then correlates findings that different tools report under different names for the same weakness so that the duplicates can be eliminated. Most importantly, Code Dx is unique in the industry because it maps the weaknesses found to several widely used standards, including the Common Weakness Enumeration (CWE), the DISA STIGs, the Health Insurance Portability and Accountability Act (HIPAA), the Open Web Application Security Project (OWASP) Top 10, the CWE/SANS Top 25, the Payment Card Industry Data Security Standard (PCI DSS), the CERT Java and C/C++ coding standards, Seven Pernicious Kingdoms (7PK), the Web Application Security Consortium (WASC), the Comprehensive, Lightweight Application Security Process (CLASP) and Software Fault Patterns (SFP), so that findings can be reported against whichever standard an organization is measured by.

Code Dx then displays the adjusted results. Visualizations such as the Flow Viz help to view and sort the results quickly and to diagnose the code. Findings that several tools report for the same weakness can be eliminated automatically with customizable correlation logic. A result set of a thousand or more findings can then be triaged and filtered to focus first on the highest-priority weaknesses and to flag false positives. An advanced search filter lets users look for the specific types of vulnerabilities that matter to their organization and explore them in depth. Security analysts or software managers can assign weaknesses to individual developers to fix. Code Dx points each developer to the offending line(s) of source code for each weakness so the flaw can be assessed and repaired quickly, and offers remediation guidance. That is why the product is called Code Dx: you get the actual diagnosis, the Dx, that explains the source of the vulnerabilities, as well as a prescription, an Rx, to fix them.
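The normalize-and-correlate step described above, as an added example that is not Code Dx's own code: two hypothetical tools, tool_a and tool_b, report findings on their own severity scales and under their own rule ids. A constructed rule-to-CWE table puts them on common ground, and findings with the same CWE in the same file within a configurable number of lines are merged, keeping the highest normalized severity and recording every tool that reported them so that multiply-confirmed weaknesses sort to the top. All tool names, rule ids, scales and sample findings are invented for the example.

```python
"""Normalizing and correlating findings from several SAST tools.

Added illustration, not Code Dx code. Tool names, severity scales, rule ids
and the sample findings below are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical per-tool severity vocabularies mapped onto one 1-5 scale
# (5 = most severe). Every real tool uses its own scale, which is why a
# common scale is needed before findings can be compared.
SEVERITY_MAP: Dict[str, Dict[str, int]] = {
    "tool_a": {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1},
    "tool_b": {"1": 5, "2": 4, "3": 3, "4": 2, "5": 1},  # numeric priority, 1 = worst
}

# Hypothetical (tool, rule id) -> CWE mapping. The CWE id is the common key
# that lets one tool's finding be matched with another's and rolled up to
# standards such as the OWASP Top 10 or CWE/SANS Top 25.
RULE_TO_CWE: Dict[Tuple[str, str], int] = {
    ("tool_a", "sql-concat"): 89,
    ("tool_b", "SQLI-001"): 89,
    ("tool_a", "xss-reflected"): 79,
    ("tool_b", "HARDCODED-PW"): 798,
}


@dataclass
class Finding:
    """One raw result as emitted by a single tool."""
    tool: str
    rule: str
    path: str
    line: int
    severity: str


@dataclass
class Correlated:
    """One weakness after merging the tools' reports of it."""
    cwe: int
    path: str
    line: int
    severity: int
    tools: List[str] = field(default_factory=list)
    rules: List[str] = field(default_factory=list)


def normalize(f: Finding) -> Tuple[int, int]:
    """Return (cwe, severity on the common 1-5 scale) for a raw finding."""
    sev = SEVERITY_MAP[f.tool][f.severity]
    # 0 marks a rule with no CWE mapping; it is kept but never merged across tools.
    cwe = RULE_TO_CWE.get((f.tool, f.rule), 0)
    return cwe, sev


def correlate(findings: List[Finding], line_tolerance: int = 2) -> List[Correlated]:
    """Merge findings that point at the same weakness.

    Two findings are treated as the same weakness when they share a CWE and a
    file and their reported lines lie within `line_tolerance` of each other
    (tools often attribute a flaw to slightly different lines). `line_tolerance`
    is the customizable part of the correlation logic. The merged record keeps
    the highest normalized severity and every tool that reported it.
    """
    merged: List[Correlated] = []
    for f in sorted(findings, key=lambda x: (x.path, x.line)):
        cwe, sev = normalize(f)
        target = None
        if cwe:
            for c in merged:
                if c.cwe == cwe and c.path == f.path and abs(c.line - f.line) <= line_tolerance:
                    target = c
                    break
        if target is None:
            target = Correlated(cwe, f.path, f.line, sev)
            merged.append(target)
        target.severity = max(target.severity, sev)
        if f.tool not in target.tools:
            target.tools.append(f.tool)
        target.rules.append(f"{f.tool}:{f.rule}")
    # Highest severity first; among equals, weaknesses confirmed by more tools first.
    merged.sort(key=lambda c: (-c.severity, -len(c.tools), c.path, c.line))
    return merged


# Constructed sample output from the two hypothetical tools.
SAMPLE: List[Finding] = [
    Finding("tool_a", "sql-concat", "src/Login.java", 42, "high"),
    Finding("tool_b", "SQLI-001", "src/Login.java", 43, "1"),  # same flaw, one line off
    Finding("tool_a", "xss-reflected", "src/Search.java", 17, "medium"),
    Finding("tool_b", "HARDCODED-PW", "src/Config.java", 5, "2"),
    Finding("tool_a", "sql-concat", "src/Report.java", 120, "high"),
]

if __name__ == "__main__":
    for c in correlate(SAMPLE):
        print(f"sev={c.severity} CWE-{c.cwe} {c.path}:{c.line} tools={c.tools} rules={c.rules}")
```

On the sample, the two reports of the SQL injection in `src/Login.java` collapse into one record with severity 5 and both tools listed, and it sorts above the single-tool findings; running `correlate(SAMPLE, line_tolerance=0)` keeps them as two separate records, which is the knob a team tunes when tools disagree about line attribution.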

“Code Dx is pretty easy to set up and has little administrative burden for the actual user. We got it up and running in about 10 minutes!”

Code Dx is designed to fit seamlessly into the SDLC. It integrates directly with the Eclipse and Visual Studio integrated development environments. If the source code to be analyzed is stored in Git, Code Dx connects to the Git repository to retrieve the code before running the SAST tools. Code Dx also checks third-party libraries for publicly known vulnerabilities that have not yet been patched in the version the application uses. A REST API and a Jenkins plugin allow build-server integration to support continuous assurance and DevOps practices. It also integrates with the JIRA bug tracker, with support for custom fields; JIRA is used by many development teams, so Code Dx findings fit naturally into the developer's workflow.

Stat! by Code Dx Features

Updates and Support

  • All upgrades and new Stat! releases are included with current subscriptions.
  • Future releases will expand the catalog of static source code analysis tools.
  • Email and telephone support are available during business hours.

Code Dx is a browser-based application installed locally; it runs on Windows, Macintosh and Linux and is used from any modern browser.

Your team can have Code Dx up and running and analyzing your code in minutes. Download a trial and check it out for yourself.
