Version 2.3 of Code Dx is now available. Here are some of the new features that we’ve added.

DISA STIG and HIPAA standards support

In this release, we’ve added two new standards to Code Dx Enterprise — DISA STIG (Defense Information Systems Agency Security Technical Implementation Guides) and HIPAA (Health Insurance Portability and Accountability Act). This is in addition to our previously supported standards, including OWASP Top 10, CWE/SANS Top 25, SEI CERT, PCI-DSS, CLASP, SFP, WASC, and 7PK.

HIPAA

As regulations and market pressures push health care entities toward electronic storage of patient records, ensuring the security and privacy of patient information is more important than ever. Although the HIPAA regulations are broad, many issues found by application security testing tools point to areas that may violate this standard, particularly sections §164.306, §164.308, and §164.312 in Subpart C. You can learn more about HIPAA compliance in our recent blog post. With this release of Code Dx, you can now see application security issues mapped to the various HIPAA regulations. This lets you find exactly which sections of your application are noncompliant. Here’s an example:


DISA STIG

DISA has released various STIGs to ensure the security of government systems. For software development, the pertinent document—the Application Security and Development Security Technical Implementation Guide—can be found here. Keep in mind that DISA has recently released a new version, 4.0. Code Dx supports both 4.0 and the previous version, 3.1. Users can now quickly filter the most serious CAT I findings or focus on certain areas of interest, such as Input Validation. Code Dx also provides bar charts that let you quickly identify the areas with the most issues. As shown below, the majority of the CAT I issues are related to input validation.


Sonatype Nexus support

Sonatype Nexus is a leading component lifecycle management (CLM) tool that analyzes your application’s open-source components for known vulnerabilities and license violations. This tool helps defend against A9 (Using Components with Known Vulnerabilities) in the OWASP Top 10, similar to Code Dx’s bundled OWASP Dependency-Check and Retire.js tools.

With Code Dx v2.3 Enterprise, users can automatically pull in their Sonatype Nexus data using Code Dx’s Tool Connectors. In the example below, the data will automatically be pulled from Sonatype Nexus into Code Dx every day at midnight.


Users can bring up Code Dx at any time to see the latest Sonatype Nexus results alongside their other testing activities, such as SAST or DAST tools or manual penetration testing issues. From there, you can use Code Dx to manage the findings. This includes triage, adding comments for developer remediation, generating reports, and creating JIRA issues.


Redesigned Project page

We’ve changed the way our Project List page looks and interacts. Prior versions had a separate button to take a look at findings. To simplify things, we’ve created a link that also tells you the number of findings for the project. We also added some more information, such as the time of the last analysis and a stacked bar chart showing a breakdown of finding severity.


PHP and Scala support

PHP is a very simple language used by many of the most popular content management systems (CMS) like WordPress, Drupal, and Joomla. In Code Dx v2.3, after countless requests, we’ve added two great PHP static source code analysis tools — PHP Mess Detector (PHPMD) and PHP_CodeSniffer (along with the PHPCS-Security Audit extension). In all, we’ve added 923 new quality and security rules with these tools, which cover PHP, CSS, and JavaScript.


In response to further requests, we’ve also added an additional Scala static analysis tool. Code Dx now detects Scala source code and runs the newly bundled Scalastyle static source code analysis tool, which includes 63 rules. Our existing OWASP Dependency-Check and FindBugs (including the Find Security Bugs plugin) tools will be used against Scala-based JVM bytecode as well.


Findings Page enhancements

We’ve made several enhancements to the Findings page in Code Dx with this new release.

First, we’ve made the filter area horizontally expandable. Just click the vertical line between the filter and table areas to expand. This was particularly important for some of the lengthier filters, like Codebase Location and Standards.


To further improve the readability of the filters, we now fold codebase location paths whose directories have only a single child. For example, below you can see how the package path “java/org/wasp/webgoat” has been collapsed into a single entry rather than the user having to keep clicking to navigate down through each child element.
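The folding behaviour described above is a standard tree-compaction step: walk the path tree and merge every directory that has exactly one child directory into its parent’s label. The following is an added illustration written for this post, not Code Dx code; the sample paths (including the “java/org/wasp/webgoat” package from the screenshot) are constructed, and the rule that a directory containing a single file is left unfolded is our own choice so that files always remain distinct leaf entries.

```python
"""Fold single-child directory chains in a codebase-location tree.

Added example, not Code Dx's implementation. SAMPLE_PATHS is constructed."""

# Constructed finding locations, as a static analysis tool would report them.
SAMPLE_PATHS = [
    "java/org/wasp/webgoat/Login.java",
    "java/org/wasp/webgoat/lessons/SqlInjection.java",
    "java/org/wasp/webgoat/lessons/Xss.java",
    "config/app.properties",
]


def build_tree(paths):
    """Turn slash-separated paths into nested dicts; a leaf file is an empty dict."""
    root = {}
    for path in paths:
        node = root
        for part in path.split("/"):
            node = node.setdefault(part, {})
    return root


def fold(tree):
    """Collapse chains of directories that have exactly one child directory.

    A directory whose only child is a file (empty dict) is not folded, so the
    file keeps its own entry under the directory name (assumption of this
    example, chosen to keep files visually distinct from package segments).
    """
    folded = {}
    for name, child in tree.items():
        label = name
        while len(child) == 1:
            (only_name, only_child), = child.items()
            if not only_child:  # single child is a file: stop folding here
                break
            label = f"{label}/{only_name}"
            child = only_child
        folded[label] = fold(child)
    return folded


def fold_paths(paths):
    """Convenience wrapper: build the tree and fold it in one call."""
    return fold(build_tree(paths))


if __name__ == "__main__":
    import json
    print(json.dumps(fold_paths(SAMPLE_PATHS), indent=2))
```

Running the block prints the top level as two entries, `java/org/wasp/webgoat` and `config`, with `Login.java` and `lessons` sitting directly under the folded package label.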

[Screenshot: codebase-location]

We’ve also added “Mitigated” as a new status option. This can be used when a finding isn’t truly fixed in code, but some mitigation has been put in place. For example, a virtual patch such as a web application firewall (WAF) rule may be applied, which mitigates a problem without actually resolving the underlying issue. Code Dx will also carry over mitigation status from tools that support it. This way, if a finding is marked as mitigated in the tool, that status is transferred into Code Dx without further action.


Another addition is a new way to search. In previous versions, users could search by location, CWE, or Finding ID. In version 2.3, users can now also search by rule or tool. The criteria can be any text found in the name or grouping of a rule or tool. For example, searching for “inject” by rule or tool can match rules like “SQL Injection,” and tools like “PMD / Security / Possible SQL Injection”.


Add AppSec context to your favorite SIEM

Many organizations have security information and event management (SIEM) systems in place that monitor for security intrusions in real time. These systems aggregate a wide collection of data, but typically focus on network and host logs. We think application security (AppSec) data can also be a valuable addition. Adding AppSec context to a SIEM allows an analyst to develop correlation logic. For example, “If you see SQL Injection attacks on a given host, and know that host is running an application that is vulnerable to SQL Injection, then elevate the risk of that attack since there is a known vulnerability.” This can help an analyst weed through the vast number of alerts to determine which ones pose the greatest threat.

With Code Dx v2.3 Enterprise, users can now export their application security data in the Nessus file format, which can be imported by most SIEMs. Here’s an example of the Code Dx exported data displayed in AlienVault:
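To make the correlation idea from the previous section concrete, here is an added, self-contained example (written for this post, not Code Dx’s exporter or any SIEM’s code) that covers both halves: it serializes a few constructed AppSec findings into the Nessus v2 XML layout that SIEMs import, reads that document back into a per-host set of CWEs, and then raises the priority of constructed SIEM alert lines whose attack signature matches a known weakness on the targeted host. The element names follow the public `.nessus` v2 structure (`NessusClientData_v2`, `Report`, `ReportHost`, `ReportItem`, `cwe`); the plugin IDs, the signature-to-CWE mapping, the hosts and the alert log format are all assumptions of this example.

```python
"""Correlate AppSec findings with SIEM alerts through a Nessus-style export.

Added example, not Code Dx code. XML layout follows the Nessus v2 structure;
all findings, alert lines, hosts and plugin IDs are constructed."""
import xml.etree.ElementTree as ET

# Constructed AppSec findings, one row per (host, weakness). Severity uses the
# Nessus 0-4 scale. Hosts are documentation addresses (RFC 5737 / private).
FINDINGS = [
    {"host": "10.0.0.5", "name": "SQL Injection", "cwe": 89, "severity": 3},
    {"host": "10.0.0.5", "name": "Cross-Site Scripting", "cwe": 79, "severity": 2},
    {"host": "10.0.0.7", "name": "Path Traversal", "cwe": 22, "severity": 3},
]

# Constructed mapping from a SIEM's attack signature names to CWE identifiers.
ATTACK_TO_CWE = {
    "SQL_INJECTION_ATTEMPT": 89,
    "XSS_ATTEMPT": 79,
    "DIR_TRAVERSAL_ATTEMPT": 22,
}

# Constructed SIEM alert lines in a simple key=value format.
ALERTS = [
    "2016-03-01T10:02:11Z host=10.0.0.5 sig=SQL_INJECTION_ATTEMPT src=203.0.113.9",
    "2016-03-01T10:02:15Z host=10.0.0.7 sig=SQL_INJECTION_ATTEMPT src=203.0.113.9",
    "2016-03-01T10:03:40Z host=10.0.0.7 sig=DIR_TRAVERSAL_ATTEMPT src=198.51.100.4",
    "2016-03-01T10:04:02Z host=10.0.0.9 sig=XSS_ATTEMPT src=198.51.100.4",
]


def findings_to_nessus(findings, report_name="appsec-export"):
    """Serialize findings into a Nessus v2 style document (as a string)."""
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report", name=report_name)
    for host in sorted({f["host"] for f in findings}):
        report_host = ET.SubElement(report, "ReportHost", name=host)
        props = ET.SubElement(report_host, "HostProperties")
        ET.SubElement(props, "tag", name="host-ip").text = host
        for f in (x for x in findings if x["host"] == host):
            # pluginID is a constructed value here; real Nessus IDs are numeric.
            item = ET.SubElement(
                report_host, "ReportItem", port="0", svc_name="general",
                protocol="tcp", severity=str(f["severity"]),
                pluginID=f"90000{f['cwe']}", pluginName=f["name"],
                pluginFamily="Application Security")
            ET.SubElement(item, "cwe").text = str(f["cwe"])
            ET.SubElement(item, "description").text = f["name"]
    return ET.tostring(root, encoding="unicode")


def vulnerable_cwes_by_host(nessus_xml):
    """Parse a Nessus v2 document into {host: {cwe, ...}} for quick lookup."""
    by_host = {}
    root = ET.fromstring(nessus_xml)
    for report_host in root.iter("ReportHost"):
        cwes = set()
        for item in report_host.iter("ReportItem"):
            cwe = item.findtext("cwe")
            if cwe:
                cwes.add(int(cwe))
        by_host[report_host.get("name")] = cwes
    return by_host


def parse_alert(line):
    """Split 'timestamp key=value ...' into a dict (constructed log format)."""
    timestamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = timestamp
    return fields


def correlate(alert_lines, vuln_by_host):
    """Mark an alert high priority when its signature maps to a CWE that the
    AppSec export reports on the same host; otherwise keep normal priority."""
    results = []
    for line in alert_lines:
        alert = parse_alert(line)
        cwe = ATTACK_TO_CWE.get(alert["sig"])
        known_weakness = cwe is not None and cwe in vuln_by_host.get(alert["host"], set())
        results.append({
            "ts": alert["ts"], "host": alert["host"], "sig": alert["sig"],
            "src": alert["src"], "cwe": cwe,
            "priority": "high" if known_weakness else "normal",
        })
    return results


if __name__ == "__main__":
    context = vulnerable_cwes_by_host(findings_to_nessus(FINDINGS))
    for r in correlate(ALERTS, context):
        print(f"{r['ts']} {r['host']:<9} {r['sig']:<22} {r['priority']}")
```

Of the four constructed alerts, only the SQL Injection attempt against 10.0.0.5 and the traversal attempt against 10.0.0.7 land on hosts whose export lists the matching CWE, so those two are raised to high priority while the other two keep their normal priority. In a real deployment the `ATTACK_TO_CWE` table would be built from the SIEM’s own signature catalogue, and the export would be re-imported on the same schedule as the Code Dx analyses so the host context does not go stale.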


Check it out!

The Code Dx team hopes you will find these new features useful. A full list of changes can be found here. Don’t hesitate to contact us with your questions and comments. We appreciate feedback, and look forward to hearing from you.

If you haven’t used Code Dx yet, then download your free 30-day trial version today.