Who uses Code Dx?
Software security, also known as software assurance, is the responsibility of many people across multiple departments in an organization. During the Software Development Life Cycle (SDLC) there are many potential users of Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools and manual application security testing techniques, and all of them are potential users of the software vulnerability management capabilities of Code Dx.
Chief Information Security Officers (CISOs) know that software security is vital to the company's overall security strategy, so they have to ensure that the company devotes appropriate time and resources to testing the software built within the organization. At the same time, CISOs increasingly require proof that their software suppliers perform the same kind of security testing. Organizations whose security analysts already use a commercial application security testing tool such as HP Fortify or IBM AppScan use Code Dx for three major reasons. First, Code Dx is affordable enough to put on every developer's desk, and security analysts further along the SDLC can then add the results of more expensive commercial tools to the same project. Second, Code Dx combines the results of many application security testing tools with manual testing results and analyzes third-party software components, improving overall vulnerability coverage. Third, Code Dx provides a centralized console that streamlines software vulnerability management by giving a consolidated view of the results of all software security tests conducted within the company. During consolidation, Code Dx removes duplicate findings, prioritizes each vulnerability for remediation, and flags any finding that was marked as a false positive in a prior analysis. Weaknesses can then be assigned to specific developers for remediation, which gives an easy-to-understand view of the software's security status across the entire enterprise. The same information can be used to improve developers' secure coding skills and so reduce the number of vulnerabilities built into future applications.
Software developers can use the SAST tools bundled with Code Dx to scan code throughout the SDLC, when vulnerabilities are much cheaper to fix because they are found right after they are introduced. Code Dx also integrates with developers' Integrated Development Environments (IDEs) and issue trackers, which makes it easy to fit Code Dx into their regular workflow. This supports the continuous assurance and DevOps practices that many organizations have in place today, because new code can be scanned for vulnerabilities at each iteration. Code Dx also automatically assesses the vulnerability status of the third-party software components that many developers incorporate into their applications.
Software testers can use Code Dx to test for vulnerabilities and quality at the same time, expanding their testing capabilities and helping them meet the enormous pressure to finish applications quickly. Because testers see each application as a whole, testing can be tailored to each type of application to deliver more resilient software.
Software development managers can use the Code Dx application vulnerability correlation and management system to consolidate all testing results into one centralized console and to assign remediation duties from it. This makes it much easier to track and manage remediation across the entire enterprise, so managers can plan the use of in-house resources more effectively and have the information they need to make decisions early enough to meet multiple deadlines.
Security analysts can use Code Dx to check for weaknesses before an application is deployed, when vulnerabilities are less expensive to fix and pose less risk to the organization. Combining SAST, DAST and manual testing results from both open source and commercial tools into one consolidated set of results, with the most severe vulnerabilities already identified, broadens vulnerability coverage and speeds up decisions about which vulnerabilities to fix first. Industry benchmark tests show that the average tool finds only 14 percent of the vulnerabilities in source code, which is why multiple tools and techniques must be combined to make testing more comprehensive. Done by hand, that combination makes application security testing slow and tedious. Code Dx combines the results of SAST, DAST and manual analyses for you and identifies the vulnerabilities considered most severe according to industry standards such as the OWASP Top Ten or the CWE/SANS Top 25. By comparing SAST and DAST results, the security analyst can also determine which weaknesses in the source code are actually reachable by an attacker, and those clearly have to be addressed first. And because Code Dx is integrated into the developer's workflow, the analyst can point developers to the type of vulnerability, the specific line(s) of code where the problem exists, and remediation guidance.
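To make the correlation steps above concrete, here is an added example that is not Code Dx's own code: a minimal pass that merges findings from several scanners, collapses duplicates reported by more than one SAST tool, carries forward false-positive marks from an earlier triage, marks a source-level weakness as reachable when a DAST finding with the same CWE hit one of the routes that lead to that code, and orders the result for remediation. The tool names, file paths, routes, the route-to-code mapping and the short list of priority CWE IDs standing in for a Top Ten / Top 25 mapping are all assumptions constructed for illustration.

```python
"""Added example, not Code Dx's own code: a minimal correlation pass over
findings from several application security testing tools. Tool names,
file paths, routes and the CWE numbers in the sample data are constructed
for illustration."""
from dataclasses import dataclass

# Assumption: a small hand-picked set of CWE IDs standing in for a
# "top" list such as the OWASP Top Ten or CWE/SANS Top 25 mapping.
PRIORITY_CWES = {22, 78, 79, 89}

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "suppressed": 3}


@dataclass(frozen=True)
class Finding:
    tool: str            # scanner that reported it
    kind: str            # "sast" (source location) or "dast" (exercised URL)
    cwe: int
    file: str = ""
    line: int = 0
    url: str = ""
    routes: tuple = ()   # SAST only: URL routes believed to reach this code (assumed)


def dedup_key(f):
    """Two reports of the same weakness at the same place are one finding."""
    if f.kind == "sast":
        return ("sast", f.cwe, f.file, f.line)
    return ("dast", f.cwe, f.url)


def correlate(findings, known_false_positives=frozenset()):
    """Merge, dedupe, carry forward prior false-positive marks, and mark
    SAST findings as reachable when a DAST finding with the same CWE hit
    one of their routes. Returns {dedup_key: entry}."""
    merged = {}
    for f in findings:
        k = dedup_key(f)
        e = merged.setdefault(k, {"kind": f.kind, "cwe": f.cwe, "file": f.file,
                                  "line": f.line, "url": f.url, "tools": set(),
                                  "routes": set()})
        e["tools"].add(f.tool)          # remember every tool that agrees
        e["routes"].update(f.routes)

    # (cwe, url) pairs that DAST actually exercised from the outside
    dast_hits = {(e["cwe"], e["url"]) for e in merged.values() if e["kind"] == "dast"}
    for k, e in merged.items():
        e["false_positive"] = k in known_false_positives
        if e["kind"] == "dast":
            e["reachable"] = True       # observed from the outside
        else:
            e["reachable"] = any((e["cwe"], r) in dast_hits for r in e["routes"])
        if e["false_positive"]:
            e["priority"] = "suppressed"
        elif e["reachable"] and e["cwe"] in PRIORITY_CWES:
            e["priority"] = "critical"
        elif e["reachable"] or e["cwe"] in PRIORITY_CWES:
            e["priority"] = "high"
        else:
            e["priority"] = "medium"
    return merged


def work_queue(merged):
    """Entries ordered for remediation: most severe first, suppressed last."""
    return sorted(merged.values(),
                  key=lambda e: (PRIORITY_RANK[e["priority"]], e["cwe"], e["file"], e["url"]))


# Constructed sample input: two SAST tools report the same SQL injection,
# one XSS has no DAST confirmation, one null dereference was triaged as a
# false positive last time, and the DAST tool confirms the injection.
SAMPLE = [
    Finding("sast-a", "sast", 89, file="app/db.py", line=42, routes=("/search",)),
    Finding("sast-b", "sast", 89, file="app/db.py", line=42, routes=("/search",)),
    Finding("sast-a", "sast", 79, file="app/views.py", line=10, routes=("/profile",)),
    Finding("sast-a", "sast", 476, file="app/util.py", line=7),
    Finding("dast-c", "dast", 89, url="/search"),
    Finding("dast-c", "dast", 200, url="/debug"),
]
PRIOR_FALSE_POSITIVES = frozenset({("sast", 476, "app/util.py", 7)})

if __name__ == "__main__":
    for e in work_queue(correlate(SAMPLE, PRIOR_FALSE_POSITIVES)):
        where = f"{e['file']}:{e['line']}" if e["kind"] == "sast" else e["url"]
        print(f"{e['priority']:10} CWE-{e['cwe']:<4} {where:20} "
              f"tools={sorted(e['tools'])} reachable={e['reachable']}")
```

On the constructed sample this yields five entries from six raw findings: the SQL injection at app/db.py:42 is credited to both SAST tools and, because the DAST tool hit the same CWE on /search, is marked reachable and critical; the XSS stays high (on the priority list but unconfirmed); the previously triaged null dereference is carried forward as suppressed rather than reopened.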
Security auditors can use Code Dx to see how weaknesses in applications map to industry standards such as the OWASP Top Ten or the CWE/SANS Top 25. In an upcoming version of Code Dx, auditors will also be able to find evidence of software vulnerabilities associated with violations of compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
Educators can use Code Dx to teach secure coding practices through our special program, which offers free educational versions of Code Dx to qualified educational and training organizations. Writing secure applications has become a critical skill, and universities are changing their curricula to teach it. Code Dx provides a platform for seeing the results of what each student developer is working on and using them to improve the student's secure coding skills.