Find, prioritize, and manage source code flaws and vulnerabilities · 2017-02-07 · Easy static source code security and quality analysis

Post on 05-Oct-2020


Easy static source code security and quality analysis, from Code Dx

Find, prioritize, and manage source code flaws and vulnerabilities, quickly and affordably

KEY BENEFITS

We do the hard work for you
- Automatically installs, configures, and runs a variety of open source tools
- Supports many programming languages, and chooses the right tool for each language
- Combines diverse tool results into a single, coherent report
- Determines the vulnerability status of the third-party libraries that you use

Analysis tools help you focus
- Identifies the most critical vulnerabilities based on industry standards
- Visual analytics help you rapidly triage and prioritize software flaws and vulnerabilities
- De-duplicates results, so you don't waste time analyzing things twice

Increases the efficiency of your remediation
- Takes you directly to the specific lines of code where vulnerabilities exist, and identifies neighboring flaws and vulnerabilities
- Provides a seamless interface to assign vulnerabilities for remediation
- Tracks remediation progress

Enhances collaboration among your teams
- Security and development teams have a shared tool to communicate findings and discuss remediation

Works within your development process
- Developers can view and manage vulnerabilities directly from within their integrated development environments (IDEs)
- Fits into continuous integration environments, giving you continuous security assessment
- Integrates with version control systems and issue tracking systems

Easy to get started
- Fast and easy installation: be up and running in 10 minutes
- Automatically installs, configures, and runs bundled open source SAST tools
- Affordably priced

Who finds Stat! useful?
- Software Developers
- Security Analysts
- Software Testers
- Quality Assurance Analysts

How do they use it?
- Secure software development
- Security & Quality Assurance reviews
- Verification & Accreditation support
- Code audits
- Pre-procurement software evaluations

Stat!, from Code Dx, helps you find, analyze, and prioritize flaws and security vulnerabilities in the code you write, in the many languages you use, quickly, easily, and inexpensively. Stat! installs, configures, and runs a growing portfolio of open source code-quality and static application security testing (SAST) tools against your code, and combines their findings into a single unified report. Its Vulnerability Analysis and Management console guides inspection and assessment of those flaws and vulnerabilities, while collaboration features and development tool integrations help manage their remediation. Make your code healthy and secure, with Stat!

THE PROBLEM

Over 90% of computer security incidents are due to quality flaws and security vulnerabilities in your own software. These can render your business vulnerable to attacks, things like SQL injection or cross-site scripting, leading to theft, loss or corruption of data (and reputation), and worse. SAST tools can help you find these flaws and vulnerabilities at the most basic level: in your source code. But no single tool covers all programming languages or finds every issue. You have to run multiple tools, then correlate the results. Commercial tools are typically costly, and while open source tools are "free," they still require considerable time and effort to configure and run. Correlation is tedious, at best, and it's nearly impossible to manage multiple analysis tools without help.

THE SOLUTION

Stat! installs, configures, and runs a suite of multi-language open source SAST tools against your code, and automatically correlates the flaws and vulnerabilities they find into a single consolidated set. Just feed your code into Stat! and it identifies the languages you use, selects and runs tools for each language, correlates the findings, and gives a single report. It even determines the vulnerability status of third-party libraries your code uses. With its interactive Vulnerability Analysis and Management console, Stat! lets those many tools work together as a single, unified code analysis and vulnerability management platform.

FACT SHEET

FEATURE: DETAILS
Operating system support: Windows (7, 8, 10 & Server 2012 R2+); Mac OS X 10.8+; Linux (Ubuntu, Fedora, Debian, RHEL, and CentOS)
Language support: C/C++, C#, VB.NET, Java, JavaScript, JSP, PHP, Python, Ruby, Scala
IDE support: MS Visual Studio, Eclipse
Issue tracking support: JIRA
Continuous integration support: Jenkins, REST API
Version control system support: Git
Third-party software library checkers: OWASP Dependency-Check, Retire.js
Free & open source SAST tool support: Brakeman, CAT.NET, PHPMD, PHP_CodeSniffer, CheckStyle, CppCheck, FindBugs, FxCop, Gendarme, JSHint, PMD, Pylint, ScalaStyle

Get your application security program started, STAT!

Stat! gives you the power to start writing secure applications quickly, efficiently, and inexpensively. Launch the installer, and within ten minutes you'll be ready to start analyzing your code. Then just load all of your source code into Stat! and it will figure out what programming languages you use, automatically select and run the appropriate tools for finding flaws and vulnerabilities in those languages, review your third-party libraries for known vulnerability state, then correlate and combine those varied results into a single, unified report on the security and quality of your code.

The included analysis tools will help you quickly prioritize the reported problems, and its integration with software development lifecycle (SDLC) tools lets you assign them for remediation and collaborate with the developers who are making the fixes. Stat! can even become part of your continuous integration process.

Specifications

Code Dx Stat! can be installed locally on a developer's workstation, or on a server for group collaboration. To give you the greatest flexibility, Stat! runs on Windows, Linux, and Mac OS, and supports all modern browsers.

About Code Dx, Inc.

Code Dx is committed to making security part of the software development process, regardless of organization size. Our family of products grew from research funded by the Department of Homeland Security Science & Technology (DHS S&T) Directorate, an organization dedicated to securing the nation's software supply chain.

Code Dx is proud to be a part of the DHS S&T Software Assurance Marketplace (SWAMP), a collaborative marketplace for continuous software assurance.

LEARN MORE

Learn more about Stat!, download an evaluation, or purchase the product by visiting our website. Explore other products, including Code Dx Enterprise, a comprehensive platform for application vulnerability correlation and management. Enterprise supports commercial and open source tools, both SAST (with all the features of Stat!) and dynamic (DAST) tools, compliance standard mapping, and much more.

6 Bayview Avenue, Northport, NY 11768-1502 · www.codedx.com · 631.759.3933 · info@codedx.com

KEY FEATURES
- Covers multiple programming languages, with over 1,500 configurable security and quality rules
- Automatically installs, configures, and runs many static code analysis tools
- Checks third-party software component libraries for known vulnerabilities
- Maps results to the Common Weakness Enumeration (CWE) and industry standards, including OWASP Top 10 and SANS Top 25
- Combines and normalizes output of multiple SAST tools and third-party vulnerability scanners into a single set of results using common nomenclature and a common severity scale
- Merges duplicate results with customizable correlation logic
- Aids triage and prioritization of findings with visual analysis
- Filters findings for high-level views with detailed drill-down; organizes findings
- Links correlated flaws and vulnerabilities to specific lines of source code
- Manages remediation with tools to assign, track, and collaborate on fixes; integrates with the popular JIRA issue tracker to automatically create tickets
- Integrates with popular development tools (Eclipse/Visual Studio) to put findings into the hands of developers who can fix them
- Integrates with the Git version control system for easy access to your code, and its history
- Embeds in the Jenkins continuous integration environment to build security into your process; enables integration to other build servers with its REST API
- Generates CSV, XML, and PDF assessment reports
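The core of what THE SOLUTION section and the "combines and normalizes" / "merges duplicate results" features describe is a normalize-then-correlate step: each tool's findings are mapped onto a common schema and severity scale, then findings that point at the same weakness in the same place are merged into one record that remembers which tools reported it. The script below is an added illustration of that step, written for this page; it is not Code Dx Stat! code and does not use the real Brakeman or Cppcheck report formats. The two input shapes (a JSON "warnings" list and an XML "results" element), the tool names, the severity vocabularies and the CWE numbers are all constructed for the example.

```python
"""Normalize and correlate findings from several SAST tools into one result set.

Added illustration for this page, not Code Dx Stat! code. The two input formats
are constructed for the example and are not the real Brakeman or Cppcheck schemas.
"""
import csv
import io
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Common severity scale every finding is mapped onto (this example's own scale).
COMMON_SEVERITY = {"high": 3, "medium": 2, "low": 1, "info": 0}

# Tool-specific severity vocabularies -> common scale (constructed mappings).
SEVERITY_MAP = {
    "ruby-scanner": {"High": "high", "Medium": "medium", "Weak": "low"},
    "c-scanner": {"error": "high", "warning": "medium", "style": "low"},
    "c-linter": {"error": "high", "warning": "medium", "style": "low"},
}


@dataclass
class Finding:
    file: str
    line: int
    cwe: int
    severity: str                      # value on the common scale
    message: str
    tools: set = field(default_factory=set)

    def key(self):
        """Correlation key: same file, line and CWE means the same underlying flaw."""
        return (self.file, self.line, self.cwe)


def parse_ruby_json(tool, text):
    """Parse a JSON report of the constructed shape {"warnings": [{...}]}."""
    sev = SEVERITY_MAP[tool]
    return [
        Finding(w["file"], int(w["line"]), int(w["cwe"]),
                sev[w["confidence"]], w["message"], {tool})
        for w in json.loads(text)["warnings"]
    ]


def parse_c_xml(tool, text):
    """Parse an XML report of the constructed shape <results><error .../></results>."""
    sev = SEVERITY_MAP[tool]
    return [
        Finding(e.get("file"), int(e.get("line")), int(e.get("cwe")),
                sev[e.get("severity")], e.get("msg"), {tool})
        for e in ET.fromstring(text).iter("error")
    ]


def correlate(findings):
    """Merge findings that share a correlation key; keep the highest severity seen."""
    merged = {}
    for f in findings:
        m = merged.get(f.key())
        if m is None:
            merged[f.key()] = f
            continue
        m.tools |= f.tools                      # remember every tool that agreed
        if COMMON_SEVERITY[f.severity] > COMMON_SEVERITY[m.severity]:
            m.severity, m.message = f.severity, f.message
    # Most severe first, then by location, so triage starts at the top of the list.
    return sorted(merged.values(),
                  key=lambda f: (-COMMON_SEVERITY[f.severity], f.file, f.line))


def to_csv(findings):
    """Render the unified result set as CSV, one row per correlated finding."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["severity", "cwe", "file", "line", "tools", "message"])
    for f in findings:
        w.writerow([f.severity, f"CWE-{f.cwe}", f.file, f.line,
                    "+".join(sorted(f.tools)), f.message])
    return buf.getvalue()


# Constructed sample reports (not real tool output).
RUBY_REPORT = json.dumps({"warnings": [
    {"file": "app/models/user.rb", "line": 42, "cwe": 89, "confidence": "High",
     "message": "Possible SQL injection in User.find_by_sql"},
    {"file": "app/views/users/show.html.erb", "line": 10, "cwe": 79,
     "confidence": "Medium", "message": "Unescaped model attribute"},
]})
C_SCANNER_REPORT = """<results>
  <error file="src/net.c" line="120" cwe="120" severity="error" msg="Buffer overflow: strcpy into fixed-size buffer"/>
  <error file="src/net.c" line="88" cwe="476" severity="warning" msg="Possible null pointer dereference of conn"/>
</results>"""
C_LINTER_REPORT = """<results>
  <error file="src/net.c" line="120" cwe="120" severity="warning" msg="Unbounded string copy"/>
</results>"""


def run_example():
    """Run all three constructed reports through the pipeline; 5 raw findings become 4."""
    raw = (parse_ruby_json("ruby-scanner", RUBY_REPORT)
           + parse_c_xml("c-scanner", C_SCANNER_REPORT)
           + parse_c_xml("c-linter", C_LINTER_REPORT))
    return correlate(raw)


if __name__ == "__main__":
    print(to_csv(run_example()))
```

The correlation key here is deliberately strict (exact file, line and CWE); a real aggregator has to decide how much fuzziness to allow, for instance a line-offset tolerance or a mapping between tools that name the same weakness with different CWE IDs, which is what "customizable correlation logic" has to cover. Keeping the set of reporting tools on each merged finding is also useful for triage: a flaw two independent analyzers agree on is less likely to be a false positive.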
