Easy static source code security and quality analysis, from Code Dx
Find, prioritize, and manage source code flaws and vulnerabilities, quickly and affordably
KEY BENEFITS

We do the hard work for you
• Automatically installs, configures, and runs a variety of open source tools
• Supports many programming languages, and chooses the right tool for each language
• Combines diverse tool results into a single, coherent report
• Determines vulnerability status of the third-party libraries that you use

Analysis tools help you focus
• Identifies the most-critical vulnerabilities based on industry standards
• Visual analytics help you rapidly triage and prioritize software flaws and vulnerabilities
• De-duplicates results, so you don’t waste time analyzing things twice

Increases efficiency of your remediation
• Takes you directly to specific lines of code where vulnerabilities exist, and identifies neighboring flaws and vulnerabilities
• Provides a seamless interface to assign vulnerabilities for remediation
• Tracks remediation progress

Enhances collaboration among your teams
• Security and development teams have a shared tool to communicate findings and discuss remediation

Works within your development process
• Developers can view and manage vulnerabilities directly from within their integrated development environments (IDEs)
• Fits into continuous integration environments, giving you continuous security assessment
• Integrates with version control systems and issue tracking systems

Easy to get started
• Fast and easy installation—be up and running in 10 minutes
• Automatically installs, configures, and runs bundled open source SAST tools
• Affordably priced

Who finds Stat! useful?
• Software Developers
• Security Analysts
• Software Testers
• Quality Assurance Analysts

How do they use it?
• Secure software development
• Security & Quality Assurance reviews
• Verification & Accreditation support
• Code audits
• Pre-procurement software evaluations
Stat!, from Code Dx, helps you find, analyze, and prioritize flaws and security vulnerabilities in the code you write—in the many languages you use—quickly, easily, and inexpensively. Stat! installs, configures, and runs a growing portfolio of open source code-quality and static application security testing (SAST) tools against your code, and combines their findings into a single unified report. Its Vulnerability Analysis and Management console guides inspection and assessment of those flaws and vulnerabilities, while collaboration features and development tool integrations help manage their remediation. Make your code healthy and secure, with Stat!
THE PROBLEM

Over 90% of computer security incidents are due to quality flaws and security vulnerabilities in your own software. These can render your business vulnerable to attacks—things like SQL injection, or cross-site scripting—leading to theft, loss or corruption of data (and reputation), and worse. SAST tools can help you find these flaws and vulnerabilities at the most basic level: in your source code. But no single tool covers all programming languages or finds every issue. You have to run multiple tools, then correlate the results. Commercial tools are typically costly, and while open source tools are “free,” they still require considerable time and effort to configure and run. Correlation is tedious, at best, and it’s nearly impossible to manage multiple analysis tools without help.
THE SOLUTION

Stat! installs, configures, and runs a suite of multi-language open source SAST tools against your code, and automatically correlates the flaws and vulnerabilities they find into a single consolidated set. Just feed your code into Stat! and it identifies the languages you use, selects and runs tools for each language, correlates the findings, and gives a single report. It even determines the vulnerability status of third-party libraries your code uses. With its interactive Vulnerability Analysis and Management console, Stat! lets those many tools work together as a single, unified code analysis and vulnerability management platform.
FACT SHEET

FEATURE DETAILS
Operating system support: Windows (7, 8, 10 & Server 2012 R2+); Mac OS X 10.8+; Linux (Ubuntu, Fedora, Debian, RHEL, and CentOS)
Language support: C/C++, C#, VB.NET, Java, JavaScript, JSP, PHP, Python, Ruby, Scala
IDE support: MS Visual Studio, Eclipse
Issue tracking support: JIRA
Continuous integration support: Jenkins, REST API
Version control system support: Git
Third-party software library checkers: OWASP Dependency-Check, Retire.js
Free & open source SAST tool support: Brakeman, CAT.NET, PHPMD, PHP_CodeSniffer, CheckStyle, CppCheck, FindBugs, FxCop, Gendarme, JSHint, PMD, Pylint, ScalaStyle
Get your application security program started, STAT!

Stat! gives you the power to start writing secure applications quickly, efficiently, and inexpensively. Launch the installer, and within ten minutes you’ll be ready to start analyzing your code. Then just load all of your source code into Stat! and it will figure out what programming languages you use, automatically select and run the appropriate tools for finding flaws and vulnerabilities in those languages, review your third-party libraries for known vulnerability state, then correlate and combine those varied results into a single, unified report on the security and quality of your code.

The included analysis tools will help you quickly prioritize the reported problems, and its integration with software development lifecycle (SDLC) tools lets you assign them for remediation and collaborate with the developers who are making the fixes. Stat! can even become part of your continuous integration process.
Specifications

Code Dx Stat! can be installed locally on a developer’s workstation, or on a server for group collaboration. To give you the greatest flexibility, Stat! runs on Windows, Linux, and Mac OS, and supports all modern browsers.
About Code Dx, Inc.

Code Dx is committed to making security part of the software development process, regardless of organization size. Our family of products grew from research funded by the Department of Homeland Security Science & Technology (DHS S&T) Directorate, an organization dedicated to securing the nation’s software supply chain.

Code Dx is proud to be a part of the DHS S&T Software Assurance Marketplace (SWAMP), a collaborative marketplace for continuous software assurance.
LEARN MORE

Learn more about Stat!, download an evaluation, or purchase the product by visiting our website. Explore other products, including Code Dx Enterprise — a comprehensive platform for application vulnerability correlation and management. Enterprise supports commercial and open source tools, both SAST (with all the features of Stat!) and dynamic (DAST) tools, compliance standard mapping, and much more.
6 Bayview Avenue, Northport, NY 11768-1502 • www.codedx.com • 631.759.3933 • [email protected]
KEY FEATURES
• Covers multiple programming languages, with over 1,500 configurable security and quality rules
• Automatically installs, configures, and runs many static code analysis tools
• Checks third-party software component libraries for known vulnerabilities
• Maps results to the Common Weakness Enumeration (CWE) and industry standards, including OWASP Top 10 and SANS Top 25
• Combines and normalizes output of multiple SAST tools and third-party vulnerability scanners into a single set of results using common nomenclature and a common severity scale
• Merges duplicate results with customizable correlation logic
• Aids triage and prioritization of findings with visual analysis
• Filters findings for high-level views with detailed drill-down; organizes findings
• Links correlated flaws and vulnerabilities to specific lines of source code
• Manages remediation with tools to assign, track, and collaborate on fixes; integrates with the popular JIRA issue tracker to automatically create tickets
• Integrates with popular development tools (Eclipse/Visual Studio) to put findings into the hands of developers who can fix them
• Integrates with the Git version control system for easy access to your code, and its history
• Embeds in the Jenkins continuous integration environment to build security into your process; enables integration to other build servers with its REST API
• Generates CSV, XML, and PDF assessment reports