More than 90% of computer security incidents can be traced back to weaknesses in software that were inadvertently put there when the code was developed. Attackers can – and very often do – find and exploit such weaknesses as a means to attack your enterprise applications.
Before you ship or procure another software application, you need to assess if weaknesses in its source code put your enterprise at risk. Static application security testing (SAST) tools are commonly used to find those exploitable weaknesses, so you can fix them before they become vulnerabilities. SAST tools are complex, difficult to use, and don’t work well together; Code Dx makes those tools more effective. What many do not know is that SAST tools are specialized, and each tends to focus on just a subset of the universe of possible weaknesses; they fail to report a significant portion of weaknesses in the code they analyze. The Center for Assured Software’s 2010 benchmarking study revealed that the average SAST tool covers only 8 of 13 weakness classes, and finds only 22% of the flaws in each weakness class. So your average SAST tool is likely to find only 14% of the vulnerabilities in your code. The interesting aspect of this is that each tool tends to find different classes of weaknesses: there is little overlap between the results of different tools.
Therefore, secure coding best practices call for running multiple SAST tools against a code base and combining the results for optimal coverage. The problem is that the tools are not at all coordinated: each produces its reports of weaknesses using different naming conventions and severity ratings, so it is really difficult to combine and compare the vulnerabilities found by multiple tools.
Secure Decisions’ Code Dx Software Assurance (SwA) Visual Analysis Tool visualizes and correlates weaknesses in software. It increases coverage and confidence in the results of multiple tools; facilitates vulnerability prioritization based on code context; provides developer traceability and trends analysis for process improvement; and integrates with the Software Development Life Cycle (SDLC) for quick and effective remediation.
Software Assurance Visual Analysis Tool
Secure Decisions’ Code Dx Visual Analysis Tool visualizes and correlates weakness data from disparate code analysis tools, putting them into the proper context for effective triage and mitigation. The tool is aligned with the emerging concept of a vendor-agnostic Software Assurance ecosystem. Software weakness findings from a variety of tools and development environments are reported in a standardized form, shielding the user from product-specific idiosyncrasies and semantic differences. The Visual Analysis Tool’s multi-faceted visualizations provide investigative flexibility to pinpoint high-priority problem areas within the analyzed codebases. SDLC integration is automated to augment the analysis with weakness traceability and to speed up remediation significantly by automating issue creation and tracking. By interfacing with existing SwA analysis tools on one end and with SDLC tools on the other, the tool bridges SwA analysis to the SDLC, streamlining the analysis process, maximizing analysis and remediation effectiveness, and improving software robustness and trustworthiness.
Code Dx Standard Edition (SE)
Code Dx Standard Edition (SE) is a software vulnerability management system focused on static analysis of source code. It offers a suite of preconfigured open source static analysis tools that it runs automatically against a code base. Code Dx analyzes source code that has been fed into it, selects the appropriate static analysis tool(s) for the languages in which the code is written, and maps the results onto the Common Weakness Enumeration (CWE) for the user. If multiple tools are run, Code Dx normalizes the disparate results onto a common severity scale and removes redundant results. It also reports on the vulnerability status of third-party libraries included in the code base. Code Dx provides a visual user interface to make it easy and quick to triage and filter vulnerabilities so that users can find and fix the highest priority weaknesses first. All the vulnerabilities are mapped to industry standards—such as OWASP Top 10, CWE/SANS Top 25, CERT Java and C/C++ Coding Standards, Web Application Security Consortium (WASC)—to guide the prioritization and remediation process. Code Dx also supports the assignment and tracking of vulnerabilities to be fixed, and offers remediation guidance through the developer’s Integrated Development Environment (IDE) and through integration with the JIRA issue tracking system. To learn more visit www.CodeDx.com.
Code Dx Enterprise Edition (EE)
Code Dx Enterprise Edition (EE) is a software vulnerability management system that consolidates the vulnerabilities found through static source code analysis, dynamic penetration testing, third-party library assessment and manual code review. It includes all the features of Code Dx SE, and also works seamlessly to combine, normalize and remove redundant vulnerabilities found using a wide variety of static and dynamic application testing tools (both commercial and open source) as well as manual analyses. In addition to mapping vulnerabilities to industry standards, future releases of Code Dx EE will identify those vulnerabilities associated with potential violations of regulatory compliance standards, such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) or the Payment Card Industry Data Security Standard (PCI DSS). The correlation, normalization and de-duplication of results from multiple tools produces a consolidated set of results, with greater coverage of potential vulnerabilities and a better assessment of overall software security risk. To learn more visit www.CodeDx.com.
Code Dx has been named a leader in cyber security software. Check out the many awards it has received in the software vulnerability management category.
Frequently Asked Questions
- ›What open source static code analysis tools does Code Dx Standard (and Enterprise) Edition provide support for?
See a list of our SAST tools in our support section.
- ›What are the hardware and software requirements for installing Code Dx?
- Dual-core CPU
- 4GB of RAM or better
- 10 GB hard-disk or better, SSD recommended
- Windows (7+ and Server 2012 R2+), or Mac OS X 10.8+, or Linux (Ubuntu, Fedora, Debian, RHEL, and CentOS). These are the platforms on which Code Dx has currently been tested.
Client Browser requirements:
- Internet Explorer 11+
- Chrome 12+
- Firefox 8+
- Safari 5+
- ›Does Code Dx require a dedicated server?
No. Code Dx is a Java-based tool that can reside on an existing web server; a dedicated server is not needed. Code Dx can also reside on a virtual machine. Use whatever configuration works best for your environment, with the obvious tradeoff that better hardware will offer better analysis performance.
- ›What open source static application security testing tools come bundled with Code Dx?
See a list of our SAST tools in our support section.
- ›What versions of the Eclipse platform does Code Dx support?
Juno (v4.2), Kepler (v4.3), Luna (v4.4), Mars (v4.5) and Neon (v4.6).
- ›What commercial static code analysis tools does Code Dx Enterprise Edition support?
Tools such as:
- HP Fortify 360 Static Code Analyzer
- IBM AppScan
- GrammaTech CodeSonar
- Parasoft JTest
- Parasoft DotTest
- Parasoft C++Test
- Armorize CodeSecure
- WhiteHat Sentinel
- ›What specific programming languages does Code Dx support?
See all supported languages.
- ›What are the inputs to Code Dx?
- ›How are tool vulnerability severities presented in Code Dx?
Our Engineering Team has performed a complete analysis of multiple static source code analysis tools to determine how vulnerabilities are categorized and presented. Each tool represents the severity of the vulnerabilities and weaknesses it finds differently. Some tools employ scales from 1 to 10, for example, where 1 means “severe”. Other tools use scales from 1 to 5 where 5 means “severe”. Still other tools use text-based categories from “nuisance” to “critical”. Code Dx compares all severity categories from these tools and normalizes them onto a single scale of Critical, High, Medium, Low and Info severity categories.
- ›How do I drill down to see the line of code that has a particular vulnerability?
Code Dx provides a drill-in capability: clicking on a specific vulnerability within the triage list brings the user to a detailed weakness analysis page that presents the specific line(s) of code affected by the vulnerability. It also displays any other weaknesses found for that line of code and offers detailed explanations of the weakness (through CWEVis.org and MITRE’s CWE website), as well as mechanisms for real-time collaboration with fellow analysts, auditors and developers to help the user update the code and remediate the weakness.
- ›Are there any ways of looking just at the new analysis results and filtering out old results?
Yes, filters can be applied to the list of findings to only display “new” findings since the last analysis run. In addition, filters can also be applied to findings that were fixed using the “gone” filter, which are those findings that did not occur in the latest analysis.
- ›How do I determine fidelity in my analysis when it comes to false positives?
During triage, the user determines whether a particular finding is a false positive; this is not an automatic process. Where applicable, bulk operations can flag several findings as false positives at once, which helps streamline the triage process. Any finding that has already been identified as a false positive and reappears in a future analysis run will automatically be marked as a false positive in the new run.
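As an added illustration (not Code Dx’s own code or mapping tables, which the page does not publish), the Python below sketches the features described in the three answers above: normalizing tool-specific severity scales onto Critical/High/Medium/Low/Info, merging findings from several tools that point at the same location and CWE, and computing the “new” and “gone” filters plus false-positive carry-forward between two analysis runs. The three tool scales and the sample findings are constructed assumptions.

```python
# Constructed, hypothetical severity scales for three imaginary tools.
LEVELS = ("Info", "Low", "Medium", "High", "Critical")
SCALES = {
    "tool_a": lambda s: LEVELS[4 - min((int(s) - 1) // 2, 4)],   # 1..10, 1 = severe
    "tool_b": lambda s: LEVELS[int(s) - 1],                       # 1..5, 5 = severe
    "tool_c": lambda s: {"nuisance": "Info", "minor": "Low", "moderate": "Medium",
                         "major": "High", "critical": "Critical"}[s.lower()],
}
RANK = {name: i for i, name in enumerate(LEVELS)}


def normalize(tool, raw):
    """Map a tool's native severity value onto the common five-level scale."""
    return SCALES[tool](raw)


def correlate(raw_findings):
    """De-duplicate findings keyed by (file, line, CWE): keep the highest
    normalized severity and record which tools reported it."""
    merged = {}
    for tool, path, line, cwe, raw in raw_findings:
        key = (path, line, cwe)
        sev = normalize(tool, raw)
        entry = merged.setdefault(key, {"severity": sev, "tools": set()})
        if RANK[sev] > RANK[entry["severity"]]:
            entry["severity"] = sev
        entry["tools"].add(tool)
    return merged


def diff_runs(previous, current, false_positives):
    """'new' = present now but not before; 'gone' = present before but not now;
    keys already flagged as false positives stay flagged in the current run."""
    new = set(current) - set(previous)
    gone = set(previous) - set(current)
    carried = {k for k in current if k in false_positives}
    return new, gone, carried


# Constructed sample findings: (tool, file, line, CWE, raw severity).
RUN1 = [("tool_a", "src/Login.java", 42, "CWE-89", "1"),
        ("tool_b", "src/Login.java", 42, "CWE-89", "3"),
        ("tool_c", "src/Util.java", 7, "CWE-20", "minor")]
RUN2 = [("tool_b", "src/Login.java", 42, "CWE-89", "5"),
        ("tool_a", "src/Upload.java", 88, "CWE-22", "4")]

if __name__ == "__main__":
    first, second = correlate(RUN1), correlate(RUN2)
    print(diff_runs(first, second, {("src/Login.java", 42, "CWE-89")}))
```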
- ›What issue tracking tools does Code Dx integrate with?
Code Dx currently integrates with JIRA, the popular software development issue and bug tracking tool used by agile software development teams.
- ›What continuous integration servers does Code Dx integrate with?
Code Dx currently integrates with the Jenkins extensible open source continuous integration server.
- ›What Dynamic Application Security Testing (DAST) tools does Code Dx provide support for?
Currently Code Dx provides support for the following tools: HP WebInspect, IBM AppScan, Acunetix, Arachni, Burp Suite, Netsparker, OWASP ZAP, Veracode and WhiteHat Sentinel Dynamic.
- ›Where does my source code and vulnerability analysis results reside? Is my source code stored in the cloud?
The open-source tools that we bundle are contained within Code Dx. There is no cloud/SaaS version of Code Dx, and the bundled tools do not reside in the cloud either; they are all local to your installation. The only tool that reaches out to the internet (if available) is Dependency-Check, which pulls in the latest CVEs from NIST’s National Vulnerability Database (NVD). All your source code and analysis results remain within your network, under your control.
- ›What software compliance industry standards does Code Dx support?
Code Dx currently supports the following standards: Open Web Application Security Project (OWASP) Top 10, CWE/SANS Top 25, Software Fault Patterns (SFP), Seven Pernicious Kingdoms (7PK), CERT Coding Standard, Web Application Security Consortium (WASC), Comprehensive, Lightweight Application Security Process (CLASP), Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS, EE only).
- ›How much does it cost to get a software assurance program started with Code Dx in my company?
You can kick-start your company’s software assurance program with Code Dx for as little as $2,500. Code Dx Standard Edition provides support for a dozen open source bundled SAST tools. A 5-User annual license is only $2,500 per year with no limit on the number of projects or lines of code that Code Dx can evaluate!
- ›Can Code Dx scan third-party software components?
- ›How do I obtain Code Dx Enterprise Edition for evaluation?
That’s easy. Just go to our website and request an evaluation of Code Dx and then call or email us to let us know you are interested in evaluating the Enterprise version. We will generate and send you a new Enterprise evaluation license key that will unlock the Enterprise features within your Code Dx software.
- ›What version control system does Code Dx support?
Code Dx currently integrates with the Git version control system, a free and open source distributed system designed to handle everything from small to very large projects. If you are using a tool like IBM ClearCase together with Jenkins as a build server, Jenkins can pull the source code from ClearCase, run your build, and then send the results to Code Dx.
- ›Can the Code Dx Server use our domain/LDAP for authentication or does it use its own?
Code Dx can use your own Active Directory or LDAP. Alternatively, you can create local Code Dx users as well.
- ›Regarding the developer plug-ins, are there scanning capabilities for the source code the developers are working on?
The IDE plug-ins allow developers to analyze their source code using our bundled open-source tools as they develop, before committing to source control. With a single click, the code is sent to the Code Dx server, the bundled tools are run, and the developer sees the results in their IDE. Those results are shared with the rest of the team, although a developer can also create their own Code Dx project that acts as a personal sandbox. See our blog on our IDE integration. Results from commercial tools will still appear within the IDE, but those tools have to be run independently of Code Dx.
- ›Is it possible to add custom tool rules to Code Dx?
The Enterprise version allows you to give Code Dx the results from custom tools. You would need to convert the unsupported tool’s output file into our common Code Dx file format. Examples of this are available in your evaluation – see the “Code Dx XML Schemas and Examples” entry in the drop-down menu located to the right of the question mark help icon. For adding rules to a bundled tool like PMD, Code Dx Enterprise takes in the output of PMD, so if you run PMD on your own with custom rules, Code Dx can read in those results. Any custom rules would still appear in Code Dx, including on the rule configuration page.
If you are interested in obtaining a trial version of Code Dx™ or have any questions related to the technology, please visit our Code Dx website or contact us at Trial@CodeDx.com or call 631-759-3993.