Secure Decisions developed a tool that combines and correlates identified vulnerabilities from separate analysis tools across various techniques. This makes the process of securing an application far simpler, as the weaknesses found are linked to specific lines of code, and are verified by more than one tool—in other words, it provides your application security team with information that is immediately actionable. The software is vendor-agnostic; it will work with a wide range of tools, both open source and commercial. It even integrates with issue tracking and collaboration tools to make fixing the vulnerabilities you find easier.
Before your application ships, you need to make sure there aren’t any vulnerabilities in its code that can put your business at risk. Static application security testing (SAST) tools are commonly used to find those exploitable weaknesses, so you can ﬁx them before they become vulnerabilities. SAST tools are complex, difficult to use, and don’t work well together; Code Dx makes those tools more effective. Even better, those SAST tools can be paired with dynamic application security testing (DAST) to see which source code weaknesses are actually exploitable. Combining multiple tools and techniques makes your application as secure as it can be, but there just aren’t any tools that do that automatically—at least until we developed Code Dx. Now application security can find a place within any enterprise, regardless of size, and can be used throughout your entire SDLC.
Code Dx Enterprise
Code Dx Enterprise is a software vulnerability management system that consolidates the vulnerabilities found through static source code analysis, dynamic penetration testing, third-party library assessment and manual code review. It includes all the features of Stat! and also works seamlessly to combine, normalize, and remove redundant vulnerabilities found using a wide variety of static and dynamic application testing tools (both commercial and open source) as well as manual analyses. In addition to mapping vulnerabilities to industry standards, future releases of Code Dx Enterprise will identify those vulnerabilities associated with potential violations of regulatory compliance standards, such as the Defense Information Services Agency (DISA) Security Technical Information Guide (STIG) or Payment Card Industry Data Security Standard (PCI DSS). The correlation, normalization, and de-duplication of results from multiple tools produces a consolidated set of results, with greater coverage of potential vulnerabilities and a better assessment of overall software security risk. To learn more visit www.CodeDx.com.
Stat! is a software vulnerability management system focused on static analysis of source code. It oﬀers a suite of preconﬁgured open source static analysis tools that it runs automatically against a code base. Stat! analyzes source code that has been fed into it, selects the appropriate static analysis tool(s) for the languages in which the code is written, and maps the results onto the Common Weakness Enumeration (CWE) for the user. If multiple tools are run, Stat! normalizes the disparate results onto a common severity scale and removes redundant results. It also reports on the vulnerability status of third-party libraries included in the code base. Stat! provides a visual user interface to make it easy and quick to triage and ﬁlter vulnerabilities so that users can ﬁnd and ﬁx the highest priority weaknesses ﬁrst. All the vulnerabilities are mapped to industry standards—such as OWASP Top 10, CWE/SANS Top 25, CERT Java and C/++ Coding Standards, Web Application Security Consortium (WASC)—to guide the prioritization and remediation process. In fact, Stat! supports the assignment and tracking of vulnerabilities to be ﬁxed, and oﬀers remediation guidance through the developer’s Integrated Development Environment (IDE) and through integration with the JIRA issue tracking system. To learn more visit www.CodeDx.com.
Frequently Asked Questions
Code Dx Version 2.4 Documents: