Easier Detection and Faster Triage of Software Vulnerabilities for Developers, Security Auditors, and Compliance Officers
- Code Dx is a Software Assurance (SwA) tool with a new approach to combating the growing cyber threat to software source code
- Code Dx consolidates and normalizes vulnerabilities detected by several different code analysis tools, as opposed to the current norm of relying on just one tool
- Code Dx provides an interactive visual analytics user interface that helps Developers, Security Auditors, and Compliance Officers to triage and prioritize software vulnerabilities for effective remediation
- Code Dx research and development was funded by the Department of Homeland Security (DHS), Science & Technology (S&T) Directorate
NORTHPORT, NY, November 15, 2013 – Secure Decisions, the cyber security division of Applied Visions, Inc., today announced the release of Code Dx™ v1.0, a software assurance analytics tool that consolidates and normalizes software vulnerabilities detected by multiple code analysis tools. Its visual analytics help to triage and prioritize software vulnerabilities for efficient remediation. Kevin Greene, Software Assurance Program Manager of DHS S&T Directorate, which funded the initial development of Code Dx, said, “Code Dx provides a way to express weaknesses and vulnerabilities in software in a meaningful and consistent way.”
Benchmarking studies reveal that if you scan source code with only one application security tool, you will fail to detect most of the vulnerabilities in your source code. To find most of the vulnerabilities – to get good “vulnerability coverage” – you need to run several tools and combine the results. Code Dx consolidates the results of multiple tools, normalizes the results to the same severity rankings, and visualizes the results in a unified picture.
“With the innovation Code Dx provides, organizations can now leverage the strength of each tool to improve code coverage and the accuracy of analysis results. By using the sum of many versus the sum of ‘one’ approach, gains can be realized in the area of precision and soundness, where Code Dx provides the contextual relationship amongst analysis results to help reduce false-positives and improve the visibility into false-negatives. This is an area of innovation that helps improve the techniques, services, and methods used in software quality assurance tools,” said Kevin Greene of DHS S&T.
The Code Dx Standard Edition (SE) embeds and automatically runs open source static application security testing (SAST) tools, combines, correlates, and normalizes their results, and provides the user with a visual interface for viewing and prioritizing those results. Its advanced filtering capability allows users to focus on the highest priority software weaknesses first, streamlining the triage and remediation of detected software vulnerabilities. It is designed to remove some of the most prominent barriers to the use of static source code analysis tools: time to get started, complexity, and expense. Code Dx Standard Edition is a low cost and practical first step towards establishing a software assurance program within an organization.
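The consolidate, normalize and correlate workflow described above (running several scanners, mapping their differing severity scales onto one ranking, and merging reports of the same weakness so that triage starts with the highest-priority, multiply-confirmed findings) can be illustrated in a few dozen lines. The following Python is an added example written for this page; it is not Code Dx code and does not reflect its data model. The tool names `tool_a` and `tool_b`, their severity scales, the line-distance tolerance and the sample findings are all constructed assumptions.

```python
"""Added illustration (not Code Dx's code) of consolidating findings from several
SAST tools: normalize each tool's severity scale, correlate reports of the same
CWE at (nearly) the same location, and order the result for triage."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Hypothetical per-tool severity scales mapped onto one common 0-3 scale (constructed).
COMMON_SCALE = {0: "info", 1: "low", 2: "medium", 3: "high"}
SEVERITY_MAP: Dict[str, Dict[Any, int]] = {
    "tool_a": {"critical": 3, "high": 3, "medium": 2, "low": 1, "info": 0},
    "tool_b": {5: 3, 4: 3, 3: 2, 2: 1, 1: 0},
}
# Tools rarely agree on the exact line; treat the same CWE in the same file
# within this many lines as one weakness (assumed tolerance).
LINE_TOLERANCE = 2


@dataclass
class Finding:
    """One raw report from one tool, severity still on that tool's own scale."""
    tool: str
    file: str
    line: int
    cwe: int
    raw_severity: Any


@dataclass
class Consolidated:
    """One weakness after correlation, with the common severity and all reporting tools."""
    file: str
    cwe: int
    line: int
    severity: int
    tools: List[str] = field(default_factory=list)


def normalize_severity(f: Finding) -> int:
    """Map a tool-specific severity onto the common 0-3 scale; fail loudly on unknown values."""
    try:
        return SEVERITY_MAP[f.tool][f.raw_severity]
    except KeyError:
        raise ValueError(f"unmapped severity {f.raw_severity!r} from {f.tool}")


def consolidate(findings: List[Finding]) -> List[Consolidated]:
    """Merge findings that describe the same weakness and rank the result for triage."""
    merged: List[Consolidated] = []
    for f in sorted(findings, key=lambda x: (x.file, x.cwe, x.line)):
        sev = normalize_severity(f)
        last = merged[-1] if merged else None
        same_weakness = (
            last is not None
            and last.file == f.file
            and last.cwe == f.cwe
            and f.line - last.line <= LINE_TOLERANCE
        )
        if same_weakness:
            # Keep the highest normalized severity and record every tool that agreed.
            last.severity = max(last.severity, sev)
            if f.tool not in last.tools:
                last.tools.append(f.tool)
        else:
            merged.append(Consolidated(f.file, f.cwe, f.line, sev, [f.tool]))
    # Highest severity first; among equals, findings confirmed by more tools first.
    merged.sort(key=lambda c: (-c.severity, -len(c.tools), c.file, c.line))
    return merged


def triage_queue(findings: List[Finding], min_severity: int = 2) -> List[Consolidated]:
    """Filter the consolidated list to the items worth looking at first."""
    return [c for c in consolidate(findings) if c.severity >= min_severity]


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per consolidated weakness."""
    return [
        f"{COMMON_SCALE[c.severity]:6} CWE-{c.cwe} {c.file}:{c.line} "
        f"reported by {', '.join(c.tools)}"
        for c in consolidate(findings)
    ]


# Constructed sample output from two hypothetical tools (not real scanner results).
SAMPLE_FINDINGS = [
    Finding("tool_a", "app/db.py", 42, 89, "high"),   # SQL injection, tool_a's scale
    Finding("tool_b", "app/db.py", 43, 89, 4),        # same weakness, one line off, tool_b's scale
    Finding("tool_a", "web/view.py", 10, 79, "low"),  # XSS seen by one tool only
    Finding("tool_b", "config.py", 5, 798, 5),        # hard-coded credential
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
```

Running the block prints the CWE-89 finding first, marked as reported by both tools, then the hard-coded credential, then the low-severity XSS; `triage_queue` drops the last of these. The merge key is deliberately coarse (file, CWE and nearby line) because that is what two independent scanners can realistically be expected to agree on; a finer match on data-flow paths would need each tool's trace format.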
“90% of security incidents can be traced back to vulnerabilities in software. Yet, many developers and security analysts don’t use application security testing tools because they are too expensive, too hard to use, or too hard to interpret. We decided to address those problems by offering an inexpensive system that automatically runs a set of software vulnerability scanners for you, visualizes the results, and provides an interface through which developers and security analysts can share information,” said Dr. Anita D’Amico, Director of Secure Decisions, developers of Code Dx.
The Code Dx Enterprise Edition (EE) extends the value of your existing software assurance program by providing all of the features and SAST tools of Standard Edition integrated with your existing analysis toolset. It will automatically select and run the open source tools suitable for your codebase; then Code Dx EE combines them with results from the commercial tools you have already invested in, e.g. HP Fortify 360 and Armorize CodeSecure. It provides an efficient method for running and combining the results of multiple open source and commercial SAST tools. The correlation and normalization of these results produces a consolidated set of results that provides greater coverage of potential vulnerabilities in the source code, and a better assessment of overall enterprise risk. Code Dx EE is an essential addition to a maturing software assurance program.
“Code Dx allows organizations to leverage their investment in existing commercial SAST tools while allowing the adoption of open-source SAST tools for software assessment activities,” said Kevin Greene of DHS S&T.
Code Dx 1.0 provides:
- Coverage – Finds more important vulnerabilities in your source code
- Efficiency – Saves remediation time and resources
- Communication – Visualizes results to share up and down the reporting chain
- Ease-of-use – Is quick and affordable to use
Whether an organization is implementing a new software assurance program or maintaining an established and maturing one, the Code Dx Standard and Enterprise editions provide great utility and benefits in both environments. Their broad software vulnerability coverage, normalization and prioritization of results, intuitive user interface, relevant reports, and affordability make them an excellent choice for all software assurance analysis environments.
Code Dx Standard Edition version 1.0 and Code Dx Enterprise Edition version 1.0 are now available worldwide.
Code Dx Free 30-Day Trial:
To download a trial of the Code Dx Standard Edition, please visit:
http://codedx.com/free-trial or email [email protected]
Get an evaluation copy of the Code Dx Enterprise Edition, or have the Code Dx sales team contact you.
To learn more about Code Dx™, visit:
To learn more about the DHS Science & Technology research and technologies to protect the homeland, visit http://www.dhs.gov/st-directorate-organization.
About Applied Visions and Secure Decisions
Secure Decisions was launched as a division of Applied Visions, Inc. (AVI) in 2000 to focus on cyber security and homeland security research and products. Today, Secure Decisions is a leader in security visualization with an established track record of R&D contracts, technology transition, and product development. Secure Decisions’ technologies are used to enhance the situational awareness of software developers and security professionals in government and commercial organizations. Code Dx®, VIAssist™, and MeerCAT® are among Secure Decisions’ extensive portfolio of cyber defense solutions. For more information, please visit www.securedecisions.com.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective parties.