Code Dx, the Platinum Award Winner in the 2017 ‘ASTORS’ Homeland Security Awards Program for Best Cyber Security for Application Management, is pleased to announce Code Dx Enterprise has been nominated to compete in the 2018 ‘ASTORS’ Awards Program.
“Application security testing (AST) has become a necessity as the application layer is now the most common attack vector,” explains Anita D’Amico, Ph.D., CEO of Code Dx.
According to the Department of Homeland Security (DHS), up to 90% of cyber incidents are traceable to software flaws that were exploited by attackers.
There are many AST tools and techniques (e.g. static, dynamic, hybrid) to help software developers and security analysts find vulnerabilities during all stages of the software development lifecycle, but the truth is, there is no one tool that will catch every weakness.
Developers need to, and do, use many tools to secure their applications.
Additionally, despite the prevalence of so many AST tools, many developers and security analysts simply don’t use these tools as prescribed because of cost and operational obstacles.
These obstacles include:
- Difficulty in building security testing directly into the software development or DevOps process
- High cost of using multiple tools
- Weeks of manpower needed to combine and correlate the findings from multiple testing tools into one format for easy remediation and reporting, and
- Weeks of time prioritizing thousands of vulnerabilities, so that the most critical and those non-compliant with government regulations get fixed first.
Code Dx, Inc. understands these challenges, and developed the Code Dx Enterprise Application Vulnerability Manager to help secure the software supply chain by providing an easy-to-use and affordable application vulnerability correlation and management solution, enabling organizations to overcome these obstacles that are deterrents to using AST tools.
This breakthrough product automates many of the manpower-intensive activities needed to run AST tools, consolidates the results, and prioritizes the reported vulnerabilities based on industry and regulatory standards.
“Our Application Vulnerability Manager, Code Dx Enterprise, helps secure the software supply chain by providing an easy-to-use and affordable application vulnerability correlation and management solution that enables organizations to leverage the power of multiple open-source and commercial AST tools,” added Dr. D’Amico.
“With Code Dx Enterprise, organizations achieve greater vulnerability coverage, and a better assessment of overall software security risk, in less time, and with fewer resources.”
(See Code Dx CTO, Ken Prole, tell you all you need to know about application security with a focus on securing government systems. Courtesy of Code Dx and YouTube)
In an environment where skilled security analysts and developers are in short supply, “doing more with less” is a must – the breakthrough in Code Dx Enterprise is this ability to amplify the effects of an AppSec teaming of people and tools to achieve higher-value results in less time, with less effort.
Code Dx Enterprise takes in reports of vulnerabilities produced by a wide range of commercial and open-source static and dynamic tools, together with those found by manual code reviews, automatically correlates them, and removes duplicates.
It also automatically checks the vulnerability status of third-party libraries that may be built into the code.
Results are easily prioritized and, through Jira integration, assigned for remediation.
It even maps findings to industry and government standards, so organizations can identify vulnerabilities that are potential violations of HIPAA, PCI, or DISA STIG regulations.
Finally, Enterprise exposes its work to developers from within their integrated development environment, so developers and security analysts can work together to conduct their security tests and remediate the problems within their normal workflow.
In April 2018, the company released Code Dx Enterprise 3.0, which now offers Hybrid Analysis Mapping capabilities, correlating the findings of static and dynamic software analysis tools for improved vulnerability prioritization.
This new capability correlates the results of SAST and DAST tools enabling users to see which of the source code weaknesses are actually exploitable from the perspective of an external attacker.
With the perspectives and techniques used by SAST and DAST tools being very different, this ability to combine the outside-in approach of DAST tools with the inside-out approach of SAST tools makes it easy for users to see the most critical true positives that need to be fixed first.
With hybrid analysis users are able to see where to apply their resources to fix real problems in code that are, without question, exploitable by an attacker.
And because Code Dx automates the process, organizations save days, sometimes weeks, of time that application security analysts would have spent doing it manually.
The technology underlying this solution was initially developed as part of a DHS-funded R&D project to make it easier to conduct and analyze multiple application security tests throughout the development lifecycle, and to reduce the barriers to securing the software supply chain.
The people working on this R&D started Code Dx, Inc. to mature the technology into the commercial product now known as Code Dx Enterprise.
While the industry is working hard to deliver a greater diversity of powerful AST tools, Code Dx Enterprise differentiates itself by focusing on making those tools work together to produce actionable results more quickly, with less effort.
With seamless integration into software development environments, it brings developers and security analysts together into an effective team.
Customers see Code Dx Enterprise as a valuable multiplier of their existing investments in AST.
Code Dx increases the value of their commercial tool chest with the addition of results from open source tools.
It also enables enterprises to augment their application security testing program by economically distributing AST tools to a broader audience of developers in their organization while maintaining commercial AST tools within their quality assurance and security analysis functions.
With this seamless integration and use of open source and commercial AST tools through Code Dx, security reviews are performed earlier and more frequently in the software development lifecycle, reducing the time to develop and secure production-ready software and decreasing organizational application security risk.
Customers of Code Dx include defense contractors, state and federal government agencies, large financial institutions, and healthcare systems.
Turn your black box into a glass box
Even when you’re doing the right thing (by that we mean testing your application’s security), it’s hard to tell what you’re actually checking.
When you run an automated testing tool, you’re given a list of results at the end, and you have to trust that it’s tested as much as necessary (which is one of the reasons why we so strongly recommend using more than one tool).
There really is no good way to quickly and easily track how much of your application’s attack surface has actually been tested—and how exposed some of it might be.
Code Pulse provides a straightforward, visual illustration of your application’s attack surface, and how your penetration testing interacts with it.
Even better, it functions in real-time, while your application is active, so you can tell exactly what parts of your code are covered by the penetration test—and what parts aren’t.
Know your tools
Code Pulse shows you exactly which parts of the application are covered by each tool, so you can see where there are overlaps—and, more importantly, where there are gaps.
This helps you understand whether or not you need to add different tools to your testing process, or evaluate new ones for future projects.
If you don’t know your tools, you can’t test well—and if you can’t test well, you definitely can’t secure your application.
Key features of Code Dx Enterprise
- Automatically combines and correlates the output from multiple tools and manual findings into a single set of results
- Supports commercial SAST, DAST, and IAST tools
- Includes bundled SAST tools to get you started
- Checks your codebase against regulations such as HIPAA
- Manages remediation with tools to assign and track vulnerability fixes
- Integrates with the JIRA issue tracking tool
- Integrates with popular development environments (like Eclipse) so developers can more easily fix the vulnerabilities found
- Embeds in continuous integration environments to streamline your process
- Integrates with other build servers with its REST API
- Supports XML input for integration with custom or proprietary analysis tools
- Provides results in SIEM format for analysis by your network security team
- Generates reports in a variety of formats
- Checks your third-party components for vulnerabilities with Software Composition Analysis tool support
- Maps vulnerabilities to the Common Weakness Enumeration
Key benefits of Code Dx Enterprise
You get more effective software testing when you combine multiple tools and techniques with Code Dx Enterprise:
- Better vulnerability coverage
- Fewer false positives
- No duplicate results
Code Dx Enterprise saves you time and resources:
- Automate the tedious and lengthy process of combining multiple outputs
- Automate the expensive, labor-intensive task of correlating the results until you’re left with actionable data
- Automatically select and run a collection of open-source SAST tools and third-party library analyzers against your code
Code Dx Competes in 2018 ‘ASTORS’ Homeland Security Awards Program
- Platinum ‘ASTORS’ Award Winner
- Code Dx Enterprise Software Assurance Analytics Tool
- Best Cyber Security for Application Management
American Security Today (AST) focuses on Homeland Security and Public Safety Breaking News, the Newest Initiatives and Hottest Technologies in Physical & IT Security, essential to meeting today’s growing security challenges.
The 2018 ‘ASTORS’ Homeland Security Awards Program is organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, Border Security, First Responders (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech), as well as Federal, State, County and Municipal Government Agencies, and to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’
As an ‘ASTORS’ competitor, Code Dx will be competing against the industry’s leading providers of Innovative Cyber Security Solutions.
To Learn More about the ‘ASTORS’ Homeland Security Awards Program, see 2017 ‘ASTORS’ Homeland Security Award Winners Honored at ISC East.
Over 100 distinguished guests from National, State and Local Governments, and Industry Leading Corporate Executives from companies allied to Government, gathered from across North America and the Middle East to be honored from disciplines across the Security Industry in their respective fields which included representatives from:
- The Department of Homeland Security
- The Department of Justice
- The Securities and Exchange Commission
- State and Municipal Law Enforcement Agencies
- Leaders in Private Security