The Department of Homeland Security (DHS) reports that up to 90% of cyber incidents are traceable to software flaws that were exploited by attackers.
Yet, cyber security has focused primarily on network security and less on securing the software that resides on networks and poses risks.
DHS believes that the nation’s software supply chain is jeopardized when the applications used in our critical infrastructure have not been adequately tested for security vulnerabilities and those vulnerabilities remediated.
There are numerous application security testing (AST) tools that help software developers and security analysts find vulnerabilities during all stages of the software development lifecycle.
Static AST (SAST) tools are used to find vulnerabilities in source code, while dynamic AST (DAST) tools perform automated penetration testing on code while it is running.
Despite the prevalence of these tools, many developers and security analysts simply don’t use these AST tools as prescribed because of cost and operational obstacles.
These obstacles include:
- Difficulty in building security testing directly into the software development or DevOps process
- High cost of using multiple tools
- Weeks of manpower needed to combine and correlate the findings from multiple testing tools into one format for easy remediation and reporting, and
- Weeks of time prioritizing thousands of vulnerabilities, so that the most critical and those non-compliant with government regulations get fixed first
(Code Dx® is a software assurance analytics tool that consolidates and normalizes software vulnerabilities detected by multiple code analysis tools. Its visual analytics help to triage and prioritize software vulnerabilities for efficient remediation. Courtesy of Brianne OBrien and YouTube)
Code Dx Enterprise helps to secure our software supply chain by providing an easy-to-use and affordable application vulnerability management solution that helps organizations overcome these obstacles that are deterrents to using AST tools.
It automates many of the manpower-intensive activities needed to run application security testing tools, consolidate the results and prioritize vulnerabilities based on industry and regulatory standards.
The result of using Code Dx Enterprise is greater vulnerability coverage and a better assessment of overall software security risk.
Code Dx Enterprise automatically runs up to 15 pre-configured open source static analysis tools, saving significant labor costs and time.
The user feeds his or her code into Enterprise and it figures out which languages the code is written in, then selects the appropriate pre-configured tools, runs them, and outputs the discovered vulnerabilities in an easy-to-understand report.
It also automatically checks the vulnerability status of third-party libraries that may be built into the code.
Enterprise then automatically consolidates the findings of these pre-configured tools with the vulnerabilities found by other commercial or open source static and dynamic tests and by manual code reviews, and then removes duplicates.
(Watch and Learn… The award-winning Code Dx solution integrates the results of multiple static and dynamic Application Security Testing (AST) tools and manual reviews into a consolidated set of results for quick and easy triage, prioritization and remediation. Courtesy of Code Dx and YouTube)
It also maps all the findings to industry and government standards, so that the user can rapidly see which vulnerabilities are potential violations of HIPAA, PCI or DISA STIG regulations.
Additionally, it can be used when source code is not available to the security analyst by doing its work using the results from just DAST (i.e. automatic penetration testing conducted while the code is running).
Finally, Enterprise does its work within the integrated development environment, so developers and security analysts can conduct their security tests and remediate the problems within their normal workflow.
Code Dx Enterprise Key Features
Extends software vulnerability management to include the results of hybrid application security testing techniques: static, dynamic and manual analyses.
- Includes all of the features in Stat!
- Enables manual entry of independently identified weaknesses, for example, from manual code reviews
- Integrates the results from multiple commercial static source code analysis testing tools – see a list of commercial SAST tools that Code Dx supports.
- Provides support for several dynamic application security testing tools – see a list of open source and commercial DAST tools that Code Dx supports.
- Combines and normalizes the output of SAST and Dynamic Application Security Testing (DAST) tools, third-party vulnerabilities and manual findings into a consolidated set of results on a common severity scale
- New Tool Connectors allow configuration and integration with third-party analysis tools (such as WhiteHat Sentinel and Checkmarx CxSAST), providing automatic incorporation of tool results into the Code Dx Enterprise analysis result set
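The consolidation step described above (normalize each tool's native severity onto one scale, merge duplicate findings, map them to standards and prioritize) as an added example; this is illustrative code, not Code Dx's own implementation, and the tool names, severity mappings, CWE-to-standard subset and sample findings are all constructed for the example.

```python
from dataclasses import dataclass, field

# Each tool reports severity on its own scale; map them onto one 0-10 scale.
# Constructed mappings for three hypothetical sources: a SAST tool, a DAST tool, manual review.
SEVERITY_MAPS = {
    "sast-a": {"error": 9.0, "warning": 5.0, "note": 2.0},
    "dast-b": {"High": 8.0, "Medium": 5.0, "Low": 2.0, "Informational": 0.5},
    "manual": {"critical": 10.0, "major": 7.0, "minor": 3.0},
}

# Illustrative CWE-to-standard mapping (constructed subset; a real mapping is far larger).
STANDARD_MAP = {"CWE-89": ["PCI", "DISA STIG"], "CWE-79": ["PCI", "DISA STIG"], "CWE-312": ["HIPAA"]}

@dataclass
class Finding:
    tools: set                      # every tool or reviewer that reported this weakness
    cwe: str
    location: str                   # file:line for SAST/manual, URL for DAST
    severity: float                 # normalized 0-10 score
    standards: list = field(default_factory=list)

def normalize(raw):
    """Convert one tool's native finding into a Finding on the common scale."""
    score = SEVERITY_MAPS[raw["tool"]][raw["severity"]]
    return Finding({raw["tool"]}, raw["cwe"], raw["location"], score, STANDARD_MAP.get(raw["cwe"], []))

def consolidate(raw_findings):
    """Normalize, merge duplicates (same CWE at the same location) and order by priority."""
    merged = {}
    for raw in raw_findings:
        f = normalize(raw)
        key = (f.cwe, f.location)
        if key in merged:           # same weakness seen by another tool: merge, keep worst score
            merged[key].tools |= f.tools
            merged[key].severity = max(merged[key].severity, f.severity)
        else:
            merged[key] = f
    # Compliance-relevant findings first, then highest severity, then most tools agreeing.
    return sorted(merged.values(), key=lambda f: (bool(f.standards), f.severity, len(f.tools)), reverse=True)

# Constructed sample input: five raw findings from three sources, two of which overlap.
RAW = [
    {"tool": "sast-a", "cwe": "CWE-89", "location": "app/db.py:42", "severity": "error"},
    {"tool": "manual", "cwe": "CWE-89", "location": "app/db.py:42", "severity": "major"},
    {"tool": "dast-b", "cwe": "CWE-79", "location": "/search?q=", "severity": "Medium"},
    {"tool": "sast-a", "cwe": "CWE-312", "location": "app/config.py:7", "severity": "warning"},
    {"tool": "sast-a", "cwe": "CWE-563", "location": "app/util.py:3", "severity": "note"},
]

if __name__ == "__main__":
    for f in consolidate(RAW):
        print(f"{f.severity:4.1f} {f.cwe:8} {f.location:18} {sorted(f.tools)} {f.standards}")
```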
Code Dx Enterprise differentiates itself from its competitors on ease of use, affordability, the number and types of static and dynamic testing tools supported, and seamless integration into software development environments.
It is priced on a simple per-user license and is not based on number of applications nor number of lines of code like some competitor products.
It runs on standard application hardware; supports Windows, Mac and Linux; and has no special deployment requirements.
Code Dx at a Glance
The technology underlying this solution was initially developed as part of a DHS-funded R&D project to make it easier to conduct and analyze multiple application security tests throughout the development lifecycle, and to reduce the barriers to securing the software supply chain.
The people working on this R&D started Code Dx, Inc. to mature the technology into the commercial product now known as Code Dx Enterprise.
“Application security is rapidly growing as more organizations recognize the significant risks that software vulnerabilities pose to their enterprise,” explains Anita D’Amico, Ph.D., CEO for Code Dx.
“Code Dx automates and supports many of the resource-intensive aspects of finding, analyzing and triaging vulnerabilities, then tracking their remediation.”
“We make it easy and affordable for users to find vulnerabilities with multiple application security testing (AST) tools, prioritize the vulnerabilities based on regulatory compliance and industry standards and manage their remediation.”
Customers include defense contractors, state and federal government agencies, large financial institutions, and health care systems. They see Code Dx as a valuable addition to their existing investments in Application Security Testing (AST).
Code Dx increases the value of their commercial tool chest with the addition of results from open source tools.
It also enables enterprises to augment their application security testing program by economically distributing AST tools to a broader audience of developers in their organization while maintaining commercial AST tools within their quality assurance and security analysis functions.
With this seamless integration and use of open source and commercial AST tools through Code Dx, security reviews are performed earlier and more frequently in the software development lifecycle, reducing the time to develop and secure production-ready software and decreasing organizational application security risk.
The core technology was partially funded by Department of Homeland Security Science & Technology (DHS S&T) to help secure the nation’s software supply chain.
During this webinar, Code Dx CTO, Ken Prole, will tell you all you need to know about application security with a focus on securing government systems.
The Code Dx website provides additional information on Code Dx Enterprise, key features, why to use it, who should use it (security analysts, CISOs, software developers, software QA engineers, etc.), supported tools and languages and information on future releases, including the addition of Hybrid Application Security Testing (HAST).
Code Dx Enterprise in 2017 ‘ASTORS’ Homeland Security Awards Program
The 2017 ‘ASTORS’ Homeland Security Awards Program was organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, First Responders (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech), as well as Federal, State, County and Municipal Government Agencies, and to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’