Security Reviewer Static Analysis and Software Composition Analysis license policies are for unlimited users, unlimited clients, unlimited servers, unlimited analyses and unlimited lines of code. Only you have to specify the IP range on which Security Reviewer will run. Buying unlimited licenses includes 1 year of support and maintenance. Additional support and maintenance years must be purchased separately. Special prices will be applied for 3 years or more of additional support and maintenance. A special bid for a limited scans (50, 100 per year) exists only for Static Analisys Analysis Desktop Edition. See: EditionsCode Inspection or Software Composition Analisys FAQ below.

All Security Reviewer software components are made by Security Reviewer itself. Only updated and secured versions 3rd-party libraries are used. See: Open Source Licenses All support and maintenance tasks are provided by Security Reviewer and its Resellers network. No other vendors are involved

We provide a basic Support contract of 8x5, and Glod or Premium of 24x7. Maintenance is always provided with a monthly release update. Patching (part of maintenance) is done for bug fixing with a response time of 8-48 hours for Basic Support and 3-8 hours (3 hours for High, 5 hours for Medium, 6 hours for Normal and 8 hours for Low priority) for Premium support. For further SLA details, please ask to your preferred Reseller

See Compliance Modules

We do not offer Consultancy Services directly to Customers. Beware of false Security Reviewer 'experts'. To ensure Project success, we offer a Certification Program mandatory for every Consultancy Firm using our Products in a Consultancy Project at Customer's site. See Our Certification Program

See Our Reseller Network

Further to our Continuous Integration (CI) (see related FAQ) and IDE Plugins, the following Editions are available:

• Desktop Edition. All features are provided by this Windows Desktop app, SQALE Dashboard and CLI Interface are Included. It is installed on premises and provides both Unlimited and Limited (50, 100, etc.) scans/year.

• Virtual Desktop Edition. All features are provided by this Remote Desktop app, running on Windows, Mac OSx and Linux. SQALE Viewer is Included.

• Developer Edition. Choose one of IDE plugins you want, and you can scan, view results and create reports directly inside your IDE. Windows only.

• Server Edition. Desktop Edition additional module. Shares configurations, False Positives, Exclusions, Results and even encryoted encrypted source code between Desktop Editions. Includes Desktop Edition.

• REST API Edition. A Java CLI Interface run scans, check scan progress and download Results from a REST API on-premises Server

Desktop Edition

Windows:

      Microsoft®Windows 7 10 Professional or newer (Windows 10 includedEnterprise (Home version not supported), Windows 2008 R2 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included). 

64 bit environment is suggested for better performances.

      Microsoft®Office 2010 or newer installed (for reporting)

      .NET Framework 4.7.8 2 redistributable preinstalled .

Linux: Same requirements of Server edition

PDF reader (for reporting)

JDK 1.8 or newer preinstalled.

At least 2 with offline installer.

      Oracle JDK 1.8 preinstalled. For further details, please refer to the related chapter below

      Python 3.8 or newer preinstalled

      At least 4 GB RAM or minimum RAM required by Host System

      2 Cores

      A physical hard disk greater than 200GB

      1 GB of free C: disk space during running

Linux

       Centos Linux 7.x; or newer, Ubuntu 16.04 or higher, Debian 9 or higher, Fedora 30 or higher, RedHat 7 or higher

      64bit environment is mandatory

      Oracle JDK 1.8 preinstalled. It won’t run with OpenJDK

      Python 3.6 or higher

      At least 4 GB RAM or minimum RAM required by Host System

      2 Cores

      A physical hard disk greater than 200GB, with at least 300 MB of free disk space during Installation

      1 GB of free C: disk space during running

Virtual Desktop Edition

Host System: Microsoft®Windows , Mac OSx OSX or Linux. No particular configuration is suggested. The application runs in a remote Windows Server. If you need that Server on your premises, it needs the same configuration of Server Edition

Developer Edition

Same configuration of Desktop Edition, with one of IDE Plugins installed.

Server Edition

Windows: Windows 2008 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included). .NET Framework 4.8 redistributable preinstalled. IIS 7.5 or newer for WCF

Linux:

• Centos 7/8

• Ubuntu 16.04/18.04/19.04/19.10/20.04 both server and desktop

• Fedora 21 or newer

• SuSE Linux Enterprise 12 or newer

• RedHat RHEL 7 or newer

Mac:

• Mac OSx 10.11 “El Capitan” or newer

JDK 1.8 or newer preinstalled.

Minimum RAM required by Host System.

REST API Edition

Same configuration of Server Edition with additional Apache Tomcat 9 installed.

See Infrastructure

See Infrastructure

See Our Indipendent Advisors Network

When a Security Vulnerability is detected, a number of detailed Attributes is provided.

See this video:

Legend:

Q. Can Static Analysis provide per-component results?

Before executing the Static Analysis, source code may be grouped by Components, via Component Builder feature. Results by Component, Outsourcer and/or Development Team can be associated, as well as the related Application Portfolio ID and Project Initiative

Q. When Analysis ends, is there a notification service?

At Analysis termination, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can be also made using Slack, Microsoft Teams or sent to any Platform with WebHooks support. See Ecosystem for further details.

Q. Which Analysis results output formats are supported?

Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with ISO 9001 cover page, your logo, Classification and your Responsability Chain.

Q. May I suppress a vulnerability?

Yes, you can mark a vulnerability as False Positive, insert Notes and Vulnerability Status, all associated to a specific author. Those information will used in the next Analysis and included in the reports. See False Positives and False Negatives

Q. In Static Analysis, may I create custom Security Rules?

You can exclude some Security Rules from the Static Analysis, between the ones available, or you can create new Security Rules using the Cigital Secure Assist standard. Those rules can be associated to a specific analysis or to a single Application or Group of applications

Q. Which Development IDE are supported?

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins

Unique Data used by our CI Plugins is about External Sources used in Software Composition Analysis. Such Data will be stored temporary in an H2 database and refreshed automatically. No need of backup or maintenance

Only Software Composition Analysis CI Plugin requires access to Internet, for accessing to External Sources. An internal Proxy Server belonging to your organization can be used. It must be configured inside your CI Platform:

• Jenkins behind a Proxy

• Bamboo Proxying

Software Composition Analysis (SCA) CI Plugin supports various Package Managers. See Package Managers.

For both Static Analysis and Software Composition Analysis Ant, Maven, Gradle plugins are available.

See Our Indipendent Advisors Network

Yes. We analyze both System Libraries and Libraries/Frameworks used in applications. See Containers Security for further details

At Analysis termination, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can be also made using Slack, Microsoft Teams or sent to any Platform with WebHooks support. See Ecosystem for further details.

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins

Our CI Plugins integrate with Issue Tracking in two different ways:

• via available plugins in your CI Platform (JIRA, BugZilla, GitHub Issues, etc.) . See Issue Tracking in https://plugins.jenkins.io/ and https://marketplace.atlassian.com

• via CLI Interface and REST API. See our EcoSystem

Yes, the SonarQube and ThreadFix integrations are natively supported. Other dashboard support is provided via OWASP Dependency Track. See Dashboards

Firmware Reviewer executes both Static and Dynamic Analysis. After extracting the bootloader and file system from the image, the Static Analysis consists on executing a Task List, which includes checking of OS, system libraries, 3rd-party libraries, executables and scripts against CVE and Exploit databases to find known vulnerabilities. Scripts source code is also submitted to Security Reviewer’s SAST module to verify OWASP, WASC and CWE vulnerabilities checks. It will reveal also Visible configuration, IPs, e-mails, URIs, Visible Services, Unwanted Programs, and Compliance Issues. Dynamic Analysis consists in Device Emulation and in applying attacker patterns to the firmware image. Dynamic Analysis execute also Hardening Compliance test and other tests like Malware Scanning, using an embedded version of Metaesploit against our own collection of rules. See Malware related question below.

Firmware Reviewer Emulate a device using an our own enhanced version of QEMU. For complex firmwares it can execute a Partial emulation (bootloader and init system) and install a Bootloader Agent /wiki/spaces/KC/pages/1455980582 in the firmware bootloader, in order to manage encrypted firmware and gain access to login credentials. It will increase the Dynamic Analysis comprehensiveness and accuracy.

Firmware Reviewer provides a Plugin Developer’s Kit as well as REST API /wiki/spaces/KC/pages/1406631937 interface. External tools are orchestrated within dedicated plugins, and, in case of external systems, through REST API. Results are automatically correlated in a unique report.

Firmware Reviewer makes use of Security Reviewer’s SAST native module to analyze source code found inside the firmware image: shell scripts, python, php, lua, javascript, etc. in order to verify OWASP, WASC and CWE vulnerabilities checks.

Using our Bootloader Agent /wiki/spaces/KC/pages/1455980582, the users with empty or default passwords will be automatically monitored by Firmware Reviewer. At Emulation runtime, when a service is accessed using the real credentials, the Bootloader Agent /wiki/spaces/KC/pages/1455980582 will track it and will try to use such real credentials to login. Firmware Reviewer never access to physical devices, emulating them only.