Security Reviewer Static Analysis and Software Composition Analysis license policies are for unlimited users, unlimited clients, unlimited servers, unlimited analyses and unlimited lines of code. You only have to specify the IP range on which Security Reviewer will run. Buying unlimited licenses includes 1 year of support and maintenance. Additional support and maintenance years must be purchased separately. Special prices will be applied for 3 years or more of additional support and maintenance. A special bid for a limited number of scans (50 or 100 per year) exists only for the Static Analysis Desktop Edition. See: Editions, Code Inspection or Software Composition Analysis FAQ below.
Q. Do Security Reviewer products require hardware components?
All Security Reviewer software components are made by Security Reviewer itself. Only updated and secured versions of 3rd-party libraries are used. See: Open Source Licenses. All support and maintenance tasks are provided by Security Reviewer and its Reseller network. No other vendors are involved.
We provide a Basic Support contract of 8x5, and Gold or Premium of 24x7. Maintenance is always provided with a monthly release update. Patching (part of maintenance) is done for bug fixing with a response time of 8-48 hours for Basic Support and 3-8 hours (3 hours for High, 5 hours for Medium, 6 hours for Normal and 8 hours for Low priority) for Premium Support. For further SLA details, please ask your preferred Reseller.
Q. Which Programming Languages are supported?
Q. What about Compliance?
Q. How can I submit an Enhancement Request?
We do not offer Consultancy Services directly to Customers. Beware of false Security Reviewer 'experts'. To ensure Project success, we offer a Certification Program that is mandatory for every Consultancy Firm using our Products in a Consultancy Project at a Customer's site. See Our Certification Program.
Q. How can I contact a Distributor?
Code Inspection FAQ
In addition to our Continuous Integration (CI) (see related FAQ) and IDE Plugins, the following Editions are available:
Desktop Edition
Windows:
  Microsoft® Windows 7 / 10 Professional or newer (Windows 10 Enterprise included; Home version not supported), Windows 2008 R2 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included). A 64-bit environment is suggested for better performance.
  Microsoft® Office 2010 or newer installed (for reporting).
  .NET Framework 4.7.2 or 4.8 redistributable preinstalled.
  PDF reader (for reporting).
  JDK 1.8 or newer preinstalled. At least 2 with offline installer. Oracle JDK 1.8 preinstalled. For further details, please refer to the related chapter below.
  Python 3.8 or newer preinstalled.
  At least 4 GB RAM or the minimum RAM required by the Host System.
  2 Cores.
  A physical hard disk greater than 200 GB.
  1 GB of free C: disk space while running.
Linux:
  Same requirements as the Server Edition.
  CentOS Linux 7.x or newer, Ubuntu 16.04 or higher, Debian 9 or higher, Fedora 30 or higher, RedHat 7 or higher. A 64-bit environment is mandatory.
  Oracle JDK 1.8 preinstalled. It won't run with OpenJDK.
  Python 3.6 or higher.
  At least 4 GB RAM or the minimum RAM required by the Host System.
  2 Cores.
  A physical hard disk greater than 200 GB, with at least 300 MB of free disk space during installation.
  1 GB of free disk space while running.

Virtual Desktop Edition
  Host System: Microsoft® Windows, Mac OS X or Linux. No particular configuration is suggested. The application runs on a remote Windows Server. If you need that Server on your premises, it needs the same configuration as the Server Edition.

Developer Edition
  Same configuration as the Desktop Edition, with one of the IDE Plugins installed.

Server Edition
Windows:
  Windows 2008 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included).
  .NET Framework 4.8 redistributable preinstalled.
  IIS 7.5 or newer for WCF.
Linux:
Mac:
  JDK 1.8 or newer preinstalled. Minimum RAM required by the Host System.

REST API Edition
  Same configuration as the Server Edition, with Apache Tomcat 9 additionally installed.
Q. Which Virtualization Platforms are supported by Static Analysis?
See Infrastructure
Q. Which Operative Systems are supported by Static Analysis?
See Infrastructure
Q. What is the Database role in Static Analysis?
Q. How Security Rules are maintained up-to-date?
Q. For each Security Vulnerability, which details are provided?
When a Security Vulnerability is detected, a number of detailed Attributes is provided. See the related video and legend.
Q. Can Static Analysis provide per-component results?
Before executing the Static Analysis, source code may be grouped by Components via the Component Builder feature. Results by Component, Outsourcer and/or Development Team can be associated, as well as the related Application Portfolio ID and Project Initiative.
Q. When Analysis ends, is there a notification service?
At Analysis termination, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can also be made using Slack, Microsoft Teams, or sent to any Platform with WebHooks support. See Ecosystem for further details.
Q. Which Analysis results output formats are supported?
Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with an ISO 9001 cover page, your logo, Classification and your Responsibility Chain.
Q. May I suppress a vulnerability?
Yes, you can mark a vulnerability as False Positive and insert Notes and a Vulnerability Status, all associated to a specific author. That information will be used in the next Analysis and included in the reports. See False Positives and False Negatives.
Q. In Static Analysis, may I create custom Security Rules?
You can exclude some of the available Security Rules from the Static Analysis, or you can create new Security Rules using the Cigital Secure Assist standard. Those rules can be associated to a specific analysis or to a single Application or Group of applications.
Q. Which Development IDEs are supported?
Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins.
CI Plugins FAQ
Q. Which Infrastructure is required for running your CI plugins?
The only data used by our CI Plugins concerns the External Sources used in Software Composition Analysis. Such data is stored temporarily in an H2 database and refreshed automatically. No backup or maintenance is needed.
Only the Software Composition Analysis CI Plugin requires Internet access, in order to reach the External Sources. An internal Proxy Server belonging to your organization can be used. It must be configured inside your CI Platform:
The Software Composition Analysis (SCA) CI Plugin supports various Package Managers. See Package Managers. For both Static Analysis and Software Composition Analysis, Ant, Maven and Gradle plugins are available.
Q. How Security Rules are maintained up-to-date?
Q. For each Security Vulnerability, which details are provided?
Yes. We analyze both System Libraries and the Libraries/Frameworks used in applications. See Containers Security for further details.
Q. May I isolate a vulnerable Library/Framework, to avoid publishing it?
At Analysis termination, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can also be made using Slack, Microsoft Teams, or sent to any Platform with WebHooks support. See Ecosystem for further details.
Q. Which Analysis results output formats are supported?
Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins.
Q. Which Continuous Integration Platforms do you support?
Our CI Plugins integrate with Issue Tracking in two different ways:
Q. Do you integrate with external Dashboards, like SonarQube or ThreadFix?
Yes, the SonarQube and ThreadFix integrations are natively supported. Other dashboards are supported via OWASP Dependency-Track. See Dashboards.
Q. Do you provide REST API and CLI interfaces?
Firmware Reviewer executes both Static and Dynamic Analysis. After extracting the bootloader and file system from the image, the Static Analysis consists of executing a Task List, which includes checking the OS, system libraries, 3rd-party libraries, executables and scripts against CVE and Exploit databases to find known vulnerabilities. Script source code is also submitted to Security Reviewer's SAST module to check for OWASP, WASC and CWE vulnerabilities. It also reveals Visible configuration, IPs, e-mails, URIs, Visible Services, Unwanted Programs and Compliance Issues. Dynamic Analysis consists of Device Emulation and of applying attacker patterns to the firmware image. Dynamic Analysis also executes a Hardening Compliance test and other tests such as Malware Scanning, using an embedded version of Metasploit against our own collection of rules. See the Malware related question below.
Q. Firmware Reviewer executes the Dynamic Analysis using simulation techniques. How can it simulate complex devices?
Firmware Reviewer emulates a device using our own enhanced version of QEMU. For complex firmware images it can execute a Partial emulation (bootloader and init system) and install a Bootloader Agent (/wiki/spaces/KC/pages/1455980582) in the firmware bootloader, in order to manage encrypted firmware and gain access to login credentials. This increases the comprehensiveness and accuracy of the Dynamic Analysis.
Firmware Reviewer provides a Plugin Developer's Kit as well as a REST API (/wiki/spaces/KC/pages/1406631937) interface. External tools are orchestrated within dedicated plugins and, in the case of external systems, through the REST API. Results are automatically correlated into a single report.
Firmware Reviewer makes use of Security Reviewer's native SAST module to analyze source code found inside the firmware image (shell scripts, Python, PHP, Lua, JavaScript, etc.) in order to check for OWASP, WASC and CWE vulnerabilities.
Q. How are exposed vulnerable functions detected by Firmware Reviewer?
Q. I discovered that I have some users for service startup with an Empty or Default Password. Firmware Reviewer reports them as vulnerable users. How can I test whether those users are exploitable?
Using our Bootloader Agent (/wiki/spaces/KC/pages/1455980582), users with empty or default passwords are automatically monitored by Firmware Reviewer. At Emulation runtime, when a service is accessed using the real credentials, the Bootloader Agent (/wiki/spaces/KC/pages/1455980582) tracks it and tries to use those real credentials to log in. Firmware Reviewer never accesses physical devices; it only emulates them.