Versions Compared

Old Version 132

changes.mady.by.user Laura Mandolini

Saved on

compared with

New Version 133

changes.mady.by.user Laura Mandolini

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SAST - Static Application Security Testing 

Static Reviewer and Quality Reviewer, released in the Security Reviewer Suite, are provided both On Premise (Desktop, CI Plugins, Maven / Gradle / SBT / SonarQube Plugins, Ant Task and CLI Interface tested with many CI/CD platforms) and in Cloud (as Virtual Desktop or REST API Server), as Container (Docker, Kubernetes, OpenShift or any other APPC-compliant), executes code checks according most relevant Secure Coding Standards for commonly used Programming Languages. It offers a unique, full integration between Static Analysis (SAST) and DAST (Dynamic) analysis, directly inside Programmers IDE.

...

The rule engine, with its internal multi-thread - optimized state - machine based on Dynamic Syntax Tree, is the fastest in the market, 52x faster than competitors. It does not need any internal or external RDBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering, makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code, with very rare cases of False Positives.

...

Containers Platforms

...

Using built-in design 9000+ validation rules, during Code Review process it can highlight violations and even suggest changes that would improve the structure of the system. it creates an abstract representation of the program, based on Dynamic Syntax Tree own patented algorithm.

...

CI/CD Platforms Integrations

...

SCM Integrations

You can directly checkout (push) source code from the following SCM platforms:

The source code will be stored temporary in an encrypted folder and loaded in a secure buffer.

Analysis Results can be stored in the above SCM platforms.

You can do that using our Jenkins plugin or directly from our Desktop app.

File Servers

All our products can work accessing files on local file system, as well as the following File Sharing Systems:

...

  • Oracle MySQL 5.6 or higher

  • Oracle Database RAC 12 or newer

  • Microsoft SQL Server 2012 or newer

  • PostgreSQL 9.0 and higher

  • Alpine H2 1.4.196 or newer

  • MariaDB 10.x

Anchor
logging
logging
Logging

...

The above logs are customizable according the customer needs.

Anchor
languages
languages
Supported Programming Languages

...

Supported Libraries and Frameworks (Static Analysis)

JAVA: 146 Frameworks

https://en.wikipedia.org/wiki/List_of_Java_Frameworks

...

  • Hybrid Analysis: Security Reviewer creates an in-memory Dynamic Syntax Tree of analized app, mixing Static (on source code) and Sandboxed Analysis (on compiled code)

  • Taint Analysis: Security Reviewer contains its own Machine Learning system that acts on the output of the Hybrid analyzer, that is the  in-memory Dynamic Syntax Tree. 

...

Let's start with some definitions:

...

Parameters: Parameters in Naive Bayes are the estimates of the true distribution of whatever we're trying to classify. The variables your algorithm is trying to tune to build an accurate model..

Classifier: Classifiers are also referred to group of attributes. .

...

Feature mapping derives simple-structured features from the Dynamic Syntax Tree, and create specifc Classifiers.
In the Static Analysis, Features are a huge number of objects that cannot be learned one-by-one. A given Classifier is abstracted as a set of features:

...

Security Reviewer uses Blockchain to publish anonymous Effort Estimation data, under permission of voluntary organizations using our products. It maintains a repository of data from numerous organizations' completed software projects. In particular, the repository has provided research data on several topics, including APPW metrics, COCOMO, COSMIC, SLOC, LLOC, WMC, Cyclomatic Complexity, Technical Debt, Function Points, Country, Industry, Application Type, Project duration, and Cost estimation. A software benhmarking experiment performed by Security Reviewer determined whether using anonymous data provides any valuable information to an organization. The organization's completed projects are compared to similar projects in a Blockchain to establish averages for the organization and the industry as a whole. A critical aspect of the repository is confidentiality. Each organization is represented by a code (for example, “contributed by Organization X”) so that Security Reviewer can identify projects without revealing the organization itself. Codes are not available to the public.

CI PLUGINS

Security Reviewer Static Analysis

...

Software Composition Analysis Desktop, Jenkins and Bamboo native plugins and CLI Interface (test on many CI/CD platforms) provide a 360 degrees solution covering all your DevOps needs. 3rd-party libraries can be analyzed (Open Source Analysis-OSA) using a shared folder located on Network File System (NFS), a Nexus Repository or JFrog Artifactory for discovering Vulnerable Libraries, Vulnerable Frameworks, Blacklisted/ Discontinued/ Outdated / Obsolete/ Deprecated libraries and frameworks. Legal issues like: Blacklisted Licenses, Licenses Conflict, No-licensed libraries, Suspicious (modified) licenses and Poor-man Copyrights are fully-detected from the tool.

...

Security Reviewer SCA can publish results to a bunch of Dashboards like: OWASP Dependency Track, Kenna Security, CodeDx, Micro Focus Fortify SSC, SonarQube and ThreadFix, as well as to your preferred Defect Tracker (JIRA, BugZilla, etc.).

...

COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.