SAST - Static Application Security Testing
...
SAST - Static Application Security Testing
Static Reviewer is the SAST (Static Analysis Security Testing) part of Security Reviewer suite, built on top of the lessons learned through hundreds of thousands of scans performed since 2001, constantly evolving to match new technologies and threats. It is guided by the largest and most comprehensive set of secure coding rules and supports a wide array of languages, platforms, build environments and integrated development environments (IDEs). Compliant with: OWASP, CWE, CVE, CVSS, MISRA, CERT. The Rule Engine with its internal multi-threaded, optimized state machine based on Dynamic Syntax Tree, is the fastest in the market. It does not need any internal or external DBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering, makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code, with very rare cases of False Positives.
Static Reviewer and Quality Reviewer, released in the Security Reviewer Suite, are provided both On Premise (Desktop, CI Plugins, Maven / Gradle / SBT / SonarQube Plugins, Ant Task and CLI Interface tested with many CI/CD platforms) and in Cloud (as Virtual Desktop or REST API Server), as Container (Docker, Kubernetes, OpenShift or any other APPC-compliant), executes code checks according most relevant Secure Coding Standards for commonly used Programming Languages. It offers a unique, full integration between Static Analysis (SAST) and DAST (Dynamic) analysis, directly inside Programmers IDE.
...
Once you created your Rules XML file, you developed your Custom Rules and built your DLL, you must submit them all by launching Security Reviewer – Admin Kit:
...
You can decide either to share your Custom Rules with the Community, or to reserve those Custom Rules to your company only.
...
The rule engine, with its internal multi-thread - optimized state - machine based on Dynamic Syntax Tree, is the fastest in the market, 52x faster than competitors. It does not need any internal or external RDBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering, makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code, with very rare cases of False Positives.
Static Reviewer supports running in the below listed infrastructures:
Hosts
CentOS 7/8
Microsoft Windows 10/2008/2012/2016/2019
Ubuntu 16.04/18.04/19.04/19.10/20.04 both server and desktop
Fedora 21 or newer
SuSE Linux Enterprise 12 or newer
RedHat RHEL 7 or newer
Mac OSx 10.11 “El Capitan” or newer
Virtualization Platforms
Oracle VirtualBox 6.0.0 or newer
Microsoft Hyper-V for Windows 10/2008/2012/2016/2019
Red Hat Enterprise Virtualization 3.6 or newer
KVM (Kernel-based Virtual Machine) kvm-44 or later
Containers Platforms
System Requirements
Desktop
2-Core CPU
4GB RAM
1TB Free space on Disk
Windows 10, 2008 R2, 2012 R2, 2016, 2019
.NET Framework 4.7.2
WineHQ 5.11 on Linux environment
Every running analysis will take about 700MB RAM. You can run up to 5 analysis on the same desktop.
IDE
Please refer to you preferred IDE requirements, like Eclipse, Visual Studio, JetBrains, NetBeans.
DevOps
In case of DevOps CI/CD integration please refer to Jenkins or Bamboo requirements.
REST API Server
8-Core CPU
16GB RAM
1TB Free space on Disk
Windows 2008 R2, 2012 R2, 2016, 2019
Oracle JDK 1.8_241
Apache Tomcat 8.5
You can run up to 20 simultaneous analyses on same server. Over 20 will be automatically queued.
Server architecture is scalable, you can add as servers as you wantlaunching Security Reviewer – Admin Kit:
...
You can decide either to share your Custom Rules with the Community, or to reserve those Custom Rules to your company only.
DevOps CI/CD Integration
...
SCM Integrations
You can directly checkout (push) source code from the following SCM platforms:
SubVersion (SVN)
IBM Rational ClearCase
Perforce
Mercurial
AccuRev
The source code will be stored temporary in an encrypted folder and loaded in a secure buffer.
Analysis Results can be stored in the above SCM platforms.
You can do that using our Jenkins plugin or directly from our Desktop app.
File Servers
All our products can work accessing files on local file system, as well as the following File Sharing Systems:
Network File System (NFS)
Samba
FTP, TFTP, SFTP, FTP-S
UNC Paths
Permalinks
...
Oracle MySQL 5.6 or higher
Oracle Database RAC 12 or newer
Microsoft SQL Server 2012 or newer
PostgreSQL 9.0 and higher
Alpine H2 1.4.196 or newer
MariaDB 10.x
Anchor | ||||
---|---|---|---|---|
|
...
Requests and Responses log. Our CI Plugins rely on your CI Platform for this kind of logging. See: https://jenkins.io/doc/pipeline/steps/http_request/ and https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Audit log. Our CI Plugins rely on your CI Platform for this kind of logging. See: https://plugins.jenkins.io/audit-log and https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Application log. Our Ci Plugin write XML cloned as plain-text in the current CI Workspace, using slf4j. Further the application log is written in the standard CI Console Output
Access log. See https://wiki.jenkins.io/display/JENKINS/Access+Logging and https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Vulnerability detection log. Two Vulnerability logging ways are provided: Inside Application log (see above) and a separate XML log in the current CI Workspace, using slf4j
The above logs are customizable according the customer needs.
Anchor | ||||
---|---|---|---|---|
|
Static Analysis
...
Static Analysis supports the following programming languages:
...
Supported Libraries and Frameworks (Static Analysis):
JAVA: 146 Frameworks
https://en.wikipedia.org/wiki/List_of_Java_Frameworks
...
Mobile: support for 47 Mobile Development Frameworks: https://en.wikipedia.org/wiki/Mobile_app_development
...
Machine Learning
Security Reviewer analysis is divided in two steps:
...
Parameters: Parameters in Naive Bayes are the estimates of the true distribution of whatever we're trying to classify. The variables your algorithm is trying to tune to build an accurate model..
Classifier: Classifiers are also referred to group of attributes. .
...
Security Reviewer uses Blockchain to publish anonymous Effort Estimation data, under permission of voluntary organizations using our products. It maintains a repository of data from numerous organizations' completed software projects. In particular, the repository has provided research data on several topics, including APPW metrics, COCOMO, COSMIC, SLOC, LLOC, WMC, Cyclomatic Complexity, Technical Debt, Function Points, Country, Industry, Application Type, Project duration, and Cost estimation. A software benhmarking experiment performed by Security Reviewer determined whether using anonymous data provides any valuable information to an organization. The organization's completed projects are compared to similar projects in a Blockchain to establish averages for the organization and the industry as a whole. A critical aspect of the repository is confidentiality. Each organization is represented by a code (for example, “contributed by Organization X”) so that Security Reviewer can identify projects without revealing the organization itself. Codes are not available to the public.
CI PLUGINS
Security Reviewer Static Analysis
...