SAST - Static Application SAST - Static Application Security Testing
Static Reviewer is the SAST module (Static Analysis Security Testing), part of Security Reviewer suite, built on top of the lessons learned through hundreds of thousands of scans performed since 2001, constantly evolving to match new technologies and threats. It is guided by the largest and most comprehensive set of secure coding rules and supports a wide array of languages, platforms, build environments and integrated development environments (IDEs). Compliant with: OWASP, CWE, SQALE, CISQ, CVE, CVSS, WASC, MISRA, CERT, with DISA, STIG, and NIST references. The Rule Engine with its internal multi-threaded, optimized state machine based on Dynamic Syntax Tree, is the fastest in the market. It does not need any internal or external DBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering, makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code, with very rare cases of False Positives.
...
Static Reviewer and Quality Reviewer, released in the Security Reviewer Suite, are provided both On Premise (Desktop, CI Plugins, Maven / Gradle / SBT / SonarQube Plugins, Ant Task and CLI Interface tested with many CI/CD platforms) and in Cloud (our Web App offered in an high-performance European or American Secured Cloud Infrastructure), as Container (Docker, Kubernetes, OpenShift or any other APPC-compliant). Static Reviewer executes code checks according most relevant Secure Coding Standards for commonly used Programming Languages. It offers a unique, full integration between Static Analysis (SAST), Software Composition Analysis and DAST (Dynamic) analysis, directly inside Programmers IDE.
...
Limit access to a single or a group of Static Reviewer features
Change Rulesì Rules priority (Severity)
Add suggestions to reduce recurring False Positives by Evidence
Add a new Rule to the Static Reviewer’s Rules XML File
Add a Report File for replacing an existing one.
...
A Certified User, once purchased the Admin Kit, will receive a 1-day training by us, concerning how to design a custom rule Custom Rule properly.
Personnel using this Admin Kit should have the following Professional Profile:
...
...
SCM Integrations
You can directly checkout (push) source code from the following SCM platforms:
SubVersion (SVN)
IBM Rational ClearCase
Perforce
Mercurial
AccuRev
The source code will be stored temporary in an encrypted folder and loaded in a secure buffer.
Analysis Results can be stored in the above SCM platforms.
You can do that using our Jenkins plugin or directly from our Desktop app.
File Servers
All our products can work accessing files on local file system, as well as the following File Sharing Systems:
...
Static Reviewer does not need RBDMS to run, and it is fully extensible via XML. It is able to analyze SQL code written on different SQL Dialects.
Our unified Dashboard, named Team Reviewer supports (configurable) the following RDBMS:
Oracle MySQL 5.6 or higher
Oracle Database RAC 12 or newer (includes Oracle APEX)
Microsoft SQL Server 2012 or newer
PostgreSQL 9.0 and higher
Alpine H2 1.4.196 or newer
MariaDB 10.x
| Anchor | ||||
|---|---|---|---|---|
|
...
Requests and Responses log. Our CI Plugins rely on your CI Platform for this kind of logging. See: https://jenkins.io/doc/pipeline/steps/http_request/ and https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Audit log. Our CI Plugins rely on your CI Platform for this kind of logging. See: https://plugins.jenkins.io/audit-log and https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Application log. Our Ci Plugin write XML cloned as plain-text in the current CI Workspace, using slf4j. Further the application log is written in the standard CI Console Output
Access log. See https://wiki.jenkins.io/display/JENKINS/Access+Logging and https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Vulnerability detection log. Two Vulnerability logging ways are provided: Inside Application log (see above) and a separate XML log in the current CI Workspace, using slf4j
The above logs are customizable according the customer needs.
| Anchor | ||||
|---|---|---|---|---|
|
...
C#, Vb.NET, VB6, ASP, ASPX, Java, JSP, JavaScript (client side & server side), TypeScript, Java Server Faces, Ruby, Python, R, GO, Clojure, Groovy, PowerShell, Rust, HTML5, XML, XPath, C, C++ (see C/C++ Options), ESQL/C, PRO*C, PHP, SCALA,, IBM Streams Processing Language, Shell (bash, sh, csh, ksh), Perl, Julia, LUA, COBOL (see COBOL Options), JCL, ABAP, SAP-HANA, Adabas NATURAL, Terraform, CloudFormation, Ansible Tasks, github Actions, Dockerfile, Kubernetes, DTSX, RDL, RDLS, Oracle BPEL and BPMN.
Mobile: Android Java, Android C++ SDK, Kotlin, Objective-C, Objective C++, Swift (including templates). Support for 47 Mobile Development Frameworks: https://en.wikipedia.org/wiki/Mobile_app_development
SQL Dialects: PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, Adabas SQL, IBM Datastage, ANSI SQL, IBM DB2, IBM Informix, IBM Netezza, SAP Sybase, Micro Focus Vertica, MySQL, FireBird, PostGreSQL, SQLite, Hibernate Query Language, Hadoop PL, HiveQL, CockroachDB, ADABAS, NonStopSQL, GoogleSQL (BigQuery).
NoSQL. MongoDB, CouchDB, Azure Cosmos DB, basho, CouchBase, Scalaris, Neo4j, InfiniSpan, Hazelcast, Apache Hbase, Dynomite, Hypertable, cloudata, HPCC, Stratosphere, Amazon DynamoDB, Oracle NoSQL, Datastax, ElasticDB, OrientDB, MarkLogic, RaptorDB, Microsoft HDInsight, Intersystems, RedHat JBoss DataGrid, IBM Netezza, InfiniDB, BigMemory, GemFire., Accumulo GigaSpaces, SAP Hana, Couldera, memBase, simpleDB, redis, Apache Cassandra, GraphQL.
...
Supported Libraries and Frameworks (Static Analysis):
JAVA: 146 Frameworks
https://en.wikipedia.org/wiki/List_of_Java_Frameworks
...
Go: 19 Frameworks (Beego, Buffalo, Echo, FastHTTP, Fiber, Gin/Gin-Gonic, Gocraft, Goji, Gorilla, Go-zero, Iris, Kit, Kratos, Mango, Martini, Mux (HttpRouter), Net/HTTP, Revel, Web.go)
Machine Learning
Security Reviewer service uses machine learning algorithms to feed off the hundreds of millions of anonymous audit decisions from Security Reviewer experts. These decision models are actively used and developed for Cloud Reviewer, but are also technologies that can be automatically applied on-prem to Static Reviewer results.
Static Reviewer analysis is divided in two steps:
...
Julia: 34 frameworks. Pluto, Flux, IJulia, DifferentialEquations, Genie, Makie, JuMP, Gadfly, Gen, Plots, DataFrames, MLJ, Knet, Zygote, UnicodePlots, Mocha, BeautifulAlgorithms, ModelingToolkit, Symbolics, AlphaZero, Revise, Distributions, Dash-bootstrap-components, CUDA, Optim, BrainFlow, TensorFlow, Franklin, DSGE, Yao, Oceananigans, ForwardDiff, DiffEqFlux, Javis
Machine Learning
Security Reviewer service uses machine learning algorithms to feed off the hundreds of millions of anonymous audit decisions from Security Reviewer experts. These decision models are actively used and developed for Cloud Reviewer, but are also technologies that can be automatically applied on-prem to Static Reviewer results.
Static Reviewer analysis is divided in two steps:
Hybrid Analysis: Security Reviewer creates an in-memory Dynamic Syntax Tree of analized app, mixing Static (on source code) and Sandboxed Analysis (on compiled code)
Taint Analysis: Security Reviewer contains its own Machine Learning system that acts on the output of the Hybrid analyzer, that is the in-memory Dynamic Syntax Tree.
...
Parameters: Parameters in Naive Bayes are the estimates of the true distribution of whatever we're trying to classify. The variables your algorithm is trying to tune to build an accurate model..
Classifier: Classifiers are also referred to group of attributes. .
...
Feature mapping derives simple-structured features from the Dynamic Syntax Tree, and create specifc Classifiers.
In the Static Analysis, Features are a huge number of objects that cannot be learned one-by-one. A given Classifier is abstracted as a set of features:
...
All analyses but the first will automatically remove the useless Classifiers, enahncing the scan accuracy.
Forget about False Positives
The two above mentioned steps guarantee a cleansed analysis output, with almost zero False Positives.
...
Security Reviewer uses Blockchain to publish anonymous Effort Estimation data, under permission of voluntary organizations using our products, through Consensus Algorithms. It maintains a repository of data from numerous organizations' completed software projects. In particular, the repository has provided research data on several topics, including APPW metrics, COCOMO, COSMIC, SLOC, LLOC, WMC, Cyclomatic Complexity, Technical Debt, Function Points, Country, Industry, Application Type, Project duration, and Cost estimation. A software benhmarking experiment performed by Security Reviewer determined whether using anonymous data provides any valuable information to an organization. The organization's completed projects are compared to similar projects in a Blockchain to establish averages for the organization and the industry as a whole. A critical aspect of the repository is confidentiality. Each organization is represented by a code (for example, “contributed by Organization X”) so that Security Reviewer can identify projects without revealing the organization itself. Codes are not available to the public, and create specifc Classifiers.
In the Static Analysis, Features are a huge number of objects that cannot be learned one-by-one. A given Classifier is abstracted as a set of features:
...
All analyses but the first will automatically remove the useless Classifiers, enahncing the scan accuracy.
Forget about False Positives
The two above mentioned steps guarantee a cleansed analysis output, with almost zero False Positives.