SAST - Static Application Security Testing 

Static Reviewer is the SAST module (Static Analysis Security Testing) of the Security Reviewer suite, built on top of the lessons learned through hundreds of thousands of scans performed since 2001 and constantly evolving to match new technologies and threats. It is guided by the largest and most comprehensive set of secure coding rules and supports a wide array of languages, platforms, build environments and integrated development environments (IDEs). It is compliant with OWASP, CWE, SQALE, CISQ, CVE, CVSS, WASC, MISRA and CERT, with DISA, STIG and NIST references. The Rule Engine, with its internal multi-threaded, optimized state machine based on a Dynamic Syntax Tree, is the fastest on the market. It does not need any internal or external DBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct the intended layering makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected into the source code, with very rare cases of False Positives.

...

Static Reviewer and Quality Reviewer, released in the Security Reviewer Suite, are provided On Premise (Desktop, CI Plugins, Maven / Gradle / SBT / SonarQube Plugins, Ant Task and CLI Interface, tested with many CI/CD platforms), in the Cloud (as Virtual Desktop, REST API Server or Web App, offered on a high-performance European or American secured Cloud Infrastructure) and as a Container (Docker, Kubernetes, OpenShift or any other APPC-compliant runtime). Static Reviewer executes code checks according to the most relevant Secure Coding Standards for commonly used Programming Languages. It offers a unique, full integration between Static Analysis (SAST), Software Composition Analysis and DAST (Dynamic) analysis, directly inside the programmer's IDE.

...

An application can be made of different Programming Languages

Security Reviewer recognizes all programming languages that compose the analyzed app, as well as the Dominant Language (i.e. the Language with the highest LOC).

...

The analysis will be done automatically after you enter the Source Code Path, Application (Product) and Engagement (Version).

Optionally, you can fine-tune the Analysis by setting Analysis Options and Language Options; for example, you may set the API Level, SDK and Frameworks for each Programming Language used in your app.

...

Auditor

Your current username is set by default in the Auditor field. You can change this field before scanning.

Audit Date

You can change the Audit Date as you wish by selecting the proper date in the calendar.

...

If you select “New and Changed Files only”, the analysis results will cover new and updated files only.

Language

Choose the Language Set. If your Application is written using more than one Programming Language Set, this will be discovered automatically.

SQL Dialect

If you have SQL scripts in your Application, choose their SQL Dialect.

Load Type

You can choose:

  • Folder. Open a folder containing your source code. This is the most useful feature and can scan incomplete, uncompiled source code. When you scan JAVA files, the scan covers the related HTML, JSP pages, JSF, XML, SQL and JavaScript too. An Open Folder dialog box will appear; choose the folder where the source code is located. When you scan C/C++ files, you can set the Target Platform as well as the Target Compiler, using the C/C++ Options tab settings.

  • Project. Open Visual Studio Project(s). Visual Studio (2003 to 2015) “.??proj” files are supported: C#, C++/CLI or VB.NET with the related HTML, ASP and ASPX pages as well as JavaScript and XML. SR will search all source files referenced by the selected projects, listing them in the Files List frame. Be aware of orphaned files.

  • ClassPath. In JAVA, you can optionally run a scan based on the “.classpath” files located in every folder to include, for a faster scan.

  • Component. If you have the APM Pack installed, choosing this option makes Security Reviewer analyze your application as you structured it using Component Builder.

Framework – JDK - API Level

In case of .NET source code, if the .NET Framework version cannot be obtained automatically, you can choose which .NET Framework version was used during development. The same applies to JDK, API Level (Android) or MFC versions.

Ruleset

...

Choose a Ruleset in the related combo box (Security or Deadcode): OWASP Top Ten 2021, OWASP API Security Top Ten 2019, OWASP Top Ten 2017, OWASP Top Ten 2013, OWASP Top Ten 2010, OWASP Mobile Top Ten 2016, OWASP Mobile Top Ten 2014, CWE or your own Custom Ruleset (see the related chapter below). If a Mobile app is detected, OWASP Mobile Top Ten 2016 will be set automatically (OWASP Mobile Top Ten 2014 is also available). Dead code analysis will use the CWE ruleset only. Beyond OWASP and CWE, WASC and CVE will also be detected in every analysis. Additionally, PCI-DSS 4.0 and 3.2.1, CVSS Base Score 3.1 and NIST, DISA and STIG references are added when applicable.

Scan Options

Additional Scan Options are provided to target the scan more precisely:

Source Code options

You can choose how many lines will be shown on screen and in reports before and after the line on which a violation was found.

Warning Timeout

Set the proper Timeout in seconds to be applied to the pattern search before a Warning is generated. For analyzing complex source code, it is suggested to set the Warning Timeout to 50 or more.

Trusted

Enable it if your application runs in a Trusted environment. You can choose:

  • Public Functions (default). The parameters of public functions are considered ‘Trusted’ (console application, dedicated JVM or CLR, dedicated Application Server, etc.)

  • DB Queries. When the results of Database Queries do not need to be validated

  • Environment Variables-Properties. When Environment Variables and Property Files are considered trusted (environment dedicated to the system user associated with the application)

  • Socket. When data read as plaintext from a Socket does not need to be validated (i.e. read from a local Daemon)

  • Servlet/WS requests. When Servlet or Web Services requests are considered trusted (for example, a local servlet or WS-Security)

Severity level

You can target the scan to some Severities only.

  • Dead Code / Best Practices. If disabled, the Dead Code and Best Practices Analysis won’t be executed

  • Resilience. If disabled, the Software Resilience Analysis won’t be executed

  • Quality Analysis. If disabled, the Quality Analysis won’t be executed

  • Do not apply Exclusions. By enabling this option, you skip the Exclusion List

  • Send to Dashboard. You can choose whether the Analysis Results, Logs and Reports will be sent to Team Reviewer

...

In order to reduce the number of vulnerabilities to manage, it is suggested to set Max vulnerabilities per line of code to 1 on the first scan and then, after some remediation tasks have been accomplished, set it to 5. This lets you focus on the priority code interventions that solve the most important vulnerabilities. If SR finds more vulnerabilities on the same line of code, it will keep the one with the highest severity.
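The per-line cap described above, as an added example of how a results post-processor can apply it (this is illustrative code written for this page, not Security Reviewer's own implementation; the severity ranking, the `Finding` record and the sample findings are assumptions):

```python
from dataclasses import dataclass

# Assumed severity ranking: the page only states that the highest severity wins.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by the scanner (hypothetical record layout)."""
    file: str
    line: int
    rule: str
    severity: str


def cap_per_line(findings, max_per_line=1):
    """Keep at most `max_per_line` findings per (file, line), highest severity first.

    Ties on severity are broken by rule name so the result is deterministic.
    """
    if max_per_line < 1:
        raise ValueError("max_per_line must be >= 1")
    by_line = {}
    for f in findings:
        by_line.setdefault((f.file, f.line), []).append(f)
    kept = []
    for key in sorted(by_line):
        ranked = sorted(by_line[key], key=lambda f: (-SEVERITY_RANK[f.severity], f.rule))
        kept.extend(ranked[:max_per_line])
    return kept


def triage(findings, remediated, max_per_line):
    """Second-pass workflow: drop findings already fixed, then apply the wider cap.

    `remediated` is a set of (file, line, rule) tuples marked as resolved.
    """
    remaining = [f for f in findings if (f.file, f.line, f.rule) not in remediated]
    return cap_per_line(remaining, max_per_line)


# Constructed sample: three findings share Login.java:42, two share Util.java:10.
SAMPLE = [
    Finding("Login.java", 42, "CWE-89 SQL Injection", "High"),
    Finding("Login.java", 42, "CWE-20 Improper Input Validation", "Medium"),
    Finding("Login.java", 42, "CWE-532 Information Exposure Through Log", "Low"),
    Finding("Login.java", 77, "CWE-798 Hard-coded Credentials", "Critical"),
    Finding("Util.java", 10, "CWE-327 Broken Crypto", "Medium"),
    Finding("Util.java", 10, "CWE-338 Weak PRNG", "Medium"),
]

if __name__ == "__main__":
    # First scan: one finding per line, so the SQL injection on line 42 is what gets fixed first.
    for f in cap_per_line(SAMPLE, 1):
        print(f"{f.file}:{f.line} [{f.severity}] {f.rule}")
    # After remediation: widen to 5 per line to surface what was hidden behind the top finding.
    fixed = {("Login.java", 42, "CWE-89 SQL Injection")}
    for f in triage(SAMPLE, fixed, 5):
        print(f"{f.file}:{f.line} [{f.severity}] {f.rule}")
```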

.NET Partial Classes

Enabling No Dead Code for Partial Classes provides separate processing for .NET Partial Classes, avoiding False Positives on Dead Code issues.

Internet

Enable it if you are analyzing an Application exposed to the Internet. The rules applied will be stricter.

Target Browser

If you want to focus your Static Analysis on a specific target browser, select this option. A list of the most important versions of Internet Explorer, Chrome, Firefox, Opera and Safari will be shown. This changes the analysis perspective, focusing on the vulnerabilities and compatibility issues of that browser.

Attack Vectors

Select this option to generate Attack Vector information during the Scan. This feature takes into account every point of vulnerability of the analyzed app.

Baseline

Select it if your version has to be considered the baseline. In differential comparison reports, your baseline will be highlighted.

C++ Options

In case of C/C++ source code, you can set C or C++ Options. Besides the Windows compilers (Visual Studio, JetBrains Rider and Embarcadero), Security Reviewer supports:

...

Target COBOL Version. For precise parsing of the right COBOL Dialect.

...

Security Reviewer supports the largest number of COBOL platforms in the market.

...

Secure Code Analysis

Static Reviewer can run either at Client side or at Server side. You can run it using our Desktop application, the Developer's IDE, the command line or our DevOps CI/CD plugins. Developers can also run Secure Code Analysis at server side via automated integration with our REST API server. See REST API Hardware Requirements for further details.

...

When launching a new Static Analysis, you can set the Load Type to Component.

...

Results

Once the Static Analysis is finished, you can view Results associated to one Component, or to ALL Components:

...

False Positives

You can mark all of a Component's Vulnerabilities as False Positives by selecting the Component and pressing Select All:

...

Cover letters are customizable for ISO 9001 compliance. You can insert two logos, the ISO Responsibility chain (Created by, Approved by, Verified By), the ISO Template code, a Disclaimer note and Report Confidentiality.

...

  • Limit access to a single Static Reviewer feature or a group of features

  • Change Rules' priority (Severity)

  • Add suggestions to reduce recurring False Positives by Evidence

  • Add a new Rule to the Static Reviewer’s Rules XML File

  • Add a new Custom .NET Core DLL with implemented Rules to be executed during Static Analysis. This DLL will be added to the related programming Language Engine, using Aspect.NET

  • Add a Report File to replace an existing one

...

  • At least 3 years of experience using Security Reviewer as an Auditor. At least 100 Audits per year are required

  • At least 5 years of experience in Secure Coding with Microsoft® .NET

  • In-depth knowledge of the OWASP and CWE Compliance standards and of the CVSS Risk methodology, all applied to at least 5 programming languages

  • At least 5 years of experience in executing Static Analyses compliant with OWASP Top Ten 2013 or 2017, Common Weakness Enumeration (CWE) 2.9 or newer, Web Application Security Consortium (WASC) and PCI-DSS 3.1 or newer

  • Having developed at least 3 projects in each of 5 different programming languages during the last 5 years

  • “Security Reviewer Certified Professional – Master Rule Programming” Certified

...

You can Enable/Disable and change Severity of existing Vulnerability Detection Rules (authorized users only):

...

You can create your Custom Rules (authorized users only):

...

Once you have created your Rules XML file, developed your Custom Rules and built your own Rules DLL, you must submit them all by launching Security Reviewer – Admin Kit:

...

and sending them to us using the Send button.

You can decide either to share your Custom Rules with the Community, or to reserve those Custom Rules to your company only.

You can declare Recurring False Positives by Evidence (authorized users only):

...

DevOps CI/CD Integration 

...

Using 9000+ built-in validation rules, during the Code Review process it can highlight violations and even suggest changes that would improve the structure of the system. It creates an abstract representation of the program, based on its own patented Dynamic Syntax Tree algorithm.

...

CI/CD Platforms Integrations

Cloud Platforms supported (CI Plugins):

SCM Integrations

You can directly check out source code from the following SCM platforms:

The source code will be stored temporarily in an encrypted folder and loaded into a secure buffer.

Analysis Results can be stored in the above SCM platforms.

You can do that using our Jenkins plugin or directly from our Desktop app.

File Servers

All our products can work accessing files on local file system, as well as the following File Sharing Systems:

...

Static Reviewer does not need an RDBMS to run, and it is fully extensible via XML. It is able to analyze SQL code written in different SQL Dialects.

Our unified Dashboard, named Team Reviewer, supports the following RDBMS (configurable):

  • Oracle MySQL 5.6 or higher

  • Oracle Database RAC 12 or newer (includes Oracle APEX)

  • Microsoft SQL Server 2012 or newer

  • PostgreSQL 9.0 and higher

  • Alpine H2 1.4.196 or newer

  • MariaDB 10.x

Logging

...

The above logs are customizable according to the customer's needs.

Supported Programming Languages

...

C#, VB.NET, VB6, ASP, ASPX, Java, JSP, JavaScript (client side & server side), TypeScript, Java Server Faces, Ruby, Python, R, GO, Clojure, Groovy, Flex, ActionScript, PowerShell, Rust, LUA, Auto-IT, HTML5, XML, XPath, C, C++ (see C/C++ Options), ESQL/C, PRO*C, PHP, SCALA, IBM Streams Processing Language, Shell (bash, sh, csh, ksh), Perl, Julia, PowerBuilder, COBOL (see COBOL Options), JCL, RPG, PL/I, ABAP, SAP-HANA, Adabas NATURAL, Terraform, CloudFormation, Ansible Tasks, GitHub Actions, Dockerfile, Kubernetes, DTSX, Oracle BPEL and BPMN.

Mobile: Android Java, Android C++ SDK, Kotlin, Objective-C, Objective C++, Swift (including templates). Support for 47 Mobile Development Frameworks: https://en.wikipedia.org/wiki/Mobile_app_development

SQL Dialects: PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, Adabas SQL, IBM Datastage, ANSI SQL, IBM DB2, IBM Informix, IBM Netezza, SAP Sybase, Micro Focus Vertica, MySQL, FireBird, PostgreSQL, SQLite, MongoDB, Hibernate Query Language, Hadoop PL, HiveQL, CockroachDB, ADABAS, NonStopSQL.

NoSQL: MongoDB, CouchDB, Azure Cosmos DB, basho, CouchBase, Scalaris, Neo4j, InfiniSpan, Hazelcast, Apache Hbase, Dynomite, Hypertable, cloudata, HPCC, Stratosphere, Amazon DynamoDB, Oracle NoSQL, Datastax, ElasticDB, OrientDB, MarkLogic, RaptorDB, Microsoft HDInsight, Intersystems, RedHat JBoss DataGrid, IBM Netezza, InfiniDB, BigMemory, GemFire, Accumulo, GigaSpaces, SAP Hana, Cloudera, memBase, simpleDB, redis, Apache Cassandra, GraphQL.

Mobile DB: SQLite, eXtremeDB, FireBase, Cognito, Core Data, Couchbase Mobile, Perst, UnQlite, LevelDB, BerkeleyDB, Realm Mobile, ForestDB, Interbase, Snappy, SQLAnywhere.

Low Code: Appian BPM and SAIL, ServiceNow Client-Side/Server-Side/Glide/Business Rules/Jelly, UIPath RPA, Microsoft Flows and PowerApps, Oracle Application Express (APEX), Siebel eScript, Svelte, Camunda, Salesforce APEX, BMC-EngageOne Enrichment (formerly Pitney Bowes StreamWeaver).

Containers: Dockerfile Security vulnerabilities and Best Practices, Kubernetes misconfigurations, Ansible Tasks

Cloud: Terraform, CloudFormation, Microsoft Azure, Google Cloud, Amazon AWS, Oracle Cloud OCP, CloudStack, OpenStack, DigitalOcean

Supported Libraries and Frameworks (Static Analysis)

JAVA: 146 Frameworks

https://en.wikipedia.org/wiki/List_of_Java_Frameworks

...

https://github.com/Microsoft/dotnet/blob/master/dotnet-developer-projects.md

Scala: 52 Frameworks (Accord, Akka, AnalogWeb, argonaut, Avro4s, Binding.scala, Chaos, Chill, Circe, Colossus, Dupin, Finagle, Finatra, form-binder, fs2, Gatling, Https4s, json4s, Kafka, Korolev, Lagom, Lift, MacWire, Monix, Monkeytail, MoultingYML, mPickle, Octopus, Pickling, Play, RxScala, Scalatra, ScalaCheck, scala-oauth2-provider, Scala-CSV, SecureSocial, ScalaPB, Scala.Rx, Scalaz, scodec, scrimage, Scrooge, Skinny, Spark, Spray, spray-json, sttp, Udash, Veto, Widok, Xitrum, youi)

PHP: 35 Frameworks https://en.wikipedia.org/wiki/Comparison_of_web_frameworks#PHP plus Smarty, ESAPI, Wordpress, Magento, TWIG, Aura, Drupal, TYPO3, Simple MVC, Slim, Yii2, PHPixie, celestini, SeedDMS.

JavaScript: 58 Frameworks (activeJS, Agility, Alpaca, Amplify, Angles, angular.js, AnnYang, Backbone.js, batman, bootstrap, CANjs, cappuccino, choco, conditioner, connect, Cordova-Phonegap, cycle.js, D3, Dojo Toolkit, dopamine, eyeballs, EMBER, Epistrome, ExtJS, Express, Famo.us, feathers, Flutter for React, GIFjs, GridForm, Hapi, introJS, Ionic, joint, JQuery, jwaves, jReject, KendoUI, KnockOut, Koa, Kraken, Locomotive, maria, meteor, MidWay, mochiKit, MooTools, NestJS, NextJS, node.js, OpenUI5, Parallax, PlastronJS, Polymer, qooxdoo, qUnit, React, RequireJS, Sails, sammy, Socket.IO, script.aculo, serenade, snack, SnapSvg, somajs, sproutcore, stapes, SVG, togetherJS, UIZE, underscore, vue, YUI3)

TypeScript: 14 Frameworks  (Angular, Express, Flutter for React, Ionic, Loopback, Meteor, NativeScript, Nest, Next, plottable, React, Redux, Stencil, WebPack)

Kotlin: 17 Mobile Frameworks (Anko, ararat, blue-falcon, CodenameOne, Flutter for Android, Ionic, kotgo, kotlin-core, Kotlin Multiplatform Mobile, Kotson, Lychee, NativeScript, React Native, rx-mvi, Splitties, themis, Xamarin), 10 Web Frameworks (HexaGon, Javalin, Jooby, Ktor, Kweb, Spark, Spring Boot, Tekniq, Vaadin-On-Kotlin, Vert.x for Kotlin)

Ruby: 25 Frameworks https://en.wikipedia.org/wiki/Comparison_of_web_frameworks#Ruby plus Cuba, Grape, Hobo, Ramaze, Raptor, pakyow, Renee, Rango, Scorched, Lattice, Vanilla, Harbor, Salad, Espresso, Marley, Bats, Streika, Gin, JRuby.

Mobile: support for 47 Mobile Development Frameworks: https://en.wikipedia.org/wiki/Mobile_app_development

...

Go: 19 Frameworks (Beego, Buffalo, Echo, FastHTTP, Fiber, Gin/Gin-Gonic, Gocraft, Goji, Gorilla, Go-zero, Iris, Kit, Kratos, Mango, Martini, Mux (HttpRouter), Net/HTTP, Revel, Web.go)

Machine Learning

The Security Reviewer service uses machine learning algorithms that feed off the hundreds of millions of anonymous audit decisions made by Security Reviewer experts. These decision models are actively used and developed for Cloud Reviewer, but they are also technologies that can be applied automatically on-prem to Static Reviewer results.

Static Reviewer analysis is divided into two steps:

...

Parameters: In Naive Bayes, the parameters are the estimates of the true distribution of whatever we are trying to classify; they are the variables the algorithm tunes to build an accurate model.

Classifier: A classifier is also referred to as a group of attributes.

...

Security Reviewer uses Blockchain to publish anonymous Effort Estimation data, with the permission of the volunteering organizations that use our products, through Consensus Algorithms. It maintains a repository of data from numerous organizations' completed software projects. In particular, the repository has provided research data on several topics, including APPW metrics, COCOMO, COSMIC, SLOC, LLOC, WMC, Cyclomatic Complexity, Technical Debt, Function Points, Country, Industry, Application Type, Project duration and Cost estimation. A software benchmarking experiment performed by Security Reviewer determined whether using anonymous data provides any valuable information to an organization. The organization's completed projects are compared to similar projects in a Blockchain to establish averages for the organization and for the industry as a whole. A critical aspect of the repository is confidentiality. Each organization is represented by a code (for example, “contributed by Organization X”) so that Security Reviewer can identify projects without revealing the organization itself. Codes are not available to the public.

CI PLUGINS

Security Reviewer Static Analysis

Security Reviewer Static Analysis provides advanced Code Inspection features, both as a desktop version and as native Jenkins or Bamboo Plugins as well as a CLI Interface, including thresholds, charts and the ability to view the Security vulnerabilities hidden in your source code directly in your Jenkins or Bamboo web interface.

...