Team Reviewer provides effective vulnerability discovery, management and tracking by continuously identifying threats, monitoring changes in your network and applications, discovering and mapping all your devices and software, including new, unauthorized and forgotten ones, and reviewing the configuration details of each asset.
Team Reviewer is a security program and vulnerability management tool. It allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into a single source of truth with Team Reviewer.
...
Central Repository
Team Reviewer can maintain its own repository of internally managed discovered vulnerabilities (findings). This private repository behaves identically to other sources of vulnerability intelligence such as OSS Index, VulnDB and NVD.
...
A multi-language kit is available for localization.
Direct execution of all features provided by Security Reviewer Suite (SAST, DAST, SCA, Mobile, Firmware)
Extended Workflow and Reporting features, GDPR Compliance Level included
Performant database based on a MariaDB 10.x Galera cluster; it can be replaced with Oracle RAC 12 or any other supported relational database
Secured source code and operating platform, validated by static code review and dynamic analysis performed with the Security Reviewer and Dynamic Reviewer tools
Encryption of DB Tables containing sensitive data (Users, Groups, Applications, Workflow, Policies, etc.)
Enhanced support for third-party SAST, SCA, IAST, DAST and Network Scans tools.
Mobile Behavioral Analysis integration (Mobile Reviewer)
Software Composition Analysis (SCA) integration
Software Resilience Analysis (SRA) integration
Firmware Reviewer
Azure Active Directory Single Sign-On
SQALE, OWASP Top Ten 2017/2021, Mobile Top Ten 2016, CWE, CVE, WASC, CVSSv2, CVSSv3.1 and PCI-DSS 4.0/3.2.1 compliance
Application Portfolio Management tools integration
...
Reports
Team Reviewer stores reports generated with:
...
Reports can be generated for:
Groups of Products
Individual Products
Endpoints
Product Types
Custom Reports
...
Filtering is available on all Report Generation views to aid in focusing the report for the appropriate need.
Custom reports allow you to select specific components to be added to the report. These include:
Cover Page
Table of Contents
WYSIWYG Content
Findings List
Endpoint List
Page Breaks
The custom report workflow takes advantage of the same asynchronous process described above.
...
Static Reviewer, Security Reviewer Software Composition Analysis (SCA), Security Reviewer Software Resilience Analysis (SRA), Mobile Reviewer and Dynamic Reviewer XML or CSV
HCL AppScan Source ed. and Standard ed. detailed XML Report
Micro Focus Fortify SCA and WebInspect FPR
CA Veracode Detailed XML Report
Checkmarx Detailed XML Report
Rapid7 AppSpider Vulnerabilities Summary XML Report and Nexpose XML 2.0
Acunetix
Anchore
AQUA
Arachni Scanner JSON Report
AWS Prowler and Scout2
Bandit
Synopsys BlackDuck
Brakeman
BugCrowd
Contrast
ESLint
GitLab SAST
GitLeaks
GOast
GOSec
Hadolint
HuskyCI
ImmuniWeb
JFrog XRay
Kiuwan
Burp Suite XML
Nessus (CSV, XML)
NetSparker
Nexpose
NPMAudit
OpenSCAP
OpenVAS
PHP Symfony Security Check
Nmap (XML), SQLMap, NoSQLMap (text output)
OWASP ZAP XML and Dependency Check XML
Retire.js JavaScript Scan JSON
Node Security Platform JSON
Qualys XML
SonarQube
Sonatype Nexus
SourceClear
SSLScan
SSLyze
Snyk JSON
Trivy
Trustwave
PyJFuzz
WhiteSource
WpScan
Generic Findings in CSV format
Team Reviewer can export correlated results to the following tools:
SonarQube
Micro Focus Fortify SSC
Kenna Security
ThreadFix
ServiceNow
...
FPFs are JSON files with the following sections:
Name | Type | Description |
---|---|---|
version | string | The Finding Packaging Format document version |
meta | object | Describes the Dependency-Track instance that created the file |
project | object | The project the findings are associated with |
findings | array | An array of zero or more findings |
SCARF
We adopted a unified tool output reporting format, called the SWAMP Common Assessment Results Format (SCARF). This format makes it much easier for a tool results viewer to display the output of a given tool, and as a result it has fostered interoperability among commercial and open source tools. The SCARF framework includes open source libraries in a variety of languages to produce and process SCARF. In addition, we have produced open source result parsers that translate the output of the supported tools into SCARF. We continue to work towards tool interoperability standards by joining the Static Analysis Results Interchange Format (SARIF) Technical Committee. As a participating member, we contribute to creating a standardized, open source static analysis tool format to be adopted by all static analysis tool developers.
You can use the SCARF framework yourself through the following libraries:
Available libraries | XML | JSON |
---|---|---|
Perl | | |
Python | | |
C/C++ | | |
Java | | |
SARIF
We are also compliant with OASIS SARIF (Static Analysis Results Interchange Format). Several SDKs are available:
...
CEF and LEEF are logging and auditing file formats: extensible, text-based formats designed to support multiple device types by carrying the most relevant information.
CEF Field Definitions
Field | Definition |
---|---|
Version | An integer that identifies the version of the CEF format. It determines what the following fields represent. Example: 0 |
Device Vendor / Device Product / Device Version | Strings that uniquely identify the type of sending device. No two products may use the same device-vendor and device-product pair; there is no central authority that manages these pairs, so be sure to assign unique name pairs. Example: JATP\|Cortex\|3.6.0.12 |
Signature ID / Event Class ID | A unique identifier, in CEF format, of the event type; it can be a string or an integer. The Event Class ID identifies the type of event reported. Example (one of these types): http, email, cnc, submission, exploit, datatheft |
Malware Name | A string giving the malware name. Example: TROJAN_FAREIT.DC |
Severity / Incident Risk Mapping | An integer that reflects the severity of the event. For the Juniper ATP Appliance CEF, the severity value is an incident risk mapping in the range 0-10. Example: 9 |
External ID | The Juniper ATP Appliance incident number. Example: externalId=1003 |
Event ID | The Juniper ATP Appliance event ID number. Example: eventId=13405 |
Extension | A collection of key-value pairs; the keys are part of a predefined set. An event can contain any number of key-value pairs in any order, separated by spaces. Note: see the definitions of these extension field labels in the section CEF Extension Field Key=Value Pair Definitions. |
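As an added illustration of the CEF layout described in the table (example code written for this page, not part of Team Reviewer or DefectDojo), the following Python parser splits a record into its seven pipe-delimited header fields and its Extension key=value pairs, honouring the `\|` and `\=` escapes the format uses. The sample record is constructed from the table's example values; the `src` and `msg` extension keys are assumed labels.

```python
import re

# Header fields that follow the "CEF:" prefix, in the order the format mandates
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def _split_header(text):
    """Split on unescaped '|'; CEF escapes '|' and '\\' inside header fields."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
            if len(parts) == len(HEADER_FIELDS):
                return parts, text[i + 1:]  # the remainder is the Extension
        else:
            cur.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than seven fields")

# A key starts the string or follows whitespace; an escaped '\=' never matches
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _parse_extension(ext):
    """Extension values may contain spaces, so cut between successive keys."""
    out, keys = {}, list(_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line):
    """Return (header, extension) dicts for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[4:])
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = int(header["version"])
    header["severity"] = int(header["severity"])  # the table documents 0-10
    return header, _parse_extension(ext)

# Constructed sample record built from the example values in the field table
SAMPLE = ("CEF:0|JATP|Cortex|3.6.0.12|cnc|TROJAN_FAREIT.DC|9|"
          "externalId=1003 eventId=13405 src=10.0.0.5 msg=C2 beacon to host\\=evil")
```

Feeding each parsed record's `externalId` and `severity` into a finding importer keeps the incident number as the deduplication key and the 0-10 risk mapping as the finding severity.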
LEEF also has predefined attributes.
...
Team Reviewer is based on open source software developed by Aaron Weaver (OWASP DefectDojo project). COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.