Discover how simple it is to use our products by watching the following videos:


Common FAQ

Q. What is your license policy?


Security Reviewer Static Analysis and Software Composition Analysis license policies cover unlimited users, unlimited clients, unlimited servers, unlimited analyses and unlimited lines of code. You only have to specify the IP range on which Security Reviewer will run. Buying unlimited licenses includes 1 year of support and maintenance. Additional support and maintenance years must be purchased separately. Special prices apply for 3 years or more of additional support and maintenance. A special bid for limited scans (50, 100 per year) exists only for Static Analysis Desktop Edition. See: Code Inspection or Software Composition Analysis FAQ below.

Q. Do Security Reviewer products require hardware components?


All Security Reviewer software components are made by Security Reviewer itself. Only updated and secured versions of 3rd-party libraries are used (see: Open Source Licenses). All support and maintenance tasks are provided by Security Reviewer and its Resellers network. No other vendors are involved.

Q. Are Security Reviewer products securely coded?


All Security Reviewer software is implemented in compliance with Secure Coding standards like OWASP, WASC and CWE. Each new version is statically analyzed using Security Reviewer Static Analysis and open source and commercial tools like Fortify.

Q. What does Support & Maintenance services provide?


We provide a Basic Support contract of 8x5, and Gold or Premium of 24x7. Maintenance is always provided with a monthly release update. Patching (part of maintenance) is done for bug fixing with a response time of 8-48 hours for Basic Support and 3-8 hours (3 hours for High, 5 hours for Medium, 6 hours for Normal and 8 hours for Low priority) for Premium Support. For further SLA details, please ask your preferred Reseller.

Q. Which Programming Languages are supported?


See Languages

Q. Do Security Reviewer products support virtualization?


Many virtualization platforms are supported in different ways, depending on Editions (see Code Inspection FAQ below):

  • Virtual Desktop Edition is used as SaaS via an online VDI platform, based on a VM

  • Server Edition can have a WCF Service running in a VM

  • REST API Edition as SaaS based on VM

  • Developer Edition can run scan task remotely in a VM

Desktop Edition cannot run on a local VM


We guarantee the deployment of your Change Requests in about 48 hours and the development of your Feature Requests within the next 30 working days. We are committed to helping our clients reach their goals, to personalizing their Security Reviewer experience, to providing an innovative environment, and to making the difference. Once you are a Customer of ours, feel free to ask for what you need and you will get it for free! Your enhancement request will be inserted in the product roadmap and delivered to you soon!

The best way to submit an enhancement request for your Security Reviewer product is to go to https://www.securityreviewer.net/support. Select the product in which you are interested and the related section. Otherwise you can send your request via email to info@securityreviewer.com

The benefit of posting your suggestion on the Support site is that you “own” it. You will be notified by email of all replies and you will be the “thought leader” for the idea. Other users can see that the enhancement request is your idea, and you can lead the conversation in a way that will make your request compelling to Security Reviewer. Other users can “vote” on your idea and you can “campaign” for votes for your idea. Other users may also suggest a workaround or another way that you can accomplish your objective.

Security Reviewer’s Product Management reviews the submitted requests regularly, and you should see a reply within two or three days.

For all the reasons above, posting and socializing your request on the Support site is the most productive and informative place to open an enhancement request.

We confirm that no additional costs are required for new available features during your support contract. New features may involve:

  • New supported OS

  • New supported languages

  • Enhanced products' features


In addition to our Continuous Integration (CI) plugins (see related FAQ) and IDE Plugins, the following Editions are available:

  • Desktop Edition. All features are provided by this Windows Desktop app; SQALE Dashboard and CLI Interface are included. It is installed on premises and is available with both Unlimited and Limited (50, 100, etc.) scans/year.

  • Virtual Desktop Edition. All features are provided by this Remote Desktop app, running on Windows, Mac OS X and Linux. SQALE Viewer is included.

  • Developer Edition. Choose the IDE plugin you want, and you can scan, view results and create reports directly inside your IDE. Windows only.

  • Server Edition. An additional module for Desktop Edition. It shares configurations, False Positives, Exclusions, Results and even encrypted source code between Desktop Editions.

  • REST API Edition. A Java CLI Interface runs scans, checks scan progress and downloads Results from an on-premises REST API Server.


Desktop Edition

Windows

  • Microsoft® Windows 10 Professional or Enterprise (Home version not supported), Windows 2008 R2 Server or newer (Windows 2012 R2, Windows 2016, Windows 2019 and Windows 2022 included). A 64-bit environment is suggested for better performance.

  • Microsoft® Office 2010 or newer installed (for reporting)

  • .NET Core 5 preinstalled with offline installer

  • Oracle JDK 1.8 or Oracle JDK 11 preinstalled. For further details, please refer to the related chapter below

  • Python 3.8 or newer preinstalled

  • At least 4 GB RAM or the minimum RAM required by the Host System

  • 2 Cores

  • A physical hard disk greater than 200 GB

  • 1 GB of free C: disk space while running

Linux

  • CentOS Linux 7.x or 8.x or newer, Ubuntu 16.04 or higher, Debian 9 or higher, Oracle Linux 7.x or 8.x, Fedora 21 or higher, RedHat 7.x or 8.x

  • A 64-bit environment is mandatory

  • Oracle JDK 1.8 preinstalled. It won’t run with OpenJDK

  • Python 3.6 or higher

  • At least 4 GB RAM or the minimum RAM required by the Host System

  • 2 Cores

  • A physical hard disk greater than 200 GB

  • 1 GB of free C: disk space while running

macOS

  • 64-bit 10.x Sierra or newer

  • .NET Core 5 preinstalled with offline installer

  • Oracle JDK 1.8 or Oracle JDK 11 preinstalled. For further details, please refer to the related chapter below

  • At least 4 GB RAM or the minimum RAM required by the Host System

  • 2 Cores

  • A physical hard disk greater than 200 GB

  • 1 GB of free C: disk space while running

Virtual Desktop Edition

Host System: Microsoft® Windows, Mac OS X or Linux. No particular configuration is suggested. The application runs on a remote Windows Server. If you need that Server on your premises, it needs the same configuration as Server Edition.

Developer Edition

Same configuration as Desktop Edition, with one of the IDE Plugins installed.

Server Edition

Windows: Windows 2008 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included). .NET Framework 4.8 redistributable preinstalled. IIS 7.5 or newer for WCF

Linux:

Mac:

JDK 1.8 or JDK 11 preinstalled.

Minimum RAM required by Host System.

REST API Edition

Same configuration as Server Edition, with Apache Tomcat 9 additionally installed.


Q. How are Security Rules kept up-to-date?


See Our Independent Advisors Network

Q. For each Security Vulnerability, which details are provided?


When a Security Vulnerability is detected, a number of detailed Attributes are provided.

See this video:

VIdeo SR AT1-AT15 2020-09-09 at 08.12.22.mp4

Legend (Attribute, Field: Description):

  • AT1, Vuln ID: Vulnerability Unique Identifier

  • AT2, Component: Component Name and Version

  • AT3, File: Vulnerable file pathname, Class and Method (Program and Perform in COBOL)

  • AT4, Line of code: Vulnerable Line inside the File

  • AT5, Description: Vulnerability Description (includes external documentation and known attack vectors links)

  • AT6, Category: Vulnerability Category

  • AT7, Standard: Compliance/Best Practice International Standard (OWASP, CWE, CVE, WASC, PCI-DSS)

  • AT8, Rule: Unique Identifier and Description of violated Rule

  • AT9, CVSS: Value related to Common Vulnerability Scoring System CVSS V3.1

  • AT10, Severity: Blocker (Very High), Critical (High), Major (Medium), Minor (Low), Info (Very Low)

  • AT11, Code Snippet: Source code lines surrounding the vulnerable one

  • AT12, Status: ‘Confirmed’ means True Vulnerable, ‘Not An Issue’ means False Positive. Other values like ‘Not Exploitable’ are available, in compliance with international standards

  • AT13, Remediation Tip: Short suggestion tip for vulnerability fixing

  • AT14, Application: Analyzed Application Name

  • AT15, Version: Analyzed Application Version

  • AT16, Responsible: Team responsible for remediation

  • AT16, Outsourcer: Outsourcer contributing to remediation

  • AT17, Priority: Number ranging from 1 (Urgent) to 5 (Cosmetic) representing vulnerability fixing Priority

Q. Can Static Analysis provide per-component results?

Before executing the Static Analysis, source code may be grouped into Components via the Component Builder feature. Results can then be associated by Component, Outsourcer and/or Development Team, as well as with the related Application Portfolio ID and Project Initiative.

Q. When Analysis ends, is there a notification service?

When the Analysis terminates, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can also be sent via Slack, Microsoft Teams or to any Platform with WebHooks support. See Ecosystem for further details.

Q. Which Analysis results output formats are supported?

Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with an ISO 9001 cover page, your logo, Classification and your Responsibility Chain.

Q. May I suppress a vulnerability?

Yes, you can mark a vulnerability as False Positive and insert Notes and a Vulnerability Status, all associated with a specific author. This information will be used in the next Analysis and included in the reports. See False Positives and False Negatives
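A practitioner who receives the JSON export usually wants to turn it into a remediation worklist: drop findings whose Status (AT12) marks them as False Positive or Not Exploitable, order the rest by Severity (AT10) and Priority (AT17), and record who suppressed what and why so the decision survives into the next Analysis. The script below is an added example, not Security Reviewer's own code or export schema: the field names follow the AT1-AT17 legend above, but the JSON layout, the sample findings and the function names (load_findings, worklist, suppress, summary) are constructed for this example.

```python
"""Triage of an exported vulnerability list.

Added example, not Security Reviewer's own code or export schema: the field
names follow the AT1-AT17 legend on this page (Vuln ID, Severity, Status,
Priority, ...), but the JSON layout, the sample findings and the function
names are constructed for the example.
"""
import json

# AT10 severity labels, ordered from most to least severe.
SEVERITY_RANK = {"Blocker": 0, "Critical": 1, "Major": 2, "Minor": 3, "Info": 4}

# AT12 status values that take a finding off the remediation worklist.
SUPPRESSED_STATUSES = {"Not An Issue", "Not Exploitable"}

# Constructed sample export (not real product output).
SAMPLE_EXPORT = json.dumps([
    {"Vuln ID": "V-001", "Component": "auth-lib 2.3.1", "File": "src/login.py",
     "Line of code": 42, "Category": "SQL Injection", "Standard": "CWE-89",
     "CVSS": 9.8, "Severity": "Critical", "Status": "Confirmed", "Priority": 1},
    {"Vuln ID": "V-002", "Component": "core 1.0.0", "File": "src/upload.py",
     "Line of code": 17, "Category": "Path Traversal", "Standard": "CWE-22",
     "CVSS": 8.1, "Severity": "Blocker", "Status": "Confirmed", "Priority": 2},
    {"Vuln ID": "V-003", "Component": "core 1.0.0", "File": "src/util.py",
     "Line of code": 88, "Category": "Hardcoded Secret", "Standard": "CWE-798",
     "CVSS": 6.5, "Severity": "Major", "Status": "Not An Issue", "Priority": 3},
    {"Vuln ID": "V-004", "Component": "core 1.0.0", "File": "src/view.py",
     "Line of code": 5, "Category": "XSS", "Standard": "CWE-79",
     "CVSS": 5.3, "Severity": "Major", "Status": "Confirmed", "Priority": 5},
    {"Vuln ID": "V-005", "Component": "log-lib 0.9", "File": "src/log.py",
     "Line of code": 61, "Category": "Information Exposure", "Standard": "CWE-532",
     "CVSS": 3.1, "Severity": "Minor", "Status": "Not Exploitable", "Priority": 4},
])


def load_findings(raw_json):
    """Parse an export and reject records with out-of-range AT10/AT17 values."""
    findings = json.loads(raw_json)
    for f in findings:
        if f["Severity"] not in SEVERITY_RANK:
            raise ValueError(f"{f['Vuln ID']}: unknown severity {f['Severity']!r}")
        if not 1 <= int(f["Priority"]) <= 5:
            raise ValueError(f"{f['Vuln ID']}: priority must be 1 (Urgent)..5 (Cosmetic)")
    return findings


def open_findings(findings):
    """Findings still needing work: suppressed statuses are left out."""
    return [f for f in findings if f["Status"] not in SUPPRESSED_STATUSES]


def worklist(findings):
    """Open findings ordered by severity, then priority, then CVSS (high first)."""
    return sorted(open_findings(findings),
                  key=lambda f: (SEVERITY_RANK[f["Severity"]], f["Priority"], -f["CVSS"]))


def suppress(findings, vuln_id, author, note):
    """Mark one finding as a False Positive, recording who decided and why."""
    for f in findings:
        if f["Vuln ID"] == vuln_id:
            f.update({"Status": "Not An Issue", "Author": author, "Notes": note})
            return f
    raise KeyError(vuln_id)


def summary(findings):
    """Count of open findings per severity label."""
    counts = {}
    for f in open_findings(findings):
        counts[f["Severity"]] = counts.get(f["Severity"], 0) + 1
    return counts


if __name__ == "__main__":
    fs = load_findings(SAMPLE_EXPORT)
    for f in worklist(fs):
        print(f"{f['Vuln ID']} {f['Severity']:<8} P{f['Priority']} {f['File']}:{f['Line of code']}")
    print(summary(fs))
```

Sorting by the Severity rank before the Priority number keeps a Blocker ahead of a Critical even when the Critical carries a more urgent Priority; swap the two key components if your team treats Priority as the primary ordering. The suppress helper keeps the author and note on the record rather than deleting it, which is what allows the suppression to be carried into the next Analysis and into the reports.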

Q. In Static Analysis, may I create custom Security Rules?

You can exclude some of the available Security Rules from the Static Analysis, or you can create new Security Rules using the Digital Secure Assist standard. Those rules can be associated with a specific analysis or with a single Application or Group of applications.

Q. Which Development IDEs are supported?

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins


Our CI plugins rely on the Jenkins and Bamboo infrastructure to run. They do not require additional resources.


Our CI plugins rely on the Jenkins and Bamboo infrastructure to run. If you need to increase the number of users, clients or servers, you must change your own infrastructure; this does not affect the CI plugins configuration and there are no additional costs.


When a product is purchased, the following manuals are provided for each product: Solution Overview, Installation Manual (includes Troubleshooting), User’s Manual (includes Release Update and Patching procedures as well as the OWASP Dependency Track user’s guide), IDE plugin manual, REST API interface manual, SonarQube Plugin manual, ThreadFix Integration manual, CLI Interface manual. The manuals are updated together whenever a new Release becomes available.


Virtualization does not affect the CI plugins configuration and there are no additional costs. Our CI plugins rely on the Jenkins and Bamboo infrastructure to run. In any case, our solutions have been tested on VMware vSphere/ESXi, Oracle VirtualBox, Microsoft Hypervisor, Red Hat Enterprise Virtualization and KVM virtual machines.

Q. Which Operating Systems are supported?


Please refer to the Infrastructure page for further information.

Q. Which Cloud DevOps Platforms are supported?


Please refer to the Infrastructure page for further information.


Our CI Plugins support Logging. See the available Logging options.

Q. Can it run in a Docker Image?


Our CI Plugins rely on your CI Platform Infrastructure. They have been tested with Docker, Kubernetes, OpenShift and a number of APPC-compliant container platforms. No special Dockerfile is needed.


Your Library/Framework can be clean today, but vulnerable tomorrow. For continuous monitoring, we provide a Maven Plugin for Sonatype Nexus Repository and JFrog Artifactory systems. The Maven plugin can be executed inside your CI Platform as a build task and, besides running against a repository, it can periodically analyze a folder on a Network File System.


Yes. We support Jenkins and Bamboo pipelines natively. For other CI Platforms, our CLI Interface is multi-threaded and pipeline-ready by design. See Infrastructure for a list of tested CI Platforms.


Our CI Plugins rely on your CI Platform Infrastructure. It is up to you to install separate CI environments at your site, with no additional costs.


Firmware Reviewer executes both Static and Dynamic Analysis. After extracting the bootloader and file system from the image, the Static Analysis consists of executing a Task List, which includes checking the OS, system libraries, 3rd-party libraries, executables and scripts against CVE and Exploit databases to find known vulnerabilities. Script source code is also submitted to Security Reviewer’s SAST module to check for OWASP, WASC and CWE vulnerabilities. It also reveals Visible configuration, IPs, e-mails, URIs, Visible Services, Unwanted Programs, and Compliance Issues. Dynamic Analysis consists of Device Emulation and of applying attacker patterns to the firmware image. Dynamic Analysis also executes a Hardening Compliance test and other tests like Malware Scanning, using an embedded version of Metasploit against our own collection of rules. See the Malware related question below.


Firmware Reviewer emulates a device using our own enhanced version of QEMU. For complex firmware it can execute a Partial emulation (bootloader and init system) and install a /wiki/spaces/KC/pages/1455980582 in the firmware bootloader, in order to manage encrypted firmware and gain access to login credentials. This increases the comprehensiveness and accuracy of the Dynamic Analysis.


Firmware Reviewer makes use of Security Reviewer’s native SAST module to analyze source code found inside the firmware image (shell scripts, Python, PHP, Lua, JavaScript, etc.) in order to check for OWASP, WASC and CWE vulnerabilities.


You can execute a Firmware analysis of the new version and use Firmware Reviewer’s Compare feature to discover new or fixed vulnerabilities between the two versions.

Q. I discovered that some users for service startup have an Empty or Default Password. Firmware Reviewer reports them as vulnerable users. How can I test whether those users are exploitable?


Using our /wiki/spaces/KC/pages/1455980582, the users with empty or default passwords are automatically monitored by Firmware Reviewer. At Emulation runtime, when a service is accessed using the real credentials, the /wiki/spaces/KC/pages/1455980582 tracks it and tries to use those real credentials to log in. Firmware Reviewer never accesses physical devices; it only emulates them.


Malware is detected using an embedded version of Metasploit against our own collection of rules, as well as through Dynamic Analysis of ELF files, which records:

  1. Starting and Termination: Time Stamps and Elapsed Time.

  2. Processes Information: clone, execve, exec and exit etc.

  3. File I/O: open, read, write and delete etc.

  4. Network: TCP, UDP, HTTP and HTTPS etc.

  5. Typical Malicious Actions: self deletion, modification and lock.

  6. API Information: getpid, system, dup and other libc functions.

  7. Syscall sequences.

Further, our Dynamic Analysis finds Backdoors based on: suspicious open TCP ports, suspicious connections to external IPs and URIs, presence of non-standard services and suspicious executables.
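The categories listed above (process lifetime, file I/O, network, self deletion, lock, libc API use and the raw syscall sequence) are what a behaviour report for an emulated ELF file is built from. The script below is an added example, not Firmware Reviewer's own code: it shows how such a report can be derived from a recorded syscall trace. The one-event-per-line trace format ("<seconds> <pid> <syscall> [args...]"), the sample trace of a hypothetical dropper and the function names (parse_trace, is_external, analyze) are constructed for this example; the self-deletion check (a process unlinking the path it was started from), the lock check (chmod 0000) and the external-connection check (an address outside loopback, RFC 1918 and link-local ranges) are this example's own definitions of the page's categories.

```python
"""Behaviour summary for a recorded syscall trace of an emulated ELF binary.

Added example, not Firmware Reviewer's own code: the one-event-per-line trace
format ("<seconds> <pid> <syscall> [args...]"), the sample trace and the
function names are constructed for this example; only the behaviour
categories (process, file I/O, network, self deletion, lock, API calls,
syscall sequence) follow the list on this page.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed trace of a hypothetical dropper. 203.0.113.5 is an RFC 5737
# documentation address, not a real host.
SAMPLE_TRACE = """\
0.000 100 execve /tmp/.x
0.010 100 getpid
0.012 100 open /etc/passwd
0.013 100 read 3
0.020 100 socket AF_INET SOCK_STREAM
0.021 100 connect 203.0.113.5:4444
0.030 100 clone
0.031 101 execve /bin/sh
0.040 100 unlink /tmp/.x
0.050 100 chmod /etc/passwd 0000
0.060 101 exit
0.061 100 exit
"""

PROCESS_CALLS = {"clone", "execve", "exec", "exit"}
FILE_CALLS = {"open", "read", "write", "unlink"}
NETWORK_CALLS = {"socket", "connect", "bind", "listen", "sendto", "recvfrom"}
API_CALLS = {"getpid", "system", "dup"}

# Ranges treated as local to the emulated device; anything else is "external".
LOCAL_NETS = [ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_trace(text):
    """Return (timestamp, pid, syscall, args) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        events.append((float(parts[0]), int(parts[1]), parts[2], parts[3:]))
    return events


def is_external(endpoint):
    """True when a "host:port" endpoint lies outside LOCAL_NETS."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # a hostname rather than an address: treat as external
    return not any(addr in net for net in LOCAL_NETS)


def analyze(text):
    """Build the behaviour report for one trace."""
    events = parse_trace(text)
    if not events:
        raise ValueError("empty trace")
    root_pid = events[0][1]
    exe_path = {}  # pid -> path it was started from (its own image)
    report = {
        "start": events[0][0],
        "end": events[-1][0],
        "elapsed": round(events[-1][0] - events[0][0], 3),
        "processes": sorted({e[1] for e in events}),
        "child_execs": [],
        "opened_files": [],
        "deleted_files": [],
        "external_connections": [],
        "self_deletion": False,
        "locked_files": [],
        "api_calls": [],
        "syscall_sequence": [e[2] for e in events],
    }
    for _, pid, call, args in events:
        if call in ("execve", "exec") and args:
            exe_path[pid] = args[0]
            if pid != root_pid:
                report["child_execs"].append(args[0])
        elif call == "open" and args:
            report["opened_files"].append(args[0])
        elif call == "unlink" and args:
            report["deleted_files"].append(args[0])
            if args[0] == exe_path.get(pid):
                report["self_deletion"] = True  # the binary removed its own image
        elif call == "connect" and args and is_external(args[0]):
            report["external_connections"].append(args[0])
        elif call == "chmod" and len(args) > 1 and args[1] == "0000":
            report["locked_files"].append(args[0])  # file made inaccessible
        elif call in API_CALLS:
            report["api_calls"].append(call)
    report["counts"] = {
        "process": sum(e[2] in PROCESS_CALLS for e in events),
        "file": sum(e[2] in FILE_CALLS for e in events),
        "network": sum(e[2] in NETWORK_CALLS for e in events),
    }
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_TRACE), indent=2))
```

The local ranges are listed explicitly instead of relying on the ipaddress module's is_private flag, because that flag also covers the RFC 5737 documentation blocks and would hide the constructed 203.0.113.5 connection; in a real deployment the list should match the address plan of the emulated device's network.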
