Cloud Reviewer Saas is an all-one Cloud-native application security suite platform, multi-tenant, fully managed and provisioned as a service. It is able to analyze 3rd parties' libraries and open source components (SCA), Source Code-Static (SAST) and Endpoints-Dynamic (DAST), with complete management of vulnerabilities found, False positives, Multi-format Results (PDF, Word, Excel, CSV, JSON, XML, SARIF), Fully ISO 9001-Compliant Custom Reports. Mobile binary analysis (MAST) and Firmware Analysis are also available in the Enterprise version.
Our SaaS service has two targets:
Italian Government Institutions
International Enterprises and Institutions
Main Topics
Application Security Posture Management
OuR SaaS provides a complete Application Security Posture Management (ASPM) platform, based on online version of our Team Reviewer product.
Cloud Reviewer provides a unified interface for accessing all our tools, an effective vulnerability discovery, management & tracking, by continuously identifying threats, monitoring changes in your applications, fully integrated to your DevOps, discovering and mapping all your software changes and reviewing configuration details for each asset.
See Cloud Reviewer-Team Reviewer Integration Checklist.
Allow your developers, security engineers, team leads or managers have access to what they need.
Show isolated data to each user’s profile to make sure you keep everyone updated.
Use our CLI to bring security operations closer to development and DevOps teams and prevent overloading your security teams.
Benefits of ASPM include:
Real-time visibility into an organization’s application landscape to find vulnerabilities, misconfigurations, and other threats more readily.
Prioritizing security risk through detailed contextual information extracted from previously siloed security tools. Teams can then respond more quickly to incidents than manually inspecting alerts generated by each solution.
Enhanced remediation with greater context and root-cause insights teams can readily locate and triage security issues across platforms.
Improved productivity by automating workflows and security assessments that yield actionable insights, allowing more time spent on core tasks and goals.
Cost and reputational savings from finding and fixing security issues before they result in breaches.
SAST
Scans uncompiled code and doesn’t require complete builds. Sets the new standard for instilling security into modern development.
An application can be made of different Programming Languages.
Cloud Reviewer recognizes all programming languages that are composing the analyzed app, as well as the Dominant Language (i.e. the Language with higher LOC).
You can drill-down to Findings details:
A Custom Reporting feature is available.
DAST
With Dynamic Reviewer DAST Safe-PenTest module, you can inspect your web application as Blackbox during running, no need to backup your data. Whitebox mode is also available. Dynamic Reviewer detects vulnerabilities, show the Exploits, but doesn’t apply them. It also detects Client-side vulnerabilities.
Each Finding can explored in details:
A Custom reporting feature is available.
SCA
SCA (Software Composition Analysis) identifies project dependencies on 3rd-party components. SCA will automatically determine if those components have known, publicly disclosed, vulnerabilities as well as licenses-related issues
You can drill down to details:
A Custom reporting feature is available.
SaaS Plans
Pay-per-Scan. Small activation fee and pay a best-price fee for each SAST, DAST, SCA scan. Suitable for small organizations. 1 User. No LOC limits. Each customer has its own private space. Standard Support.
Professional: Pay-per-User. Starting package of 5 Users, 1 year subscription, unlimited SAST, DAST, SCA scans, unlimited Apps-Products, unlimited LOC. For each customer a separate Server is provided. Standard Support. With an additional fee you can add Gold Support to the subscription.
Developer. Professional (Pay-per-User) + IDE and DevOps integration. Access to our SaaS directly from your preferred IDE and your preferred CI/CD Platform.
Enterprise. Unlimited Users. yearly subscription, Unlimited SAST, DAST, SCA scans, Unlimited Apps-Products, Unlimited LOC, Unlimited Repositories. Additionally you can add Mobile Reviewer and /wiki/spaces/KC/pages/131110 in SaaS mode. Standard and Gold Support
For detailed information about Support, please refer to: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/2442100737/Support+Maintenance
DevOps integration
You can integrate Cloud Reviewer in your DevOps, using the Remote Scan, IDE Integration and GitHub Integration features.
Remote Scan - CI/CD Integration
Server-side scan can be ame using our CLI interface and our Jenkins plugin, GitHub and GitLab actions. In case of SAST, your code is encrypted with AES-256 and sent to the Server via TLS 1.3. At Server-Side it will be decrypted in an anonymous encrypted folder and stored during the scan time only, and safely removed at the end.
IDE Integration
While application security is a critical priority for development teams, managing security testing within an integrated development environment has often been a significant challenge. Developers who are pressing to meet deadlines in agile or waterfall software development processes are often already managing a variety of separate tools. To improve application security, Cloud Reviewer offers a suite of desktop, web and mobile app security testing solutions in a SaaS-based service that can be seamlessly combined in an integrated development environment to find and fix flaws at any point in the SDLC. Visual Studio, Eclipse and Android Studio integration is provided.
GitHub and GitLab Integration
In case you have your code stored in GitHub or GitLab repositories, we offer full integration, the scan will be made on-the-fly with no need to clone the repo.
Advantages
Saas solution offers:
Flexibility: you can choose a Plan based on your initial needs and increase it in case of necessity.
Scalability: you don’t need to increase your IT infrastructure, we provide you all the necessary storage and performance when changes in increased workloads are required.
Accessibility: Every time from everywhere.
Availability: uptime of the application over 98%.
Reliability: 99 percent success rate in transactions completed to the database.
Cost saving: No needs of an IT infrastructure. it does not require any initial investment and allows the OPEX to be supported only on the basis of specific needs of the moment. No time/money spent in products installation/configuration/update.
Security: Assurance of maximum Security compliance based on SLA. Security Reviewer places the utmost importance on data security. We handle your data in compliance with the most important Standards and Regulations regarding Privacy and Data Protection. For more information on what data is managed, what are the rules by which we access and transfer and store your data, data encryption, SOC2 compliance, regulatory requirements, and the response to data breach or security threat, please refer to our Security and Compliance Policy.
Privacy: When Enhanced Code Security is applied, your source code never leave your infrastructure
Code Security
You have three options:
Standard: In the Folder mode, you submit your zipped source code via TLS 1.3. During upload, it will be AES-256 Encrypted and stored server-side in an encrypted folder. Finally, it will safely removed at scan end. After scan completion, you can drill down to your Findings as well as the few lines around the vulnerable code (n. of lines is configurable).
GitHub integration: You can also pull the code from a private GitHub Repository. The scan will be executed on-the-fly, without downloading your source code or cloning the repository outside your GitHub workspace. GitHub integration is set up for your own User account, not for an Organization. GitHub integration settings apply to all Organizations associated with your User account but do not automatically apply to other user accounts in an Organization.
Enhanced: The Static Reviewer Local Analyzer is the local solution for your code analysis.
With this tool, you can analyze your source code without uploading it to our cloud or anywhere that might be deemed unsafe.
Only the results of the analysis are shown in the dashboard. The source code will be pre-processed using a downloadable Desktop App (Static Reviewer Local Analyzer) and only the raw results will be encrypted with AES-256 and transmitted via TLS 1.3. In the dashboard, Reports and Findings will only show few lines around the vulnerable code (n. of lines is configurable). Your source code will never leave your PC.
Datacenters SLA
ITALIAN GOVERMENT INSTITUTIONS
Italian Global Cloud Data Center (IT3) - DC-A
In collaboration with 5M Informatica, Cloud Reviewer is under Qualification as official Cloud Service of QC1 level.to Italian National Cybersecurity Authority (ACN). The Qualification simplifies, regulates and makes more secure the acquisition of cloud services by Public Administrations, in line with the indications of the National Cybersecurity Strategy. It guarantees adequate levels of security for Public Administration’s services and data, progressively increasing the quality and reliability of cloud service providers. The path enables a migration to the cloud, consistent with the classification of data and services and ACN's security and qualification requirements, helping to progressively reduce cyber-attacks.
cloudreviewer.it service is reserved to Italian Government Institutions, with the same high-quality services described above, but in a different Data Center infrastructure, located in Bergamo (Greater Milan Area), handled by Aruba Networks IaaS Provider, official ACN Cloud Infrastructure provider (IN-56).
The Global Cloud Data Center is the largest data center campus in Italy, with a surface area of 200,000m2 in Ponte San Pietro (BG), just a few minutes from Milan. All facilities have been designed and built to meet or exceed the highest levels of resilience, in accordance with ANSI/TIA-942 Rating 4 requirements and the ISO 22237 standard, the international benchmark standard for the entire life cycle of a data center, from strategic conception to building and operation. At the IT3 Data Center, traffic can be exchanged with all the operators on the Milan Internet eXchange in Milan, thanks to the MIX Point of Presence.
It is composed by:
Dedicated Servers only
Servers Hardware Brand: HP
Rating 4 (former Tier 4) ANSI/TIA 942-B-2017
Maximum logical and physical security with armed surveillance 24/7 and 7 levels of access
Anti-sismic and hydrogeological risk-proof
Up to 60MW of power
Self-produced hydroelectric and photovoltaic energy
Double multi-modular power center with UPS boasting 2N + 1 redundancy
Made-to- measure power of up to 40kW per rack
Redundant emergency generators with 48-hour full-load autonomy without refuelling
Data hall made entirely of firewalls and ceiling with double insulation
Carrier neutral data center with optional managed connectivity
Made-to-measure colocation solutions: from rack units to a dedicated data center
Storage and office space available to customers
See the Data Center datasheet with Certification and Compliance.
See the Data Center Racing Team Certifications.
INTERNATIONAL ENTERPRISES AND INSTITUTIONS
European DataDock in France, Germany and UK
cloudreviewer.net SaaS service is provided to Europe, Africa & Middle East Enterprises and Institutions seeking for an high-quality SaaS service for SAST, SCA, DAST and Vulnerability Management, as described above.
French DataDock and other 4 Data Centers in UK (London) and Germany (Munich, Nuremberg) have been in planning since 2003 and first became operational in 2010. The primary aim was a certain energy efficiency, to reduce both environmental impact and also operating costs. With the integration of a unique well-cooling into the data center concept, energy consumption can be kept so low that it has been acclaimed the greenest data center in Europe.
Privacy and Control over Data
As Europeans we understand the importance of Data Protection and Privacy. Our IaaS Providers are not only 100% GDPR compliant, but also the entire companies are organized in such a way that you retain the maximum control over your data. We respect your privacy and that's why unlike some of our competitors we don't collect data on what runs on Dedicated Server instance.
IaaS Providers: Contabo and Server4You
Fully redundant MPLS ring structure with a total capacity of 550 Gbit/s
Backbone connects the data center on one path directly with Frankfurt, as well as on another redundant path over Paris and Brussels
All data is delivered to the Internet with optimal performance and accessibility
66% less power consumption for the data center infrastructure, when compared to the average data center
25% less overall energy consumption
Electrical supply: Transformers, low-voltage mains distribution, UPS components and generators each with n+1 or 2n+1 redundancies
Cooling: Well systems, pumps and cooling circuits each with n+1 or 2n+1 redundancies
Auditing: Highest attainable rating of five stars in 2013 from Datacenter Star Audit (DCSA)
Core backbone Frankfurt-Strasbourg: 100 Gbit, Deutsche Telekom: 17x 10Gbit, Level(3): 10x 10Gbit, TeliaSonera: 8x 10Gbit, Cogent: 5x 10Gbit, Telefónica: 3x 10Gbit, DE-CIX: 6 x 10Gbit, ECIX: 6 x 10 Gbit
Only Brand New Hardware
Our IaaS Providers only use brand new enterprise-grade hardware from trusted brands. Dedicated servers are built in cooperation with Dell, HPE, AMD, and Samsung.
US East, West and Central
For North, Central and South American Enteprises and Institutions, cloudreviewer.com provides the same services described above, located in the US East (New York), US West (Seattle) and US Central (St. Louis).
They became operational in 2013 and is currently considered one of the most modern data centers worldwide. It stands out particularly for its strategically optimal location in the heart of the USA, has connectivity to all major carriers and sits directly on the main artery of the American network.
They are located in New York, Seattle and St. Louis, with best connectivity for both the East and the West Coast
Fastest route is always selected automatically
Completely redundant layout: Upon loss of one carrier, the system rapidly switches to another backbone
Availability is permanently maintained
Space: 14,000 sq ft
Capacity: 2MW generator, UPS-protected
Cooling: 17x 30 ton CRACs = 510 tons total cooling capacity, redundant cooling loop
Audited in accordance to SOC2 (Security Operation Center)
Cogent: 6x 10Gbit (+ further 10x 10Gbit available), TeliaSonera: 6x 10Gbit
Asian Data Centers
cloudreviewer.biz is provided to Eastern Countries, for Enterprises and Institutions seeking for an high-quality SaaS service for SAST, SCA, DAST and Vulnerability Management, as described above.
Our Services are hosted in Tier 3 & Tier 4 Data Centers, located in:
Sidney (Australia). IaaS Provider: Contabo
Tai Seng (Singapore). IaaS Provider: Contabo
Tokio (Japan). IaaS Provider: Contabo
From Asia fast connectivity is guaranteed to Europe and US:
Low latency is guaranteed for Japan, China, Korea and Beyond
Premium Connectivity is also guaranteed throughout Australia and New Zealand:
All above Data Centers offer the same high-level standards, like:
Redundant Power Supply
Redundant Internet Connection
Redundant Cooling
Physical Security
Energy Efficiency
365-days/year People On The Ground
Certifications:
BCA-IMDA Green Mark Gold
ISO/IEC 27001:2013
ISO/IEC 20000-1:2011
OC1 Type2 (SSAE18)
ANSI/TIA-942-B Rated-3
PCI DSS