Static Reviewer is the SAST (Static Analysis Security Testing) part of the Security Reviewer suite, built on top of the lessons learned through hundreds of thousands of scans performed since 2001 and constantly evolving to match new technologies and threats. It is guided by the largest and most comprehensive set of secure coding rules and supports a wide array of languages, platforms, build environments and integrated development environments (IDEs). Compliant with: OWASP, CWE, CVE, CVSS, MISRA, CERT. The Rule Engine, with its internal multi-threaded, optimized state machine based on the Dynamic Syntax Tree, is the fastest in the market. It does not need any internal or external DBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code, with very rare cases of False Positives.
Static Reviewer and Quality Reviewer, released in the Security Reviewer Suite, are provided both On Premise (Desktop, CI Plugins, Maven / Gradle / SBT / SonarQube Plugins, Ant Task and CLI Interface, tested with many CI/CD platforms) and in the Cloud (as Virtual Desktop or REST API Server), or as a Container (Docker, Kubernetes, OpenShift or any other APPC-compliant platform). They execute code checks according to the most relevant Secure Coding Standards for commonly used Programming Languages. The suite offers a unique, full integration between Static Analysis (SAST) and DAST (Dynamic) analysis, directly inside the programmer's IDE.
Scans uncompiled code and doesn’t require complete builds. Sets the new standard for instilling security into modern development.
An application can be made of different Programming Languages.
Security Reviewer recognizes all programming languages that make up the analyzed app.
The analysis will be done automatically. Optionally, you can set the following:
You can change the Audit Date as you want, selecting the proper date in the calendar.
You can exclude source files from the analysis by loading a list from a plain-text file.
You do not have to rescan the entire code base every time. The incremental scan option will automatically scan only the updated files and their dependencies, reporting both previous and current version issues. A combo box will let you choose a previous version against which to run the incremental analysis. If a previous version exists, an additional option will be displayed:
Selecting “New and Changed Files only”, the analysis results will be focused on new and updated files only.
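The incremental scan described above has to decide which files to re-analyze and how to combine old and new findings. The Python below is an added illustration of that logic, not Security Reviewer's own implementation: it assumes a constructed dependency graph (file → files it imports) and triaged finding lists keyed by file, both invented for the example. A changed file is rescanned together with every file that transitively depends on it, because a change in a shared helper (for example a sanitizer) can alter findings in callers whose text did not change; findings in files outside that set are carried forward from the previous version.

```python
from collections import deque

# Constructed sample dependency graph: file -> files it directly depends on.
DEPS = {
    "web/LoginController.java": ["service/AuthService.java", "util/Sanitizer.java"],
    "web/ReportController.java": ["service/ReportService.java"],
    "service/AuthService.java": ["dao/UserDao.java"],
    "service/ReportService.java": ["dao/ReportDao.java", "util/Sanitizer.java"],
    "dao/UserDao.java": [],
    "dao/ReportDao.java": [],
    "util/Sanitizer.java": [],
}


def reverse_deps(deps):
    """Invert the graph: file -> set of files that depend on it."""
    rev = {f: set() for f in deps}
    for f, targets in deps.items():
        for t in targets:
            rev.setdefault(t, set()).add(f)
    return rev


def files_to_rescan(deps, changed):
    """Changed files plus every file that (transitively) depends on them.

    Breadth-first walk over the reversed graph; a visited set keeps the walk
    finite even if the dependency graph contains cycles.
    """
    rev = reverse_deps(deps)
    selected = set(changed)
    queue = deque(changed)
    while queue:
        f = queue.popleft()
        for dependent in rev.get(f, ()):
            if dependent not in selected:
                selected.add(dependent)
                queue.append(dependent)
    return selected


def merge_results(previous, current, rescanned):
    """Findings for an incremental run.

    Rescanned files take their findings from the new run (an empty list means
    the issue was fixed); untouched files keep the previous version's findings.
    """
    merged = {f: issues for f, issues in previous.items() if f not in rescanned}
    for f in rescanned:
        merged[f] = current.get(f, [])
    return merged


if __name__ == "__main__":
    # Constructed scenario: the sanitizer was fixed, so the XSS findings that
    # flowed through it disappear, while the unrelated SQL finding is kept.
    previous = {
        "util/Sanitizer.java": ["CWE-79"],
        "web/LoginController.java": ["CWE-79"],
        "dao/UserDao.java": ["CWE-89"],
    }
    current = {"util/Sanitizer.java": [], "web/LoginController.java": []}
    rescan = files_to_rescan(DEPS, {"util/Sanitizer.java"})
    for path in sorted(rescan):
        print("rescan:", path)
    for path, issues in sorted(merge_results(previous, current, rescan).items()):
        print(f"{path}: {issues}")
```

Only the reverse (dependents) direction is walked here; if an analysis also needs the forward dependencies of a changed file for context (type information, called functions), those are loaded but do not need to be re-reported, which is why the text above separates "New and Changed Files only" from the full incremental result.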
Choose the Language Set. If your Application is written using more than one Programming Language Set, the others will be discovered automatically.
If you have SQL scripts in your Application, choose their SQL Dialect.
You can choose:
ClassPath. For Java, you can optionally base the scan on the “.classpath” files located in every folder to include, for a faster scan.
Component. If you have the APM Pack installed, choosing this option Security Reviewer will analyze your application as you structured it using Component Builder.
Framework – JDK - API Level
In case of .NET source code, if .NET framework cannot be obtained automatically, you can choose which .NET Framework version has been used during development. The same will be done with JDK, API Level (Android) or MFC versions.
Choose a Ruleset in the related combo box (Security or Deadcode): OWASP API Security Top Ten 2019, OWASP Top Ten 2017, OWASP Top Ten 2013, OWASP Top Ten 2010, OWASP Mobile Top Ten 2016, OWASP Mobile Top Ten 2014, CWE or your own Custom Ruleset (see the related chapter below). If a Mobile app is detected, OWASP Mobile Top Ten 2016 will be set automatically. Dead code analysis will use the CWE ruleset only. In addition to OWASP and CWE, WASC and CVE will also be detected in every analysis.
Additional Scan Options are provided for better targeting the scan:
Source Code options
You can choose how many lines will be shown on the screen and in reports before and after the line on which a violation was found.
Set the proper Timeout in seconds to be applied in the pattern search before generating a Warning. For analyzing complex source code, it is suggested to set the Warning Timeout to 50 or over.
Enable it if your application runs in a Trusted environment. You can choose:
Public Functions (default). Public function parameters are considered ‘Trusted’ (console application, dedicated JVM or CLR, dedicated Application Server, etc.)
DB Queries. When the results of database queries do not have to be validated
Environment Variables-Properties. When Environment Variables and Property Files are considered trusted (environment dedicated to the system user associated with the application)
Socket. When data read as plaintext from a Socket does not have to be validated (i.e. read from a local Daemon)
Servlet/WS requests. When Servlet or Web Services requests are considered trusted (for example in case of a local servlet or in case of WS-Security)
Apply Exclusion List
If Enabled (default), Exclusion List rules will be applied. If you want to change those rules, please refer to the related chapter below in this doc.
In order to reduce the number of vulnerabilities to manage, it is suggested to set Max vulnerabilities per line of code to 1 on the first scan and then, after some remediation tasks have been accomplished, set it to 5. This lets you focus on the highest-priority code changes, solving the most important vulnerabilities first. If SR finds more than one vulnerability on the same line of code, it will keep the one with the higher severity.
Enabling No Dead Code for Partial Classes skips the separate processing of .NET Partial Classes, avoiding False Positives on Dead Code issues.
Enable it if you are analyzing an Application exposed to the Internet. The rules applied will be stricter.
If you want to focus your Static Analysis on a specific target browser, select this option. A list of the most important versions of Internet Explorer, Chrome, Firefox, Opera and Safari will be shown:
This will change the analysis perspective, focusing on the vulnerabilities and compatibility issues of the selected browser.
Select this option to generate Attack Vector information during the Scan. This feature will take into account every point-of-vulnerability of the analyzed app.
Select it if this version has to be considered the baseline. In differential comparison reports, your baseline will be highlighted.
Your current username is set to default on Auditor field. You can change this field before scanning.
In case of C/C++ source code, you can set C or C++ Options. In addition to Windows compilers (Visual Studio, JetBrains Rider and Embarcadero), Security Reviewer supports:
Security Reviewer supports the largest number of C/C++ compilers in the market.
For COBOL applications, you can set:
Target COBOL Version. For a precise parsing of the right COBOL Dialect.
Security Reviewer supports the largest number of COBOL platforms in the market.
Secure Code Analysis
Static Reviewer, can run either at Client side or at Server side. You can run it using our Desktop application, Developer's IDE, via command line or using our DevOps CI/CD plugins. Developers can run Secure Code Analysis also at server side via automated integration with our REST API server. See REST API Hardware Requirements for further details.
In case of a medium-large number of users, the DevOps CI/CD integration Plugins are suggested. In that case the Secure Code Analysis will run at server side, either on a Jenkins Server or on an Atlassian Bamboo Server. Developers can browse the analysis results either directly in their preferred IDE or using an internet browser connected to Team Reviewer.
Our Component Builder provides association of a group of source Folders or Files to a Component.
Each Component can be associated to a certain APM Code, Package Code, Outsourcer and Development Team:
With Component Builder, you can create components. Each Component must have a different name:
You can Modify and Delete (Ignore) existing Components.
When launching a new Static Analysis, you can set the Load Type to Component.
Once the Static Analysis is finished, you can view Results associated to one Component, or to ALL Components:
You can mark all Component's Vulnerabilities as False Positives, by selecting the Component and pressing Select All:
otherwise you can select single vulnerabilities or a group of them, by pressing CTRL or SHIFT keys.
The vulnerabilities will be marked with FP=Yes, and the Status will be set to Not An Issue.
You can Suppress (Ignore) ex-post one or more Components:
Suppression is incremental: you can add new suppressions as needed.
In the next Static Analysis, in a new Application/Version, you can import the Exclusion List text file including all suppressions.
Security Reviewer Suite provides a complete reporting system.
Cover letters are customizable, for ISO 9001 compliance. You can insert your logo, the ISO Responsibility chain (Created by, Approved by, Verified by), the ISO Template code and the Report Confidentiality.
The reports are designed for maximum optimization, to keep the page count as small as possible.
Custom Rules - Admin Kit
The Security Reviewer Admin Kit allows you to add Custom Rules to be executed during the Static Analysis (Security or Dead Code - Best Practices), as well as to change some aspects of the Static Analysis Reports.
This can be done in three steps:
Limit access to a single or a group of Security Reviewer features
Add suggestions to reduce False Positives
Add a new Rule to the Security Reviewer’s Rules XML File
Add a new Custom .NET Core DLL with implemented Rules to be executed during Static Analysis. This DLL will be added to the related programming Language Engine, using Aspect.NET
Add a Report File for replacing an existing one.
We decided to give limited access to our Admin Kit, reserved to Certified Users. A typical User can only select a group of existing rules to be applied to a specific analysis, or to all analyses.
A Certified User, once they have purchased the Admin Kit, will receive a 1-day training from us on how to design a custom rule properly.
Personnel using this Admin Kit should have the following Professional Profile:
At least 3 years of experience using Security Reviewer as an Auditor. At least 100 Audits per year are required
At least 5 years of experience in Secure Coding with Microsoft® .NET
In-depth knowledge of OWASP and CWE Compliance standards, and CVSS Risk methodology, all applied to at least 5 programming languages
At least 5 years of experience in executing Static Analyses compliant with OWASP Top Ten 2013 or 2017, Common Weakness Enumeration (CWE) 2.9 or newer, Web Application Security Consortium (WASC) and PCI-DSS 3.1 or newer
Developing at least 3 projects for each of 5 different programming languages, during the last 5 years
“Security Reviewer Certified Professional – Master Rule Programming” Certified
Once you have created your Rules XML file, developed your Custom Rules and built your DLL, you must submit them all by launching Security Reviewer – Admin Kit:
You can decide either to share your Custom Rules with the Community, or to reserve those Custom Rules to your company only.
Jenkins and Bamboo Plugins rely on user's infrastructure to run and support the respective platforms.
Using 9000+ built-in validation rules, during the Code Review process it can highlight violations and even suggest changes that would improve the structure of the system. It creates an abstract representation of the program, based on its own patented Dynamic Syntax Tree algorithm.
Taint Analysis: Security Reviewer contains its own Machine Learning system that acts on the output of the Hybrid analyzer, that is the in-memory Dynamic Syntax Tree.
Let's start with some definitions:
Features: Features in a Naive Bayes Classifier, or any general ML Classification Algorithm, are the data points we choose to define our input. Specifically, in a Naive Bayes Classifier, the key assumption we make is that these features are independent (they don't affect each other). This assumption may or may not be true, but for a Naive Bayes, we assume that it is true.
Parameters: Parameters in Naive Bayes are the estimates of the true distribution of whatever we're trying to classify. They are the variables your algorithm is trying to tune to build an accurate model.
Classifier: Classifiers are also referred to as groups of attributes.
Security Reviewer Machine Learning is based on:
Feature mapping derives simple-structured features from the Dynamic Syntax Tree and creates specific Classifiers. In the Static Analysis, Features are a huge number of objects that cannot be learned one-by-one. A given Classifier is abstracted as a set of features:
All analyses but the first will automatically remove the useless Classifiers, enhancing the scan accuracy.
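To make the three definitions above concrete (features, parameters, classifier), here is an added Python example of a Bernoulli Naive Bayes classifier applied to taint-analysis findings. It is not Security Reviewer's machine-learning system: the three binary features, the triaged training set and the TP/FP labels are all constructed for the example, and real products derive far richer features from the syntax tree. What it shows is exactly the mechanics the definitions describe: the features are assumed conditionally independent given the label, the parameters are the per-label feature probabilities estimated from triaged findings (with Laplace smoothing so an unseen feature/label pair never gets probability zero), and the classifier combines them into a posterior that ranks a new finding as a likely true positive or false positive.

```python
import math
from collections import Counter

# Binary features a taint analyzer could derive for one finding. The names are
# constructed for this example, not the product's real feature set.
FEATURES = ["source_user_input", "sanitizer_on_path", "sink_is_sql"]

# Constructed training set: findings already triaged by an auditor.
# TP = confirmed vulnerability, FP = false positive.
TRAINING = [
    ({"source_user_input": 1, "sanitizer_on_path": 0, "sink_is_sql": 1}, "TP"),
    ({"source_user_input": 1, "sanitizer_on_path": 0, "sink_is_sql": 0}, "TP"),
    ({"source_user_input": 1, "sanitizer_on_path": 0, "sink_is_sql": 1}, "TP"),
    ({"source_user_input": 1, "sanitizer_on_path": 1, "sink_is_sql": 1}, "FP"),
    ({"source_user_input": 0, "sanitizer_on_path": 1, "sink_is_sql": 0}, "FP"),
    ({"source_user_input": 0, "sanitizer_on_path": 0, "sink_is_sql": 0}, "FP"),
]


class BernoulliNB:
    """Naive Bayes over binary features: P(label | x) ∝ P(label) * Π P(x_f | label)."""

    def __init__(self, features, alpha=1.0):
        self.features = features
        self.alpha = alpha   # Laplace smoothing pseudo-count
        self.prior = {}      # parameter: P(label)
        self.cond = {}       # parameter: (label, feature) -> P(feature = 1 | label)

    def fit(self, samples):
        label_counts = Counter(label for _, label in samples)
        total = len(samples)
        self.prior = {c: n / total for c, n in label_counts.items()}
        for c, n in label_counts.items():
            for f in self.features:
                ones = sum(x[f] for x, label in samples if label == c)
                # (count + alpha) / (n + 2*alpha): two outcomes per binary feature
                self.cond[(c, f)] = (ones + self.alpha) / (n + 2 * self.alpha)
        return self

    def posterior(self, x):
        # Work in log space so many small probabilities do not underflow.
        log_scores = {}
        for c in self.prior:
            s = math.log(self.prior[c])
            for f in self.features:
                p1 = self.cond[(c, f)]
                s += math.log(p1 if x[f] else 1.0 - p1)   # independence assumption
            log_scores[c] = s
        m = max(log_scores.values())
        weights = {c: math.exp(s - m) for c, s in log_scores.items()}
        z = sum(weights.values())
        return {c: w / z for c, w in weights.items()}

    def predict(self, x):
        post = self.posterior(x)
        label = max(post, key=post.get)
        return label, post[label]


if __name__ == "__main__":
    clf = BernoulliNB(FEATURES).fit(TRAINING)
    unsanitized_sql = {"source_user_input": 1, "sanitizer_on_path": 0, "sink_is_sql": 1}
    sanitized_local = {"source_user_input": 0, "sanitizer_on_path": 1, "sink_is_sql": 0}
    for name, finding in [("unsanitized_sql", unsanitized_sql), ("sanitized_local", sanitized_local)]:
        label, p = clf.predict(finding)
        print(f"{name}: {label} (posterior {p:.3f})")
```

With the constructed data the learned parameters are, for example, P(sanitizer_on_path = 1 | TP) = (0 + 1) / (3 + 2) = 0.2 and P(sanitizer_on_path = 1 | FP) = (2 + 1) / (3 + 2) = 0.6; the unsanitized SQL finding is scored TP with posterior 0.192 / 0.224 ≈ 0.857, and the sanitized, non-user-input finding FP with posterior 0.108 / 0.116 ≈ 0.931. A ranking like this is what lets a second analysis drop classifiers that never separate the two labels, as the text above describes.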
Forget about False Positives
The two above mentioned steps guarantee a cleansed analysis output, with almost zero False Positives.
Security Reviewer uses Blockchain to publish anonymous Effort Estimation data, with the permission of volunteering organizations using our products. It maintains a repository of data from numerous organizations' completed software projects. In particular, the repository has provided research data on several topics, including APPW metrics, COCOMO, COSMIC, SLOC, LLOC, WMC, Cyclomatic Complexity, Technical Debt, Function Points, Country, Industry, Application Type, Project duration, and Cost estimation. A software benchmarking experiment performed by Security Reviewer determined whether using anonymous data provides any valuable information to an organization. The organization's completed projects are compared to similar projects in a Blockchain to establish averages for the organization and for the industry as a whole. A critical aspect of the repository is confidentiality. Each organization is represented by a code (for example, “contributed by Organization X”) so that Security Reviewer can identify projects without revealing the organization itself. Codes are not available to the public.
Security Reviewer Static Analysis
Security Reviewer Static Analysis provides advanced Code Inspection features in both a desktop version and native Jenkins or Bamboo Plugins, as well as a CLI Interface, including thresholds, charts and the ability to view the Security vulnerabilities hidden in your source code directly in your Jenkins or Bamboo web interface.