FAQ

Discover how simple is using our products, watch the following video:

Common FAQ

Q. What is your license policy?

Security Reviewer Static Analysis and Software Composition Analysis license policies are for unlimited users, unlimited clients, unlimited servers, unlimited analyses and unlimited lines of code. Only you have to specify the IP range on which Security Reviewer will run. Buying unlimited licenses includes 1 year of support and maintenance. Additional support and maintenance years must be purchased separately. Special prices will be applied for 3 years or more of additional support and maintenance. A special bid for a limited scans (50, 100 per year) exists only for Static Analysis Desktop Edition. See: Code Inspection or Software Composition Analysis FAQ below.

Q. Do Security Reviewer products require hardware components?

No. Security Reviewer products are made of 100% software components

Q. Do Security Reviewer products or components rely on other software vendors?

All Security Reviewer software components are made by Security Reviewer itself. Only updated and secured versions 3rd-party libraries are used. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/681934865/Open+Source+Licenses All support and maintenance tasks are provided by Security Reviewer and its Resellers network. No other vendors are involved

Q. Security Reviewer products are secure coded?

All Security Reviewer software are implemented in compliance of Secure Coding standard like OWASP, WASC and CWE. Each new version is Static Analyzed using Security Reviewer Static Analysis and open source and commercial tools like Micro Focus Fortify.

Q. What does Support & Maintenance services provide?

Our Support Team will understand your existing Continuous Integration environment, optimize Security Reviewer integration and make sure that you get maximum value from your investment. Support provides a 8x5 or 24x7 service, depending on your https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/967540737 Contract. A Service Desk is included, via a web ticketing system, via e-mail or via telephone calls, depending on your contract. Maintenance service provides products updates and patching on monthly basis. Patching is done for bug-fixing with a response time from 3 to 48 hours depends on your Contract

Q. Which Support & Maintenance contracts do you provide?

We provide a basic Support contract of 8x5, and Glod or Premium of 24x7. Maintenance is always provided with a monthly release update. Patching (part of maintenance) is done for bug fixing with a response time of 8-48 hours for Basic Support and 3-8 hours (3 hours for High, 5 hours for Medium, 6 hours for Normal and 8 hours for Low priority) for Premium support. For further SLA details, please ask to your preferred Reseller

Q. Which Programming Languages are supported?

Q. Do Security Reviewer products support virtualization?

Many virtualization platforms are supported in different ways, depending on Editions (see Code Inspection FAQ below):

  • Virtual Desktop Edition is used via SaaS via online VDI platform, based on VM

  • Server Edition can have a WCF Service running in a VM

  • REST API Edition as SaaS based on VM

  • Developer Edition can run scan task remotely in a VM

Desktop Edition cannot run on a local VM

Q. What about Compliance?

Q. How can I submit an Enhancement Request?

We guarantee the deployment of your Change Requests in about 48 hours and your Feature Requests developed during next 30 working days. We are committed to help our clients reaching their goals, to personalize their Secure Review experience, to provide an innovative environment, and to make the difference. Once you are a Customer of ours, feel free to ask what you need and you will get it for free! Your enhancement request will be inserted in the product roadmap and delivered to you soon!

The best way to submit an enhancement request for your Security Reviewer product is to go to https://www.securityreviewer.net/support. Select the product in which you are interested and the related section. Otherwise you can send you request via email to info@securityreviewer.com

The benefit of posting your suggestion on the Support site is that you “own” it. You will be notified by email of all replies and you will be the “thought leader” for the idea. Other users can see that the enhancement request is your idea, and you can lead the conversation in a way that will make your request compelling to Security Reviewer. Other users can “vote” on your idea and you can “campaign” for votes for your idea. Other users may also suggest a workaround or another way that you can accomplish your objective.

Security Reviewer’s Product Management reviews the submitted requests regularly, and you should see a reply within two o threee days.

For all the reasons above, posting and socializing your request on the Support site is the most productive and informative place to open an enhancement request.

We confirm that no additional costs are required for new available features during your support contract. New features may involve:

  • New supported OS

  • New supported languages

  • Enhanced products' features

Q. Do you have a Certification Program?

We do not offer Consultancy Services directly to Customers. Beware of false Security Reviewer 'experts'. To ensure Project success, we offer a Certification Program mandatory for every Consultancy Firm using our Products in a Consultancy Project at Customer's site. See Our Certification Program

Q. How can I contact a Distributor?

Code Inspection FAQ

Q. Which Editions are available?

Further to our Continuous Integration (CI) (see related FAQ) and IDE Plugins, the following Editions are available:

  • Desktop Edition. All features are provided by this Windows Desktop app, SQALE Dashboard and CLI Interface are Included. It is installed on premises and provides both Unlimited and Limited (50, 100, etc.) scans/year.

  • Virtual Desktop Edition. All features are provided by this Remote Desktop app, running on Windows, Mac OSx and Linux. SQALE Viewer is Included.

  • Developer Edition. Choose one of IDE plugins you want, and you can scan, view results and create reports directly inside your IDE. Windows only.

  • Server Edition. Desktop Edition additional module. It shares configurations, False Positives, Exclusions, Results and even encrypted source code between Desktop Editions.

  • REST API Edition. A Java CLI Interface run scans, check scan progress and download Results from a REST API on-premises Server

Q. Which Infrastructure is required for running your products?

Desktop Edition

Windows

      Microsoft®Windows 10 Professional or Enterprise (Home version not supported), Windows 2008 R2 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included). 

64 bit environment is suggested for better performances.

      Microsoft®Office 2010 or newer installed (for reporting)

      .NET Framework 4.7.2 redistributable preinstalled with offline installer.

      Oracle JDK 1.8 preinstalled. For further details, please refer to the related chapter below

      Python 3.8 or newer preinstalled

      At least 4 GB RAM or minimum RAM required by Host System

      2 Cores

      A physical hard disk greater than 200GB

      1 GB of free C: disk space during running

Linux

       Centos Linux 7.x; or newer, Ubuntu 16.04 or higher, Debian 9 or higher, Fedora 30 or higher, RedHat 7 or higher

      64bit environment is mandatory

      Oracle JDK 1.8 preinstalled. It won’t run with OpenJDK

      Python 3.6 or higher

      At least 4 GB RAM or minimum RAM required by Host System

      2 Cores

      A physical hard disk greater than 200GB

      1 GB of free C: disk space during running

 

Virtual Desktop Edition

Host System: Microsoft®Windows , Mac OSX or Linux. No particular configuration is suggested. The application runs in a remote Windows Server. If you need that Server on your premises, it needs the same configuration of Server Edition

Developer Edition

Same configuration of Desktop Edition, with one of IDE Plugins installed.

Server Edition

Windows: Windows 2008 Server or newer (Windows 2012 R2, Windows 2016 and Windows 2019 included). .NET Framework 4.8 redistributable preinstalled. IIS 7.5 or newer for WCF

Linux:

Mac:

  • Mac OSx 10.11 “El Capitan” or newer

JDK 1.8 or newer preinstalled.

Minimum RAM required by Host System.

REST API Edition

Same configuration of Server Edition with additional Apache Tomcat 9 installed.

 

Q. Which Virtualization Platforms are supported by Static Analysis?

Q. Which Operative Systems are supported by Static Analysis?

Q. What is the Database role in Static Analysis?

Static Analysis does not need RBDMS to run, and it is fully extensible via XML.

Q. Is Internet access required?

No. Static Analysis does not require Internet access. Remediation Tip, Reference documentation and Standards have links that can be disabled in configuration, often required by customers

Q. Which Security Rules are supported in the Static Analysis?

See Agile & DevOps Security

Q. How Security Rules are maintained up-to-date?

Q. For each Security Vulnerability, which details are provided?

When a Security Vulnerability is detected, a number of detailed Attributes is provided.

See this video:

Legend:

Attribute

Field

Description

AT1

Vuln ID

Vulnerability Unique Identifier

AT2

Component

Component Name and Version

AT3

File

Vulnerable file pathname, Class and Method (Program and Perform in COBOL)

AT4

Line of code

Vulnerable Line inside the File

AT5

Description

Vulnerability Description (includes external documentation and known attack vectors links)

AT6

Category

Vulnerability Category

AT7

Standard

Compliance/Best Practice International Standard (OWASP, CWE, CVE, WASC, PCI-DSS)

AT8

Rule

Unique Identifier and Description of violated Rule

AT9

CVSS

Value related to Common Vulnerability Scoring System CVSS V3.1

AT10

Severity

Blocker (Very High), Critical (High), Major (Medium), Minor (Low), Info (Very Low)

AT11

Code Snippet

Source code lines surrounding the vulnerabile one

AT12

Status

‘Confirmed’ means True Vulnerable, ‘Not An Issue’ means False Positive. Other values like ‘Not Exploitable’ are available, in compliance to international standards

AT13

Remediation Tip

Short suggestion tip for vulnerability fixing

AT14

Application

Analyzed Application Name

AT15

Version

Analyzed Application Version

AT16

Responsible

Team responsible of remediation

 

Outsourcer

Outsourcer contributing to remediation

AT17

Priority

Number ranging from 1 (Urgent) to 5 (Cosmetic) representing vulnerability fixing Priority

Q. Can Static Analysis provide per-component results?

Before executing the Static Analysis, source code may be grouped by Components, via Component Builder feature. Results by Component, Outsourcer and/or Development Team can be associated, as well as the related Application Portfolio ID and Project Initiative

Q. When Analysis ends, is there a notification service?

At Analysis termination, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can be also made using Slack, Microsoft Teams or sent to any Platform with WebHooks support. See Ecosystem for further details.

Q. Which Analysis results output formats are supported?

Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with ISO 9001 cover page, your logo, Classification and your Responsability Chain.

Q. May I suppress a vulnerability?

Yes, you can mark a vulnerability as False Positive, insert Notes and Vulnerability Status, all associated to a specific author. Those information will used in the next Analysis and included in the reports. See False Positives and False Negatives

Q. In Static Analysis, may I create custom Security Rules?

You can exclude some Security Rules from the Static Analysis, between the ones available, or you can create new Security Rules using the Cigital Secure Assist standard. Those rules can be associated to a specific analysis or to a single Application or Group of applications

Q. Which Development IDE are supported?

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins

CI Plugins FAQ

Q. Which Infrastructure is required for running your CI plugins?

Our CI plugins rely on Jenkins and Bamboo infrastructure to run. Do not require additional resources.

Q. On Users, Clients or Servers growing, what have I to do ?

Our CI plugins rely on Jenkins and Bamboo infrastructure to run. If you need to improve users, clients or servers number, you must change your own infrastructure, it does not affect the CI plugins configuration and there are no additional costs

Q. Where can I find CI Plugins manual?

When a product is purchased, for each product the following manuals are provided: Solution Overview, Installation Manual (includes Troubleshooting), User’s Manual (includes Release Updates and Patching procedures as well as OWASP Dependency Track user’s guide), IDE plugin manual, REST API interface manual, SonarQube Plugin manual, TrìhredFix Integration manual, CLI Interface manual. Such manuals will be updated together when a new Release will be available

Q. Which Virtualization Platforms are supported?

Virtualization does not affect the CI plugins configuration and there are no additional costs. Our CI plugins rely on Jenkins and Bamboo Infrastructure to run. Anyway, our solutions has been tested on VMware vSphere/ESXi, Oracle VirtualBox, Microsoft Hipervisor, Red Hat Enterprise Virtualization and KVM virtual machines

Q. Which Operative Systems are supported?

Please refer to Infrastructure page for further information

Q. Which Cloud DevOps Platforms are supported?

Please refer to Infrastructure page for further information

Q. What is the Database role in your solutions?

Our solutions do not need RBDMS to run, they are fully extensible via XML. Only Software Composition Analysis uses for temporary storage an unmodified binary redistribution of H2 database engine (http://www.h2database.com/). It needs neither support nor Backup

Q. Do I need to Backup and Restore Data and Configurations?

No Backup or Restore of Configurations or Data are required, due to our products are standard CI Plugins. Data is stored in your Software Configuration Platform (i.e. GIT, SVN, CSV, TFS, etc.), and configurations are inside your CI platform. Please refer to your internal Jenkins or Bamboo operation procedures.

Q. Can your products retrieve Data and Configurations from a Network File System?

Unique Data used by our CI Plugins is about External Sources used in Software Composition Analysis. Such Data will be stored temporary in an H2 database and refreshed automatically. No need of backup or maintenance

Q. How can I install your CI Plugins?

Installation is made in two phases:

  • Core product installation

  • CI Plugin Installation.

Core Product installation is about Static Analysis or Software Composition Analysis products and consists of copying and unzipping a few files to a specific folder. CI Plugins can be installed directly from Jenkins or Bamboo using their plugin manager or by CLI Interface or plugin download feature. See:

CI Plugins cannot run without a previous Core product installation.

Everything will be installed on-premises and can installed in unattended mode using CLI Interface

Q. May I use an internal Proxy when Internet access is required?

Only Software Composition Analysis CI Plugin requires access to Internet, for accessing to External Sources. An internal Proxy Server belonging to your organization can be used. It must be configured inside your CI Platform:

Q. If new features will be available, is there an additional cost?

No additional costs are required for new available features during your support contract. New features may involve:

  • New supported OS

  • New supported languages

  • Enhanced products' features

Q. Do you have Logging features?

Our CI Plugins support Logging. See available Logging options

Q. Can run in a Docker Image?

Our CI Plugins rely on your CI Platform Infrastructure. It has been tested with Docker, Kubernetes, OpenShift and with a number of APPC-compliant container platforms. No special Dockerfile is needed

Q. Can run in Multi-tenancy?

Q. Which Package Managers are supported?

Software Composition Analysis (SCA) CI Plugin supports various Package Managers. See Package Managers.

For both Static Analysis and Software Composition Analysis Ant, Maven, Gradle plugins are available.

Q. Which Security Rules are supported in the Static Analysis?

See Agile & DevOps Security

Q. How Security Rules are maintained up-to-date?

Q. For each Security Vulnerability, which details are provided?

When a Security Vulnerability is detected, a number of details are provided.

Static Analysis provides:

  • Vulnerable File Name

  • Vulnerable class / method / function or perform (for COBOL)

  • Vulnerability Map

  • OWASP Top 10 classification

  • CWE ID

  • WASC ID

  • CVSS v3 classification (base score and vectors)

  • CVE/CPE

  • Severity (Blocker, Critical, Major, Minor, Info)

  • Vulnerability Category

  • Vulnerability Description (includes external documentation and known attack vectors links)

  • Remediation Tip

Software Composition Analysis provides:

  • Vulnerable Library / Framework / File Name

  • CPE Vulnerability ID

  • Package

  • Highest Severity, CVE Count, Evidence Count (Vulnerabilities can be many)

  • OWASP Top 10 classification (usually A9-Avoid using components with known vulnerabilities)

  • Vulnerability Description

  • License type

  • Evidence (Type, Source, Name, Value, Confidence)

  • Related Dependencies

  • Published Vulnerabilities. For each vulnerability: CVE/NPM ID, Description (Remediation included), Severity, CWE ID, CVSS v2 and v3 classification (base score and vectors), References, Vulnerable Software and Versions.

Q. When a Vulnerable Library/Framework is detected an alternative is suggested?

When a Vulnerable library/framework is detected, the Vulnerability Description suggests the minimum next non-vulnerable version. If the vulnerability involves a certain library function only, and the analyzed application does not use such vulnerable function, the related Severity will changed to lower

Q. May I continuously monitor the Libraries / Frameworks vulnerabilities?

Your Library/Framework can be clean today, but vulnerable tomorrow. For continuosly monitoring, we provide a Maven Plugin for Sonatype Nexus Repository and JFrog Artifactory systems. The Maven plugin can be executed inside your CI Platform as a build task and, further than against a repository, a folder in a Network File System can be periodically analyzed using the same plugin

Q. Do you analyze Container Images?

Yes. We analyze both System Libraries and Libraries/Frameworks used in applications. See Containers Security for further details

Q. May I isolate a vulnerable Library/Framework, for avoid its publishing?

Yes. A vulnerable Library/Framework can be blacklisted, and notified to Sonatype Nexus Repository and JFrog Artifactory systems, for avoid putting it in production

Q. Do you support CI pipelines?

Yes. We support Jenkins and Bamboo pipelines natively. For other CI Platforms, our CLI Interface is multi-thread and pipelines-ready by design. See Infrastructure for a list of tested CI Platforms

Q. Further to CI Plugins, do you have a GUI interface?

Yes. We use the Jenkins / Bamboo embedded GUI in our plugin, providing all scan and configuration features, like:

Build Task (both Static and SCA task)

– Path to scan

– Output directory

– Generate Report: HTML, XML, JSON, CSV, PDF, Word

Static Analysis Build Task

– Project Name

– Version

– Exclusion List

-. Incremental Analysis

– Programming Language

SQL Dialects: PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, IBM Datastage, ANSI SQL, IBM DB2, IBM Informix, SAP Sybase, Micro Focus Vertica, MySQL, FireBird, PostGreSQL, SQLite, MongoDB, Hibernate Query Language, Hadoop PL, HiveQL.

NoSQL. MongoDB, CouchDB, Azure Cosmos DB, basho, CouchBase, Scalaris, Neo4j, InfiniSpan, Hazelcast, Apache Hbase, Dynomite, Hypertable, cloudata, HPCC, Stratosphere, Amazon DynamoDB, Oracle NoSQL, Datastax, ElasticDB, OrientDB, MarkLogic, RaptorDB, Microsoft HDInsight, Intersystems, RedHat JBoss DataGrid, IBM Netezza, InfiniDB, BigMemory, GemFire., Accumulo GigaSpaces, SAP Hana, Couldera, memBase, simpleDB, redis, cassandra.

Mobile DB. SQLite, eXtremeDB, FireBase, Cognito, Core Data, Couchbase Mobile, Perst, UnQlite, LevelDB, BerkeleyDB, Realm Mobile, ForestDB, Interbase, Snappy, SQLAnywhere.

– Load Type: Folder, Project, Component

– Target Browser version of Chrome, Firefox, Opera, IE, Edge, Safari

– Auditor

– Scan Options: Trusted Functions/Queries/Env/Socket/Servlet/WS/REST, Source Lines to be reported, Max Vulns per line, Max Issues

Manage Jenkins->Configure System, Bamboo Configure Task

– Temporary directory

– Global Data Directory

– Data mirroring scheme: CPE/CVE/Retire.js/All

– CVE 1.2/2.0 base/modified URL

– Enable analyzer: JAR, archive, assembly (DLL/EXE), Maven Central, NuSpec, Nexus, JFrog, Autoconf, CMake, PHP Composer, Node Package, Node (NPM) Audit, Retire.js, MSBuild, NuGet, OpenSSL, Python distribution/package, Ruby Bundler Audit, RubyGem, CocoaPods, Rust Cargo, Swift Package Manager, SNYK

– Nexus Services URL

– JFrog Artifactory URL, API Token, API user, Bearer Token

– e-mail Notification: STMP Server, Default user e-mail suffix, Use SSL, SMTP Port, Account Details, Content Type

– webHook Notification: Request parameter, Token header, Authorization header of type Bearer

Q. May I separate Dev, Stage and Production environments?

Our CI Plugin rely on your CI Platform Infrastructure. It is up to you installing separate CI environments at your site, with no additional costs

Q. Can Static Analysis provide per-component results?

Before executing the Static Analysis, source code may be grouped by Components, via Component Builder feature. Results will be provided by Component, an Outsourcer and/or a Development Team can be associated, as well as the related Application Portfolio ID and Project Initiative

Q. When Analysis ends, is there a notification service?

At Analysis termination, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can be also made using Slack, Microsoft Teams or sent to any Platform with WebHooks support. See Ecosystem for further details.

Q. Which Analysis results output formats are supported?

Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with ISO 9001 cover page, your logo, Classification and your Responsability Chain.

Q. May I suppress a vulnerability?

Yes, you can mark a vulnerability as False Positive, insert Notes and Vulnerability Status, all associated to a specific author. Those information will used in the next Analysis and included in the reports

Q. Do you have a Web Interface?

Web Interface is used in two different ways: from within your CI Platform web interface you can launch the Analysis, View the results, Suppress False Positives, Export the results. From within OWASP Dependency Track portal you can launch a Software Composition Analysis, View the Static Analysis and Software Composition Analysis results, Suppress False Positives, Export the results

Q. In Static Analysis, may I create custom Security Rules?

You can exclude some Security Rules from the Static Analysis, between the ones available and you can create new Security Rules using the Cigital Secure Assist standard. Those rules can be associated to a specific analysis or to a single Application or Group of applications

Q. Which Development IDE are supported?

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins

Q. Which Continuous Integration Platforms do you support?

Our CI Plugins are native for Jenkins (CloudBees ready) and Atlassian Bamboo CI/CD. Other CI Platforms are supported via CLI and REST API Interfaces. At customer’s site we currently tested:

  • Azure DevOps

  • Concourse-CI

  • AppVeyor

  • Travis CI

  • Circle CI

  • TeamCity

  • CodEnvy

  • Chef

  • AnthillPro

  • GoCD

Q. Which Issue Tracking Platform do you support?

Our CI Plugins integrate with Issue Tracking in two different ways:

Q. Do you integrate with external Dashboards, like SonarQube or ThreadFix?

Yes, the SonarQube and ThreadFix integrations are natively supported. Other dashboard support is provided via OWASP Dependency Track. See Dashboards

Q. Do you provide REST API and CLI interfaces?

REST API are provided in two ways:

  • via your CI Platform REST API: you can launch Static Analysis or Software Composition Analysis, download results

  • via OWASP Dependency Track: you can launch Software Composition Analysis, download results, managing users, groups, rules and roles

A CLI interface is provided, both for Static Analysis and Software Composition Analysis: you can launch the analysis in async mode, check the analysis status, download results, managing rules

Both REST API and CLI interface are well documented in related manuals

Q. Which is your AD/LDAP and role-profiling support?

Web Interface, accessible via REST API too, is used in two different ways: from within your CI Platform web interface or by OWASP Dependency Track. Both solutions support:

  • Integration with your AD/LDAP for Role profiling at User, Group, Projects, Teams and Application Level

  • Role profiling for Administrator, for AD/LDAP and Local Users, Groups, Projects, Applications and Teams management (import, create, edit, delete)

  • Role profiling for Configuring Analysis, Configuring Rules, Executing the Analysis or Browsing Analysis results (Remediation suggestions included), per Application basis

  • Custom Role profiling for each single feature access (deny, read-only, etc.)

Q. How can I monitor your tools behavior?

Our products can be monitored in different ways:

Firmware Reviewer FAQ

Q. Which are the installation modes?

Firmware Reviewer can be installed On Premise (setup or VMWare Virtual Machine) or in Cloud

Q. What are the installation Hardware and Software Requirements?

Q. What kind of analyses Firmware Reviewer can execute on a firmware image?

Firmware Reviewer executes both Static and Dynamic Analysis. After extracting the bootloader and file system from the image, the Static Analysis consists on executing a Task List, which includes checking of OS, system libraries, 3rd-party libraries, executables and scripts against CVE and Exploit databases to find known vulnerabilities. Scripts source code is also submitted to Security Reviewer’s SAST module to verify OWASP, WASC and CWE vulnerabilities checks. It will reveal also Visible configuration, IPs, e-mails, URIs, Visible Services, Unwanted Programs, and Compliance Issues. Dynamic Analysis consists in Device Emulation and in applying attacker patterns to the firmware image. Dynamic Analysis execute also Hardening Compliance test and other tests like Malware Scanning, using an embedded version of Metaesploit against our own collection of rules. See Malware related question below.

Q. Firmware Reviewer executes the Dynamic Analysis using simulation techniques. How can it simulate complex devices?

Firmware Reviewer Emulate a device using an our own enhanced version of QEMU. For complex firmwares it can execute a Partial emulation (bootloader and init system) and install a Bootloader Agent in the firmware bootloader, in order to manage encrypted firmware and gain access to login credentials. It will increase the Dynamic Analysis comprehensiveness and accuracy.

Q. How external open source tools can be orchestrated and integrated by Firmware Reviewer?

Firmware Reviewer provides a Plugin Developer’s Kit as well as REST API interface. External tools are orchestrated within dedicated plugins, and, in case of external systems, through REST API. Results are automatically correlated in a unique report.

Q. How Secure Source code Analysis is integrated by Firmware Reviewer?

Firmware Reviewer makes use of Security Reviewer’s SAST native module to analyze source code found inside the firmware image: shell scripts, python, php, lua, javascript, etc. in order to verify OWASP, WASC and CWE vulnerabilities checks.

Q. How exposed vulnerable functions are detected by Firmware Reviewer?

Firmware Reviewer detects exposed vulnerable standard library functions, like strcpy, sprintf, strcat, strncat, memcpy, memmove, gets, getw, system, etc, by analyzing all binaries existing in the firmware. They can expose it to Buffer Overflow, Heap Overflow and Stack Overflow, DoS. Command Injection and Integer Overflow vulnerabilities, as described by CISA CERT coding practices and CERT C Secure Coding Standard. They can included both in system components and application components. In case of system components it is suggested to update them to a non-vulnerable version, while in case of vulnerable application components it is suggested to use safe functions, like: strcpy_s, sprintf_s, etc. The vulnerabilities are classified using CVE and CVSS scoring.

Q. Suppose I solved some vulnerabilities reported by Firmware Reviewer. How can I verify such vulnerabilities have been fixed?

You can execute Firmware analysis of the new version, and use Firmware Reviewer’s Compare feature to discover new or fixed vulnerabilites between the two versions.

Q. I discover I have some users for services startup with Empty or Default Password. Firmware Reviewer reports them as vulnerable users. How can I test if those users are exploitables?

Using our Bootloader Agent, the users with empty or default passwords will be automatically monitored by Firmware Reviewer. At Emulation runtime, when a service is accessed using the real credentials, the Bootloader Agent will track it and will try to use such real credentials to login. Firmware Reviewer never access to physical devices, emulating them only.

Q. Firmware Reviewer reports OS and 3rd-party components vulnerabilities. How can I verify if those vulnerabilities are exploitable or not?

Each vulnerability is classified using CVE, reporting the most important vulnerabilities with Exploits. Each Exploit provides a script for verifying if the firmware is exposed or not. Since Firmware Reviewer never access to physical devices, it is up to you executing tests on your own devices.

Q. How Malware is detected?

Malware is detected using an embedded version of Metaesploit against our own collection of rules, as well as through Dynamic analysis of ELF files:

  1. Starting and Termination: Time Stamps and Elapsed Time.

  2. Processes Information: clone, execve and exit etc.

  3. File I/O: open, read, write and delete etc.

  4. Network: TCP, UDP, HTTP and HTTPS etc.

  5. Typical Malicious Actions: self deletion, modification and lock.

  6. API Information: getpid, system, dup and other libc functions.

  7. syscall sequences.

Further, our Dynamic Analysis finds Backdoors based in: Suspicious open TCP ports, suspicious connection to external IPs and URIs, presence of Non-standard services and Suspicious executables.

COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.