Dashboards
The Static Reviewer (SAST, Code Inspection), Dynamic Reviewer (IAST and DAST), Firmware Reviewer and Software Composition Analysis (SCA) modules can publish their results to a number of dashboards, including the following.
Team Reviewer
Team Reviewer is our default Dashboard and Central Repository. It combines all features provided by the entire Security Reviewer Suite with Vulnerability Discovery & Tracking.
Each new version is developed following Secure Coding practices and is delivered exception-free, with enhanced features such as:
SAST/IAST/DAST results navigator
SCA results (including legal issues) navigator
SSO (Single Sign-On) link to Firmware Reviewer portal.
Results browsing is provided at two levels: Internal User and Guest User.
Integration Checklist
All of the following integration requirements are covered both from the Web GUI and from the REST API.
| Requirement | Note |
|---|---|
| On-premise install | Yes, in addition to Cloud |
| Source Code upload | Analyses are always executed client-side; source code never leaves the client machine |
| HTTPS / TLS | Yes, both |
| External M2M support | Yes, through the REST API interface, profiled with User, Password and API Key |
| LDAP support | Supports LDAP, Microsoft Active Directory, ApacheDS, Fedora 389 Directory and NetIQ/Novell eDirectory |
| Local Users | Local users can be defined, e.g. technical support or admin users, for configuring all features available via the REST API |
| Enhanced password checking, SSO and IAM | Through integration with most IAM solutions (IAMlight, OAuth, SAML, etc.) |
| Enhanced Profile management | Each non-local user is associated with an IAM profile; access to each feature depends on the profile attributes. Anonymous access is forbidden |
| Source Code managed securely | Source code is accessed client-side only and held in secure temporary memory buffers and in encrypted folders. At scan end, source code is securely wiped from both memory and the encrypted folders |
| Extra User Effort required for scan tasks | The system has a high automation level and requires neither extra effort nor a long learning curve for fluent usage. See the video: FAQ |
| Support for most used programming languages | All versions (desktop, command line, REST API and Dashboard) can scan 40+ programming languages, mobile apps included. See: Static Reviewer, Supported Programming Languages |
| Software Composition Analysis | The system scans application dependencies on third-party libraries and frameworks, for standalone, web and mobile apps. See: Software Composition Analysis |
| Vulnerability Detection helpers | The system makes it easy to detect, classify and understand the vulnerabilities found in the app. Each vulnerability is accompanied by technical details and remediation helpers. See: FAQ, Q. For each Security Vulnerability, which details are provided? |
| Multi-language scan | The system recognizes by itself which programming languages were used to develop the scanned app. See: Static Reviewer, Multi-language scan |
| Developer's IDE Integration | A large number of IDE plugins are provided. See: IDE Plugins |
| Native DAST solution | The system includes a native DAST solution. Furthermore, Team Reviewer correlates results from a number of third-party DAST tools. See: Team Reviewer, Results Correlation |
| SDLC Integration | See: SDLC Integration |
| SCM and CI Plugins | The system provides native Jenkins and GitLab CI plugins (see: Static Reviewer, CI Plugins). It also integrates with most SCM solutions, including Git, SVN, Azure DevOps and PVCS. See: SCM Integration |
| Change password mandatory at first access | Yes, configurable |
| Password expiration | Yes, configurable |
| Account protection | Enterprise account data security relies on IAM. Local accounts are stored in encrypted DB tables |
| Sensitive data | The system does not store Legal, Personal, Network traffic, Localization, OLO data nor other SOAX data |
| Messages | The system never includes sensitive data inside Info, Warning or Error messages |
| Obfuscated Code | The system does not include obfuscated source or binary code |
| Intellectual Property | The system uses explicitly declared open source licenses. No intellectual property is violated |
| Third-party components | The system uses up-to-date and vulnerability-free third-party components |
| Secure Coding | The system is implemented in compliance with Secure Coding standards such as OWASP, WASC and CWE. Each new version is statically analyzed using Security Reviewer Static Analysis and OpenText Fortify |
| Logging | In addition to IAM logs, the system provides access logs and event logs. See: Static Reviewer, Logging |
OWASP Dependency Track
Security Reviewer Suite products automatically publish results to OWASP Dependency Track web app.
We offer support contracts for our enhanced version of OWASP Dependency Track.
Dependency Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency Track takes a unique and highly beneficial approach by leveraging the capabilities of the Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve. Security Reviewer has enhanced Dependency Track by adding Static Analysis support.
Dependency Track shares the same Integration Checklist as Team Reviewer.
Dependency Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has a REST API-first design, is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments, and is the default Security Reviewer Dashboard solution.
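The publishing step described above, shown as an added example that is not Security Reviewer's own publisher code: it builds a minimal CycloneDX SBOM (constructed sample data) and wraps it the way the public Dependency-Track BOM upload endpoint (`PUT /api/v1/bom`, authenticated with an `X-Api-Key` header) expects it. The endpoint shape and field names are taken from Dependency-Track's public API and are an assumption of this example, not something the page states; the server URL and API key are read from the environment, so nothing is sent when they are absent.

```python
"""Publish a CycloneDX SBOM to Dependency-Track's BOM upload endpoint.

Added example, not Security Reviewer's own publisher code. It assumes the
public Dependency-Track REST API (PUT /api/v1/bom, X-Api-Key header) and a
constructed sample SBOM; DT_URL and DT_API_KEY are read from the environment
so the script only builds the payload when they are not set.
"""
import base64
import json
import os
import urllib.request

# Constructed sample SBOM: one application depending on one third-party library.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "demo-app", "version": "1.0.0"}
    },
    "components": [
        {
            "type": "library",
            "name": "example-lib",
            "version": "2.3.1",
            "purl": "pkg:maven/org.example/example-lib@2.3.1",
        }
    ],
}


def build_upload_payload(bom: dict, project_name: str, project_version: str,
                         auto_create: bool = True) -> dict:
    """Wrap a BOM as /api/v1/bom expects it: base64 of the JSON text plus project identity.

    autoCreate lets a CI pipeline publish a new application version without
    pre-registering the project in the dashboard.
    """
    bom_bytes = json.dumps(bom, separators=(",", ":")).encode("utf-8")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def decode_payload_bom(payload: dict) -> dict:
    """Inverse of build_upload_payload; useful for verifying what is actually shipped."""
    return json.loads(base64.b64decode(payload["bom"]))


def component_purls(bom: dict) -> list:
    """Package URLs are what the dashboard matches against vulnerability databases."""
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def publish(payload: dict, base_url: str, api_key: str, timeout: int = 30) -> dict:
    """PUT the payload; Dependency-Track answers with a token for polling processing status.

    The key travels in a header, never in the URL, so it does not land in access logs.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    payload = build_upload_payload(SAMPLE_BOM, "demo-app", "1.0.0")
    url, key = os.environ.get("DT_URL"), os.environ.get("DT_API_KEY")
    if url and key:
        print(publish(payload, url, key))
    else:
        print("DT_URL / DT_API_KEY not set; payload built but not sent:")
        preview = {k: (v[:40] + "..." if k == "bom" else v) for k, v in payload.items()}
        print(json.dumps(preview, indent=2))
```

Run it with `DT_URL=https://dependency-track.example.internal DT_API_KEY=...` to actually publish; the HTTPS/TLS row of the checklist applies here, since the API key would otherwise cross the network in clear text.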
ServiceNow
ServiceNow improves service levels, energizes employees, and enables your enterprise to work at lightspeed. Create, read and update records stored within ServiceNow, including Incidents, Questions, Users and Vulnerability Management. Security Reviewer is integrated via REST API.
Kenna Security
The Kenna Security Vulnerability Management solution helps security and risk managers prioritize the vulnerabilities in their infrastructure and the security events disclosed via monitoring activities, enabling more effective security investigation and response operations. Security Reviewer is integrated via an OWASP Dependency Track feature.
CodeDx
Code Dx Enterprise is an automated application vulnerability management tool that makes all of your testing tools work together to provide one set of correlated results, then helps you prioritize and manage vulnerabilities, integrating with your application lifecycle management tools so your security and development teams work together for faster remediation. Security Reviewer is integrated via REST API.
OpenText Fortify SSC
Integration with OpenText Fortify SSC is provided via Team Reviewer or OWASP Dependency Track.
SonarQube
Integration with SonarQube is provided natively (via the CI Plugin), via Team Reviewer, or via OWASP Dependency Track.
ThreadFix
Integration with ThreadFix is provided natively (via the CLI Transformer), via Team Reviewer, or via OWASP Dependency Track.
Issue Tracking
Jira and BugZilla integrations are native to our Jenkins and Bamboo plugins:
JIRA
BugZilla
COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.