Dashboards

The Static Reviewer (SAST, Code Inspection), Dynamic Reviewer (IAST and DAST), Firmware Reviewer and Software Composition Analysis (SCA) modules can publish results to a number of dashboards, such as the following.

Team Reviewer

https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/360493/Team+Reviewer is our default Dashboard. It combines all features provided by the entire Security Reviewer Suite with Vulnerability Management & Tracking.

With every new version we apply Secure Coding practices and provide an exception-free build with some enhanced features, like:

  • SAST/IAST/DAST results navigator

  • SCA results (including legal issues) navigator

  • SSO (Single Sign-On) link to Firmware Reviewer portal.

Results browsing is provided at two levels: Internal User and Guest User.

Integration Checklist

Coverage of all the following Integration Requirements is available both from the Web GUI and from the REST API.

Requirement: Note

On-premise install: Yes, in addition to Cloud.

Source Code upload: Analyses are always executed at client side and source code never leaves the client machine.

HTTPS / TLS: Yes, both.

External M2M support: Yes, through the REST API interface, profiled with User, Password and API Key.

LDAP support: Supports LDAP, Microsoft Active Directory, ApacheDS, Fedora 389 Directory and NetIQ/Novell eDirectory.

Local Users: Local users can be defined, e.g. technical support or admin users, for configuring all features available via REST API.

Enhanced password checking, SSO and IAM: Through integration with most IAM solutions (IAMlight, OAuth, SAML, etc.).

Enhanced Profile management: Each non-local user is associated with an IAM profile, and access to the different features depends on the profile attributes. Anonymous access is forbidden.

Source Code managed securely: Source code is accessed at client side only and stored in secure temporary memory buffers and in encrypted folders. At scan end, source code is securely wiped both from memory and from the encrypted folders.

Extra User Effort required for scan tasks: The system has a high level of automation and requires neither extra effort nor a long learning curve to reach fluent usage. See the video: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/681902081/FAQ

Support for most used programming languages: All versions (desktop, command line, REST API and Dashboard) are able to scan 40+ programming languages, mobile apps included. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer+-+Code+Inspection#StaticReviewer-CodeInspection-languagesSupportedProgrammingLanguages

Software Composition Analysis: The system is able to scan application dependencies on third-party libraries and frameworks, for standalone, web and mobile apps. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/295034/Software+Composition+Analysis

Vulnerability Detection helpers: The system makes it easy to detect, classify and understand the vulnerabilities found in the app. Each vulnerability is accompanied by technical details and remediation helpers. See FAQ: "For each Security Vulnerability, which details are provided?"

Multi-language scan: The system automatically recognizes which programming languages were used to develop the scanned app. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer+-+Code+Inspection#StaticReviewer-CodeInspection-Multi-languagescan

Developer's IDE Integration: A large number of IDE plugins are provided. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/681378227/IDE+Plugins

Native DAST solution: The system includes a native DAST solution. Further, Team Reviewer correlates the results of a number of third-party DAST tools. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/360493/Team+Reviewer#Results-Correlation

SDLC Integration: See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/1181679626/SDLC+Integration

SCM and CI Plugins: The system provides native Jenkins and GitLab CI plugins. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer+-+Code+Inspection#StaticReviewer-CodeInspection-CIPLUGINS
Further, it integrates with most SCM solutions, including Git, SVN, Azure DevOps and PVCS. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/970784846/SCM+Integration

Change password mandatory at first access: Yes, configurable.

Password expiration: Yes, configurable.

Account protection: Enterprise account data security relies on IAM. Local accounts are stored in encrypted DB tables.

Sensitive data: The system does not store Legal, Personal, Network traffic, Localization, OLO data nor other SOAX data.

Messages: The system never includes sensitive data inside Info, Warning or Error messages.

Obfuscated Code: The system does not include obfuscated source or binary code.

Intellectual Property: The system makes use of explicitly declared open source licenses. No Intellectual Property is violated.

Third-party components: The system makes use of up-to-date and vulnerability-free third-party components.

Secure Coding: The system is implemented in compliance with Secure Coding standards such as OWASP, WASC and CWE. Each new version is statically analyzed using Security Reviewer Static Analysis and Micro Focus Fortify.

Logging: In addition to IAM logs, the system provides access logs and event logs. See: https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633/Static+Reviewer+-+Code+Inspection#StaticReviewer-CodeInspection-loggingLogging

OWASP Dependency Track

Security Reviewer Suite products automatically publish results to OWASP Dependency Track web app.

We offer support contracts for our enhanced version of OWASP Dependency Track.

Dependency Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency Track takes a unique and highly beneficial approach by leveraging the capabilities of the Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve. Security Reviewer enhanced Dependency Track by adding Static Analysis support.

Dependency Track shares the same Integration Checklist as Team Reviewer.

Dependency Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has a REST API-first design, is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments, and is the default Security Reviewer Dashboard solution.

ServiceNow

ServiceNow improves service levels, energizes employees, and enables your enterprise to work at lightspeed. Create, read and update records stored within ServiceNow, including Incidents, Questions, Users and Vulnerability Management. Security Reviewer is integrated via REST API.

Kenna Security

The Kenna Security Vulnerability Management solution helps security and risk managers prioritize the vulnerabilities in their infrastructure and the security events disclosed via monitoring activities, enabling more effective security investigation and response operations. Security Reviewer is integrated via an OWASP Dependency Track feature.

CodeDx

Code Dx Enterprise is an automated application vulnerability management tool that makes all of your testing tools work together to provide one set of correlated results, then helps you prioritize and manage vulnerabilities, integrating with your application lifecycle management tools so your security and development teams work together for faster remediation. Security Reviewer is integrated via REST API.

Micro Focus Fortify SSC

Integration with Micro Focus Fortify SSC is provided via Team Reviewer or OWASP Dependency Track.

SonarQube

Integration with SonarQube is provided natively (via CI Plugin), via Team Reviewer, or via OWASP Dependency Track.

ThreadFix

Integration with ThreadFix is provided natively (via CLI Transformer), via Team Reviewer, or via OWASP Dependency Track.

Issue Tracking

JIRA

Jira and BugZilla integrations are native to our Jenkins and Bamboo plugins.

BugZilla

COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.