Compliance Modules
Need to comply with a coding standard? Security Reviewer makes it easy.
Save time by knowing which set standards are being broken and getting insights on how to tackle them.
You can use the following compliance modules to apply coding standards across your codebase. And you’ll get fewer False Positives and False Negatives in your diagnostics. With Security Reviewer, Security By Design will be easy to accomplish in your Security Development Life Cycle. Security Reviewer provides a Qualification Kit for checking our tool at your premises against coding standards as well as OWASP Benchmark and WASC Reports.
MISRA
Check your code against the MISRA® C and C++ coding standards — automatically.
The MISRA coding rules identify potential issues in safety-critical systems. The MISRA C and C++ compliance modules flag sections of your code that violate these rules, with the support of a bunch of Compilers:
Standards: Posix, C89, C99, C11, C17, C++03, C++11, C++14, C++17, C++20
Unix/Linux: GCC, IBM XL C/C++, HP C/aC++, HPE NonStop, Sun Pro C/C++, LLVM Clang
Windows: Visual Studio 6.0, Visual Studio 2003-2022, Embarcadero
Mac: XCode, LLVM Clang, Digital Mars C/C++, GCC, TryC
Embedded: ARM RealView, ARC MQX Synopsys, Atmel AVR Studio, Atollic True Studio, Avocet ProTools, Batronix uC51, BIPOM Electronics, Byte Craft eTPU C, CCS PIC/dsPIC/DSC, Ceibo-8051C++, CodeWarrior, Cosmic Software, Crossware, ELCC C/C++, GCC C/C++, Green Hills Multi, HighTec C/C++, IAR C/C++, INRIA CompCert, Intel C/C++, Introl C Compiler, Keil ARM C/C++, Mentor Graphic CodeSourcery, Microchip MPLAB, MikrocC Pro, NXP, Renesas HEW, SDCC, Softools Z/Rabbit, Tasking ESD, Texas Instruments CodeComposer, Z World Dynamic C 32, WDC 8/16-bit, Wind River C/C++
Architectures: avr8 - 8bit AVR microcontrollers, Elbrus-e1cp+, pic8 - 8bit PIC microcontrollers-baseline mid-range architectures, pic8-enhanced - 8bit PIC microcontrollers-Enhanced mid-range and high-end (pic18) architectures, pic16 - 16bit PIC microcontrollers, MIPS32, intel x86, intel x64, ARM Cortex M microcontrollers, MSP430, PowerPC, Cray sv1
The MISRA C compliance module enforces MISRA C:2004 and MISRA C:2012 rules.
The MISRA C++ compliance module enforces MISRA C++:2008 rules.
Security Reviewer identifies MISRA violations with greater accuracy than other tools. And it prioritizes violations based on severity, so you fix the most important issues first.
So, you’ll be able to improve code quality. Plus, you’ll be able to track and report on MISRA (and ISO) compliance.
CERT
Check your code against the CERT C, C++, JAVA and CERT Mobile coding standards — automatically.
The CERT coding rules identify security vulnerabilities in your code. The CERT C, C++, JAVA and CERT Mobile compliance modules flag code that violates these rules. This helps you eliminate undefined behaviors and apply best practices for secure code.
Plus, Security Reviewer helps you prioritize and fix the most critical violations first. You’ll even get detailed guidance and examples to help you fix these errors.
So, you’ll develop quality systems that are safe, secure, and reliable. Plus, you’ll be able to track and report on CERT compliance
CWE
Check your code against the CWE™ list of security weaknesses — automatically.
CWE identifies common security weaknesses in all Supported Languages.
The CWE compatibility module identifies code with those security weaknesses, and Security Reviewer prioritizes these CWE 4.9 violations.
This makes it easy for you to fix the most critical errors first. And by using Security Reviewer, you’ll improve overall code security.
OWASP Top 10
The OWASP Application Security Verification Standard (ASVS) is full covered by Security Reviewer. It provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
Security Reviewer provides classification and reporting for OWASP Top Ten 2021, 2017, 2013 and 2010, as well as for Mobile Top Ten 2016 and 2014. Further, Security Reviewer supports OWASP Security API 2019.
The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.
Security Reviewer leads on OWASP Benchmark.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
Security Reviewer provides OWASP Top Ten 2021, 2017, 2013, 2010 and OWASP API:2019 compliance, further than Mobile OWASP Top Ten 2016 and 2014.
CWE/SANS Top 25
The CWE SANS Top 25 Most Dangerous Software Errors is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. To create the list, the CWE and SANS Institute Teams used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents.
This data-driven approach is used by Security Reviewer to generate a CWE/SANS Top 25 2022, 2021, 2020 and 2019 list on a regular basis with minimal effort.
CVE
The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the Mitre Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1]
The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system[2] as well as in the US National Vulnerability Database.
Security Reviewer uses CVE to classify all operation-oriented code issues, scripting-languages (JavaScript, TypeScript, Shell, PowerShell, Ruby, etc.) included.
CVSS
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS is a published standard used by organizations worldwide, and the SIG's mission is to continue to improve it.
Security Reviewer classifies every single vulnerability risk as well as application risk using CVSS 3.1 standard.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
Static Reviewer provides PCI-DSS 4.0, 3.2.1 and 2.0 (for compatibility) reporting for all financial applications it analyzes. Static Reviewer covers the following PCI-DSS requirements:
PCI DSS requirement | Description |
6.1 | Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. |
6.2 | Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendorsupplied security patches. Install critical security patches within one month of release. |
6.3 | Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
|
6.4.3 | Production data (live PANs) are not used for testing or development |
6.4.4 | Removal of test data and accounts from system components before the system becomes active / goes into production |
6.4.5.3 | Functionality testing to verify that the change does not adversely impact the security of the system. |
6.5 | Address common coding vulnerabilities in software- development processes as follows:
|
6.5.1 | Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. |
6.5.2 | Buffer overflows |
6.5.3 | Insecure cryptographic storage |
6.5.4 | Insecure communications |
6.5.5 | Improper error handling |
6.5.6 | All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). |
6.5.7 | Cross-site scripting (XSS) |
6.5.8 | Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). |
6.5.9 | Cross-site request forgery (CSRF) |
6.5.10 | Broken authentication and session management. |
6.6 | For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
|
Changes to PCI DSS’s layout and descriptions v.4.0 include:
More accurate requirement titles
Additional direction and guidance provided in the Overview section
Requirements organized into Security Objectives
Requirements refocused as objective or outcome-based statements
Clear identification of Intent (Objective) for each requirement
Expanded Guidance
As with previous iterations of the PCI DSS, Security Reviewer expects that there will be a grace period for organizations to comply with the newly defined requirements, and PCI DSS version 3.2.1 will remain valid for a period of time to support organizations transitioning to the new version of the standard.
ISO 5055
The new ISO/IEC 5055:2021, promoted by CISQ, is focused on only 4 of the 8 characteristics provided by ISO 27010, making easier to determine how trustworthy, dependable, and resilient a software will be. Those characteristics are:
Security
Reliability
Performance Efficiency
Maintanability
What If feature is also provided, see related section above.
ISO 5055 generates new Findings; they can audit like Security or Deadcode ones.
You can drill-down to Source Code, by pressing </> Source Code button.
Green Cloud
A Green Cloud is an approach to cloud computing that aims to reduce energy consumption and environmental impact when deploying digital devices and systems. Cloud services are inherently more sustainable than on-premises IT infrastructure. Not only do public cloud data centres consume energy more efficiently and offer fixed pricing structures, but they are also able to consolidate energy demand from multiple organisations – managing resource use better as a result.
Though organisations can be wary of the disruption posed by cloud migrations, the entire process can be completed in a matter of days to exemplary standards. And, though each organisation will vary, one report contends that cloud migrations have the potential to reduce energy consumption by 65%, and carbon emission by 84%. It even puts savings on the total cost of ownership at 30-40%!
For many public sector organisations navigating public pressure and rising energy costs, these statistics will be enticing. The good news is that harnessing the power of green cloud computing is within your reach – you just need an expert cloud partner and the right tools to take you there.
Green Cloud doesn’t mean sustainable data centres, but it means also Green Software, in terms of:
Cloud-Ready applications
Efficient Resource Usage through Green Software
Turn off unnecessary, unused application’s workloads
Review application’s architecture for expensive tasks
Sustainable (Green) Software is designed and coded to require less power and fewer machines (as known as carbon efficiency) to perform the same tasks. It also aims to draw power at times and in places where the available electricity comes from low carbon sources like wind, solar, geothermal, hydro, or nuclear. This is called carbon awareness and is a fundamental concept of sustainable computing.
Storing less information and compressing it can also lower your carbon footprint. There are open-source projects and standards and guides available that can be used to increase sustainability in software development. Measurement standardization is needed to compare the environmental impact of your apps and your cloud suppliers. Security Reviewer helps you to be Cloud-Ready and to become a Green Software developer company. See related sections below.
It means running highly available products and services on top of variably available power calls for flexibility and targeted efficiency from cloud providers and users.
Adrian Cockcroft spoke about sustainability in development and operations at QCon San Francisco 2022 and will give a talk about the future of sustainability measurements at QCon London 2023.
In most cases, working to optimize for saving money by making code more efficient will also end up saving carbon, Cockcroft said. This helps focus work, as if you aren’t spending a significant amount of money on running the code, then it’s probably not worth worrying about it from a sustainability perspective.
Some specific ideas for developers that Cockcroft mentioned are to do less work in the first place by being thoughtful with business requirements and using better algorithms. Then to use more efficient languages like Rust to implement compute intensive code, pick highly optimized libraries like http://simdjson.org for JSON processing, and Z-STD for compression.
Further, he suggested storing less information and compressing it if it’s going to persist. Set up storage lifecycle optimization like S3 Intelligent Tiering or archive to tape which has the lowest carbon footprint. For frontend work, minimize the size of images and code in web pages, and tune mobile apps to use less power.
Cockcroft mentioned several open source projects aimed at measuring the energy use of Kubernetes based workloads: KEPLER: Kubernetes Efficient Power Level Exporter, Quarkus, a very efficient Java framework that enables significant savings compared to traditional Java stacks, CLEVER (Container Level Energy-efficient VPA Recommender that uses Kepler as an input for a Vertical Pod Autoscaler recommender, and PEAKS (Power Efficiency Aware Kubernetes Scheduler). In case you want to start in the right way, you should start to be Green from earlier development phase, or you could adapt your existing software by using the right tools.
Cloud-Ready
It is useful when:
You want to migrate your apps to the Cloud
You want to check if your Cloud Apps are up to date
With Static Reviewer you can detect, classify and browse the vulnerabilities by Cloud Platform:
Generic
Amazon AWS
Microsoft Azure
Google Cloud
What If feature is also provided, see related section above.
Cloud-Ready generates new Findings; they can audit like Security or Deadcode ones.
Green Software
Green Software, also known as Sustainable Software, is software that is designed, developed and implemented to limit energy consumption and have minimal environmental impact. Green Software engineering takes into consideration software practices and architecture, hardware and data center design, electricity markets and climate change. In addition, Green Software engineering aims to generate fewer greenhouse gas emissions and reduce a company's carbon footprint.
Principles of Green Software
The principles of green software are a set of concepts that software engineers should follow when they're designing, building and deploying sustainable software applications. There are eight principles of green software development:
Carbon. Developers should build software that offers value to users, while producing fewer carbon emissions.
Electricity. Energy-efficient applications use software components that don't consume much energy.
Carbon intensity. Intensity refers to the amount of carbon emissions that is generated for every kilowatt per hour of electricity that's used. Companies should consume as much as electricity as possible from renewable energy sources, which have lower carbon intensity.
Embodied, or embedded, carbon. Embodied carbon is how much carbon is released when companies develop and dispose of electronic devices. This principle calls for organizations to build software that reduces the amount of carbon that's released when they develop and dispose of electronic devices.
Energy proportionality. Energy proportionality is the relationship between how much a device is used and the electricity the device uses. The more someone uses a device, the better it can convert electricity. The goal of this principle is to maximize the energy efficiency of the hardware by ensuring a high rate of utilization.
Networking. Sent and received data travels across multiple devices that are connected in the network, including routers, switches and servers. Each of these devices contains embedded carbon and uses electricity. The objective is to decrease carbon emissions and increase the energy efficiency of the software by reducing the size of the data, as well as how far it must travel across the network.
Demand shaping. This describes moving the demand for computing power to another time or region and shaping it to match the supply that's available.
Measurement and optimization. Implementation of long-term, consistent optimization strategies can boost the overall carbon efficiency of software.
Benefits of Green Software
There are business benefits, as well as environmental benefits, to green software, including the following:
Less complicated architecture. Since the structure of green software typically has fewer interdependencies, green software systems are usually less complicated and, therefore, use less energy.
Faster computing speed. Less complicated software tends to be faster.
Cost savings. Green applications use less energy, meaning lower energy costs.
Brand loyalty. Today, most consumers gravitate toward companies with sustainable business practices and green products. Organizations that support environmental issues and reduce their carbon footprint by developing and/or using green software can build brand loyalty. Investors are taking note, investing in companies using strategies such as environmental, social and governance.
Finding and remediating Green deficiencies, source code patterns that drive excessive use of resources, helps organizations reduce greenhouse gas emissions caused by their custom-built applications.
For example, an application using SQL queries inside a loop consumes more CPU cycles (energy) than one where the loop logic is coded inside the query.
Our implementation
Using this Security Reviewer Green Software feature, you can check how much your Apps are compliant to CISQ Green IT using Automated Source Code Green Measure.
The following Programming Languages are supported:
Java
JavaScript
TypeScript
NodeJS
Pyhton
C#, vb.net
PHP
GO
Rust
Scala
Kotlin
C
C++
Objective-C/C++
Swift
ABAP
SQL (various dialects)
You have 5 Ratings:
Green. Your App is OK
Migrate. You have to change something in the Infrastructure to be Green
Update. You have to update some APIs
Refactor. You have to refactor the App
Deactivate. Rewrite the App is suggested.
What If feature is also provided, see related section above.
Green Software generates new Findings; they can audit like Security or Deadcode ones.
You can drill-down to Source Code, by pressing </> Source Code button.
Green Impact Index
Using Team Reviewer dashboard, you can combine scan results with a special Engagement Survey (part of Team Reviewer' standard), designed for Green Software, resulting inaì the Gree Impact Index. This survey comes with standard questions, that can be fully customized.
SAP-BIZEC
Security Reviewer supports Most Common SAP Vulnerabilities SAP BIZEC TEC/11, APP/11 and HANA/11.
The business application security initiative is a non-profit alliance that focuses on security defects in SAP business applications.
These applications are responsible for processing and managing the most critical business information and processes, which turns their protection into a key subject for private, governmental and defense organizations around the globe.
These days, many security professionals believe that SAP security is a synonym for "Segregation of Duties" and authorizations. While functional security is highly important, there are many other threats which imply higher levels of risk and are not usually properly assessed. The work of BIZEC is centered on risk rather than on technical details. This enables organizations to understand the impact of application security vulnerabilities and prioritize their mitigation accordingly
WASC
The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors using Security Reviewer WASC classification will have the ability to access a consistent language and definitions for web security related issues.
Security Reviewer has been evaluated using Web Application Security Scanner Evaluation Criteria (WASSEC).
DISA Control Correlation Identifier Version 2
Defense Information Systems Agency (DISA) organizations are strictly regulated and must ensure their systems are securely configured and that the systems comply with the applicable security policies. According to the Information Assurance Support Environment (IASE), who maintains the Control Correlation Identifier (CCI) list, and provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks. CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies. Security Reviewer suite provides references to those controls inside the Reports and the dashboard, Team Reviewer.
NIST Special Publication 800-53 Revision 5
This NIST SP 800-53 database represents the controls defined in NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. These next generation controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience. Security Reviewer suite provides references to those controls inside the Reports and the dashboard, Team Reviewer.
COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.