Code Dx, the Platinum Award Winner in the 2017 ‘ASTORS’ Homeland Security Awards Program for Best Cyber Security for Application Management, is pleased to announce Code Dx Enterprise has been nominated to compete in the 2018 ‘ASTORS’ Awards Program.
“Application security testing (AST) has become a necessity as the application layer is now the most common attack vector,” explains Anita D’Amico, Ph.D., CEO of Code Dx.
According to the Department of Homeland Security (DHS), up to 90% of cyber incidents are traceable to software flaws that were exploited by attackers.
There are many AST tools and techniques (e.g. static, dynamic, hybrid) to help software developers and security analysts find vulnerabilities at every stage of the software development lifecycle, but the truth is, no single tool will catch every weakness.
Developers need to, and do, use many tools to secure their applications. Additionally, despite the prevalence of so many AST tools, many developers and security analysts simply don’t use these tools as prescribed because of cost and operational obstacles.
These obstacles include:
- Difficulty in building security testing directly into the software development or DevOps process
- High cost of using multiple tools
- Weeks of manpower needed to combine and correlate the findings from multiple testing tools into one format for easy remediation and reporting, and
- Weeks of time prioritizing thousands of vulnerabilities, so that the most critical and those non-compliant with government regulations get fixed first.
Code Dx, Inc. understands these challenges and developed the Code Dx Enterprise Application Vulnerability Manager to help secure the software supply chain. It provides an easy-to-use and affordable application vulnerability correlation and management solution, enabling organizations to overcome the obstacles that deter them from using AST tools.
This breakthrough product automates many of the manpower-intensive activities needed to run AST tools, consolidates the results, and prioritizes the reported vulnerabilities based on industry and regulatory standards.
“Our Application Vulnerability Manager, Code Dx Enterprise, helps secure the software supply chain by providing an easy-to-use and affordable application vulnerability correlation and management solution that enables organizations to leverage the power of multiple open-source and commercial AST tools,” added Dr. D’Amico.
“With Code Dx Enterprise, organizations achieve greater vulnerability coverage, and a better assessment of overall software security risk, in less time, and with fewer resources,” said Ken Prole, CTO of Code Dx.
In an environment where skilled security analysts and developers are in short supply, “doing more with less” is a must – the breakthrough in Code Dx Enterprise is this ability to amplify the effects of an AppSec teaming of people and tools to achieve higher-value results in less time, with less effort.
Code Dx Enterprise takes in reports of vulnerabilities produced by a wide range of commercial and open-source static and dynamic tools, together with those found by manual code reviews, automatically correlates them, and removes duplicates.
Using Code Dx throughout your AppSec testing cycle will dramatically reduce your testing time, letting you get your product into your customers’ hands under budget and on schedule. It also automatically checks the vulnerability status of third-party libraries that may be built into the code.
Results are easily prioritized and, through Jira integration, assigned for remediation.
It even maps findings to industry and government standards, so organizations can identify vulnerabilities that are potential violations of HIPAA, PCI, or DISA STIG regulations.
Finally, Code Dx Enterprise exposes its work to developers from within their integrated development environment, so developers and security analysts can work together to conduct their security tests and remediate the problems within their normal workflow.
In April 2018, the company released Code Dx Enterprise 3.0, which now offers Hybrid Analysis Mapping capabilities, bridging static and dynamic software analysis tools for improved vulnerability prioritization.
This new capability correlates the results of SAST and DAST tools, enabling users to see which of the source code weaknesses are actually exploitable from the perspective of an external attacker. Because the perspectives and techniques used by SAST and DAST tools are very different, combining the outside-in approach of DAST tools with the inside-out approach of SAST tools makes it easy for users to see the most critical true positives that need to be fixed first. With hybrid analysis, users can see where to apply their resources to fix real problems in code that are, without question, exploitable by an attacker.