Web Application Security with Automated Static Source Code Analysis and Verification
Multi-Language Support: J2EE (Java, JSP), .NET, ASP, PHP

Armorize CodeSecure™ is the most advanced web application security solution of its kind. This web-based automated Static Source Code Analysis and Verification platform provides compiler-independent assessment of web application source code, detecting vulnerabilities and offering guidance on remediation. CodeSecure™ is highly efficient in identifying vulnerabilities such as Cross Site Scripting (XSS) and SQL Injection and, as an appliance-based browser-accessible solution, it features ease of installation and configuration with minimal overheads and maximum scalability across the enterprise. By deploying CodeSecure™ early in the Software Development Life Cycle (SDLC), vulnerabilities are identified, understood, and remedied by the developers with minimal cost and impact on project progress.
[Figure: software development lifecycle diagram; the rotated phase labels are not recoverable from the extracted text]

… lifecycle, and may locate the exact vulnerable line of code, the process … …ties within web application source code. Built on 3rd generation technology, this non-intrusive process scans source code during development, pinpointing the exact vulnerable source code statement, highlighting its propagation through the application and providing specific guidance for remediation. By detecting vulnerabilities early in the development process, developers have time to properly address the root cause well in advance of deployment. CodeSecure™ is highly accurate and, as it is automated, it offers a low-cost security process that is repeatable throughout the Software Development Life Cycle (SDLC) allowing measurement of progress and improvement. CodeSecure™ is based on award-winning technology which, combined with its ease of installation, configuration and management, makes it the most advanced, most effective, and most comprehensive Source Code Analysis solution on the market.

Armorize CodeSecure™: Automatic Source Code Analysis and Verification tool identifies and recommends fixes for security flaws in source code during the early stages of the Web application Software Development Life Cycle (SDLC).
How Does CodeSecure™ Work?
As a compiler-independent static analysis and verification solution, CodeSecure™ leverages 3rd generation technology to detect vulnerabilities in web application source code. During scanning, CodeSecure™ parses the code according to programming language rules, forming an overall picture of the application. Performing pure data-flow analysis on the code with control-flow analysis to address the doubling in state space for each conditional branch, it systematically checks for vulnerabilities and tainted variables. As CodeSecure™ is not based on attack signatures but on pattern-free algorithms, it determines the behavioral outcomes of input data by calculating all possible execution paths. It is extremely effective in finding instances of code that make the web application vulnerable to exploits such as Dataflow attacks, Cross Site Scripting (XSS), Injection (SQL, File, XPATH, reflection), File Inclusion, Malicious File Execution and Information Leakage. Reports, which can be customized for executive, development and security personnel, provide a detailed trace between the original vulnerable entry point and the exploit action, as well as risk assessment based on the depth, severity and scope of each vulnerability.
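The entry-point-to-sink tracing described above (tainted input propagating through assignments, branches merged so that every execution path is considered, sanitizers clearing a flow for a given sink class, and a trace reported from the original entry point to the exploit action) can be illustrated with a small taint-propagation analysis. The following Python is an added example written for this page; it is not Armorize's engine or any CodeSecure™ code. The three-address statement format, the sanitizer-to-sink mapping and the sample program are all constructed for illustration.

```python
"""Toy taint analysis over a constructed statement list.

Sources (request parameters) taint variables; assignments propagate taint;
sanitizers clear taint for one class of sink; both branches of an `if` are
analysed and their states merged (may-analysis), so a sanitizer applied on
only one path does not silence the finding on the other path.
"""
from dataclasses import dataclass

# Assumed mapping for this toy: which sanitizer neutralises which sink class.
SANITIZERS = {"html_escape": {"html"}, "sql_param": {"sql"}}


@dataclass(frozen=True)
class Taint:
    source: str                        # entry-point label, e.g. "request.param('q')"
    trace: tuple                       # statement ids the value passed through
    cleared: frozenset = frozenset()   # sink classes this flow is already safe for


def merge(a, b):
    """Union the taint sets of two branch states (may-analysis)."""
    return {v: a.get(v, set()) | b.get(v, set()) for v in set(a) | set(b)}


def analyze(stmts, state=None, findings=None):
    """Walk a statement list and return (final_state, findings).

    Statement forms (all constructed for this example):
      ("source",   id, var, label)            var receives untrusted input
      ("assign",   id, var, [operand_vars])   var derived from operands (concat etc.)
      ("sanitize", id, var, src, name)        var = name(src)
      ("sink",     id, kind, var)             var reaches a sink of class kind
      ("if",       id, then_stmts, else_stmts)
    """
    state = {} if state is None else {k: set(v) for k, v in state.items()}
    findings = [] if findings is None else findings
    for st in stmts:
        op = st[0]
        if op == "source":
            _, sid, var, label = st
            state[var] = {Taint(label, (sid,))}
        elif op == "assign":
            _, sid, var, operands = st
            state[var] = {Taint(t.source, t.trace + (sid,), t.cleared)
                          for o in operands for t in state.get(o, set())}
        elif op == "sanitize":
            _, sid, var, src, name = st
            cleared = frozenset(SANITIZERS[name])
            state[var] = {Taint(t.source, t.trace + (sid,), t.cleared | cleared)
                          for t in state.get(src, set())}
        elif op == "sink":
            _, sid, kind, var = st
            for t in state.get(var, set()):
                if kind not in t.cleared:   # tainted and not sanitised for this sink
                    findings.append({"sink": sid, "kind": kind,
                                     "source": t.source, "trace": t.trace + (sid,)})
        elif op == "if":
            _, sid, then_b, else_b = st
            s_then, _ = analyze(then_b, state, findings)
            s_else, _ = analyze(else_b, state, findings)
            state = merge(s_then, s_else)
        else:
            raise ValueError(f"unknown statement {op!r}")
    return state, findings


# Constructed sample program, modelled on a search page that echoes a query
# string and builds a user lookup from a request parameter.
PROGRAM = [
    ("source", "s1", "q", "request.param('q')"),
    ("source", "s2", "uid", "request.param('uid')"),
    ("if", "s3",
        [("sanitize", "s4", "safe_q", "q", "html_escape")],   # one path escapes
        [("assign", "s5", "safe_q", ["q"])]),                 # the other forgets to
    ("assign", "s6", "page", ["safe_q"]),
    ("sink", "s7", "html", "page"),                           # echo into response
    ("assign", "s8", "sql", ["uid"]),                         # string-built query
    ("sink", "s9", "sql", "sql"),
    ("sanitize", "s10", "uid_p", "uid", "sql_param"),         # bound parameter
    ("sink", "s11", "sql", "uid_p"),                          # safe: no finding
]


def run_example():
    """Return the findings for PROGRAM, each with its entry-point-to-sink trace."""
    _, findings = analyze(PROGRAM)
    return findings


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['kind']} at {f['sink']}: {f['source']} -> {' -> '.join(f['trace'])}")
```

Running it reports two flows: an XSS-class finding at `s7` reached only through the unsanitised `else` path (`s1 -> s5 -> s6 -> s7`), and a SQL-class finding at `s9` (`s2 -> s8 -> s9`). The sink at `s11` is silent because the `sql_param` sanitizer cleared the flow for SQL sinks, which is the per-sink-class distinction a real analysis needs: HTML escaping must not be treated as protection against SQL injection, and vice versa.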
CodeSecure™ Process (diagram): Source Code Selection (.php, .jsp, .asp) → Parsing Process → Entry Point Analysis → Source Code Verification (Inter-procedural Analysis, Intra-procedural Analysis, Control Flow Analysis, Data Flow Analysis, Entry Point Analysis, Context Sensitive Analysis, Path Sensitive Analysis) → Vulnerability Exploit Analysis → Reports (Executive Report, Security Report, Development Report)
Using CodeSecure™
CodeSecure™ allows project leaders to ensure timely completion of the source code analysis and verification process in five easy steps:
1. Create / Select a Project: Create / Assign Users; Import / Refresh Source Code
2. Create / Select Policy: Select Policy Rules
3. Create / Select Report Setting: Select Reporting Schedule; Select Reporting Options
4. Start Scan: Manual or Automated
5. View Assessment Report: Compare Assessment History; Evaluate Policy Conformance
• … of a single appliance
• Deployment teams and IT professionals benefit from minimal installation effort, overhead and maintenance costs
• Senior Management benefits from the executive level reports at the project level, facilitating analysis of team performance as well …
• Security and development personnel benefit from detailed technical reports highlighting security issues, coding flaws and …
• Managers, Developers and Security Auditors can instantly view their personalized dashboards via Web browser without extra client-side installation. This enables ongoing assessment and measurement of policy conformance, security awareness processes and training initiatives
• Developers can leverage the appliance resources within their desktop IDE, analyzing their code and addressing vulnerabilities immediately
CodeSecure™ Overview
CodeSecure™ was developed with Web application security in mind, and Armorize has
committed extensive energy and resources into developing an easily integrated, easily
managed secure coding framework. The rich features of CodeSecure™ are accessible via
either web-browser or through IDE plug-in from anywhere in the enterprise, providing
centralized management and administration of multiple source code analysis projects.
CodeSecure™ Enterprise
• Personalized Assessment
• Role-based Dashboard
• Customized Report (html/pdf/xml)
• Comprehensive Traceback
• Intuitive Quick Help and Wizard
• Multi-user, multi-group, multi-project capability
• AD/LDAP Support
• Export reports to WAF policy

CodeSecure™ WorkBench
• Innovative Security Features
• Learn-as-you-go Security plug-ins
• Data-flow Analysis
• Fix Suggestions
• Quick Assessment
• Easy File-explorer Navigation
• On-the-fly Per-file/directory Scanning
• HTML Report
CodeSecure™ WorkBench
CodeSecure™ WorkBench was designed for the individual developer. Downloaded directly
from CodeSecure™ Verifier, WorkBench integrates with the local IDE leveraging the appliance’s
enterprise-level resources to provide an easily navigable desktop environment in which source
code vulnerabilities can be detected, analyzed and removed.
CodeSecure™ Applications
Vulnerabilities Coverage
• Cross-Site Scripting (CWE 79)
• SQL Injection (CWE 89)
• Command Injection (CWE 77)
• File Inclusion (CWE 98)
• Resource Injection (CWE 99)
• Information Leak of System Data (CWE 497)
• Hard-Coded Password (CWE 259)
• Open Redirect (CWE 601)
• XPath Injection (CWE 91)
• API Abuse (CWE 227)
• HTTP Response Splitting (CWE 113)
• LDAP Injection (CWE 90)
• Reflection Injection
• Tag Injection

Developer Environment
• Plug-ins for Multiple IDEs
• CodeSecure™ Standalone IDE

Web Application & Product Development
In-house developed software relies heavily on periodic peer review and third-party manual code reviews to detect vulnerabilities before deployment.
Scan it with CodeSecure™
The source code verification capabilities of CodeSecure™ can be used routinely to help developers detect and fix vulnerabilities as early and quickly as possible.

Validation of Outsourced Projects
Checking the integrity of outsourced projects has always been a large drain on time, effort and expenses, since not every development team member is a security expert.
Validate it with CodeSecure™
The automated static analysis and verification capabilities of CodeSecure™ get the job done by identifying security flaws in outsourced projects.

Refinement of Advanced Penetration Testing
Many businesses use penetration testing tools as a security assessment measure to identify security vulnerabilities after products have already been developed or deployed. However, penetration testing suffers from limited and ambiguous countermeasures, as it cannot tell developers which lines of code are actually generating vulnerabilities.
From static source code analysis and verification with CodeSecure™ to real-time web application protection with SmartWAF™ and malicious code detection with HackAlert™, Armorize Technologies' award-winning solutions are the culmination of years of research and innovation.
Led by a number of internationally acclaimed security veterans and financed by top Silicon Valley investors, the company was
formed in 2005 with its headquarters in Santa Clara, CA, and its R&D centre in the Nan Kang Software Park in Taipei, Taiwan.
Armorize has a global customer base with clients from among finance, telecom, government and technology sector leaders.
CodeSecure and HackAlert are registered trade marks of Armorize Technologies Inc.
©2009 Armorize Technologies co., Ltd. All Rights Reserved.