The new release, Code Dx 1.6, features integration with Microsoft Visual Studio and Eclipse, as well as Git and Jenkins, enabling developers to more effectively identify, report and fix weaknesses throughout the software development lifecycle.
"Code Dx helps eliminate weaknesses in software before hackers have a chance to exploit them," said Anita D'Amico, director of Secure Decisions. "Developers can simply feed their source code into Code Dx any time during the software development lifecycle, and Code Dx automatically selects and runs the appropriate open-source SAST tools for each language in the software code base. The primary focus of our development team for version 1.6 was integration. By providing seamless integration with popular development tools, Code Dx enables a more streamlined process to continually include security in the software development lifecycle."
The number of U.S. data breaches reached a record high in 2014, increasing 27.5 percent from 2013, according to the Identity Theft Resource Center. Industry experts and the Department of Homeland Security (DHS) have traced most compromises to poorly written software. By leveraging Static Application Security Testing (SAST) tools, vulnerabilities can be identified during the development cycle and as part of the acquisition process.
By providing plug-ins for the Visual Studio and Eclipse integrated development environments (IDEs), Code Dx eliminates a major step for developers during the testing process, saving time. Developers can now remain in the Visual Studio or Eclipse environment to find bugs and then fix them, eliminating the need to go back and forth between the Code Dx Web interface and IDE. They can also double-click on anything in the report and see the relevant source so that an issue can be fixed right then and there.
Also, through its integration with the popular Git version control system for software developers, Code Dx users now just need to configure it once and point Code Dx directly to their source code repository, and Code Dx will then automatically fetch the source and run it through the scanners. This saves users from having to package up their source code each time, push it to Code Dx and scan it.
Moreover, tight integration with the Jenkins continuous integration server for Java environments means the Code Dx plug-in can sit on the same project. As Jenkins processes the code and finds any errors, it can then pass artifacts over to Code Dx to be scanned for vulnerabilities.
Studies show that more than 80 percent of computer attacks are traceable to vulnerabilities in software inadvertently placed there during the development cycle. Code Dx helps developers and security analysts find, prioritize and visualize vulnerabilities in Java, C++, C# and Ruby on Rails source code.
Developed under the DHS Science & Technology (S&T) Directorate Small Business Innovative Research (SBIR) program, Code Dx's visual analytics help engineering professionals — including software developers, security auditors, compliance officers and quality assurance engineers—triage and prioritize detected software vulnerabilities for effective remediation. It has been featured on DHS's Software and Supply Chain Assurance Website.
Code Dx is a software assurance analytics tool that consolidates and normalizes software vulnerabilities detected by multiple code analysis tools. Its visual analytics help triage and prioritize software vulnerabilities for efficient remediation. It was designed and developed to address the security needs of software developers, security analysts, security auditors and chief information security officers (CISOs).