Software:Security Reviewer

From HandWiki
Revision as of 07:04, 6 August 2023 by MainEditor (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Security Reviewer
Developer(s)Knowledge Center
Stable release
2023-6.00.03 / August 1, 2023 (2023-08-01)
Operating systemCross-platform
Typestatic code analysis
LicenseProprietary
Website[1]

Security Reviewer is a solution intended for static code analysis of Software Projects, based on dynamic syntax tree. It analyze both source code and binary files and publishes a summarised view of the project Security and Quality progress. Security Reviewer is part of a suite of tools including SCA (Software Composition Analysis), DAST (PenTest), MAST (Mobile Binary Analysis) and Firmware Analysis.

The Quality Model used for static analysis is based on SQALE, ISO9126 maintanability, ISO/IEC 25010 , McCabe® Metrics, Chidamber & Kemerer Metrics Halstead Metrics and MOOD.

The Security Model is based on OWASP, CWE, CVE, CVSS, WASC, and MISRA standards.

Description

Security Reviewer executes code checks according most relevant Secure Coding Standards for commonly used programming languages. It integrates between Static Analysis (SAST) and IAST (Dynamic) analysis, directly inside Programmers IDE (Eclipse, Visual Studio). The IDE plugins are Open Source and free, independent of the number of programmers that are developing. Contract management may rely on code analysis to define levels of quality between contractors: e.g. cloning ratio, complexity of functions, specific ratings. By using such constraints stakeholders may accept or refuse a delivery based on the analysis result of the product. Using built-in design 1000+ validation rules, during Code Review process it can highlight violations and even suggest changes that would improve the structure of the system. it creates an abstract representation of the program, based on Modules, Edges and Nodes. The Rule Engine with its internal multi-thread, optimized state machine is the fastest in the market. It does not need any internal or external DBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering, makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code.

Quality Reviewer evaluates regression and understands changes in the source code using automated Software Metrics visualization (SW complexity, size and structure Metrics, Halstead Metrics, ISO 9126 maintainability, ISO 25010, Chidamber & Kemerer, SQALE), as well as Effort Estimation (WMFP, FP, COCOMO, Revic) and reporting features. It helps to keep code entropy under control, be it in house development or outsourced maintenance projects. The information collected, analysed and visualised with the SQALE methodology is easily comprehended and gives you an incomparable insight into your software development. That facilitates the communication at all levels, from the IT directors to the developers and vice versa.

How can a technical manager communicate the positive effects of his or her work if the software quality remains largely invisible? How can budgeting departments, decision makers and internal customers be convinced of the necessity of the quality and productivity enhancing measures or the complexity of a particular work request?

Quality Reviewer makes a significant contribution in this area. SQALE enhanced reporting feature gives an overview of your entire software landscape which even non-technical individuals can understand easily. Managers and decision makers can see evidence of the quality of the system and the productivity increases achieved and can therefore be more easily convinced of measures such as software quality assurance. In reverse, developers and team leaders can show managers and directors what they have achieved. You can create custom Anti-Patterns based on metrics’ search queries, using graphs to interpret the impact of the values. When metrics based searches to quick access to elements of interest, saving these queries serve as input for custom analysis. Primitive Metrics: McCabe® Cyclomatic Complexity (vG), Essential Complexity (evG) Normal vG, sum vG, ivG, pvG, Cyclomatic Density, Design Density, Essential Density, Maintenance Severity, pctcom, pctPub, PUBDATA, PUBACCESS. SEI Maintanability Index (MI3, MI4), LOC, SLOC, LLOC. Halstead Length, Vocabulary, Difficulty, Effort, Errors, Testing Time, Predicted Length, Purity Ratio, Intelligent Content. OOP LOCM, Depth, Weighted Methods Complexity (WMC), LCOM, LCOM HS, CBO, DIT, RFC, NOA, NOC, NPM, FANIN, FANOUT, #Classes, #Methods, #Interfaces, #Abstract, #Abstractness, #DepOnChild.

Computed Metrics: let you define a new higher-level metric by specifying an arbitrary set of mathematical transformations to perform on a selection of Primitive metrics. A number of Computed Metrics are set by default, like: Class Cohesion rate, Class Size (CS), Unweighted Class Size (UWCS), Specialization/Reuse Metrics, Logical Complexity Rate (TEVG), Class Complexity Rate (TWMC), Information Flow (Kafura & Henry), ISBSG Derived Metrics, Structure Complexity, Architectural Complexity Metrics, MVC Points (Gundappa).

Supported Programming Languages: C#, Vb.NET, ASP, ASPX, JAVA, JSP, JavaScript, Ruby, Python, Groovy, Flex, ActionScript, HTML, XML, XPath, C, C++, PHP, Objective-C, COBOL, ABAP, PL/SQL, T/SQL, Teradata SQL, ANSI SQL, IBM DB2, IBM Informix, MySQL, FireBird, PostGreSQL, SQLite.


See also

References


External links