
Armorize CodeSecure™

Find Critical Vulnerabilities In Your Source Code

Web Application Security with Automated Static Source Code Analysis and Verification
Multi-Language Support: J2EE (Java, JSP), .NET, ASP, PHP

Armorize CodeSecure™ is the most advanced web application security solution of its kind. This web-based automated Static Source Code Analysis and Verification platform provides compiler-independent assessment of web application source code, detecting vulnerabilities and offering guidance on remediation. CodeSecure™ is highly efficient in identifying vulnerabilities such as Cross Site Scripting (XSS) and SQL Injection and, as an appliance-based browser-accessible solution, it features ease of installation and configuration with minimal overheads and maximum scalability across the enterprise. By deploying CodeSecure™ early in the Software Development Life Cycle (SDLC), vulnerabilities are identified, understood, and remedied by the developers with minimal cost and impact on project progress.

Why is Automated Source Code Analysis Necessary

Current software development practices tend to view security as a back-end issue that is frequently “bolted-on” after development; typically through assessment, alteration and modification processes. Solutions such as vulnerability assessment and penetration testing must be performed after the application is completely up-and-running, leaving little time to address the root cause of detected vulnerabilities. They are also expensive, typically result in a large number of false positives and can rarely pinpoint the actual source of the vulnerability. While manual code review can be initiated earlier in the lifecycle, and may locate the exact vulnerable line of code, the process offers low repeatability and is extremely time consuming and costly.

CodeSecure™, Armorize Technologies’ patent-pending, leading-edge source code analysis and verification technology, is shifting this paradigm by incorporating low-overhead, highly accurate automated security controls directly into the application development process at the source code level.

[Figure: Web Application Development Process cycle]

Fast Efficient Accurate Source Code Analysis with CodeSecure™

CodeSecure™ offers accurate and efficient detection of security vulnerabilities within web application source code. Built on 3rd generation technology, this non-intrusive process scans source code during development, pinpointing the exact vulnerable source code statement, highlighting its propagation through the application and providing specific guidance for remediation. By detecting vulnerabilities early in the development process, developers have time to properly address the root cause well in advance of deployment. CodeSecure™ is highly accurate and, as it is automated, it offers a low-cost security process that is repeatable throughout the Software Development Life Cycle (SDLC) allowing measurement of progress and improvement. CodeSecure™ is based on award-winning technology which, combined with its ease of installation, configuration and management makes it the most advanced, most effective, and most comprehensive Source Code Analysis solution on the market.

Armorize CodeSecure™ Automatic Source Code Analysis and Verification tool identifies and recommends fixes for security flaws in source code during the early stages of the Web application Software Development Life Cycle (SDLC).

How Does CodeSecure™ Work?
As a compiler-independent static analysis and verification solution, CodeSecure™ leverages 3rd generation technology to detect vulnerabilities in web application source code. During scanning, CodeSecure™ parses the code according to programming language rules, forming an overall picture of the application. It performs data-flow analysis on the code, combined with control-flow analysis to handle the doubling of the state space at each conditional branch, and systematically checks for vulnerabilities and tainted variables. As CodeSecure™ is not based on attack signatures but on pattern-free algorithms, it determines the behavioral outcomes of input data by calculating all possible execution paths. It is extremely effective in finding instances of code that make the web application vulnerable to exploits such as Dataflow attacks, Cross Site Scripting (XSS), Injection (SQL, File, XPATH, reflection), File Inclusion, Malicious File Execution and Information Leakage. Reports, which can be customized for executive, development and security personnel, provide a detailed trace between the original vulnerable entry point and the exploit action, as well as risk assessment based on the depth, severity and scope of each vulnerability.
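The taint-tracking idea described above, as an added illustration that is not Armorize's code: a toy intra-procedural data-flow analysis over Python's ast module that follows attacker-controlled input from an entry point to a sink, clears taint at a sanitizer, and merges taint across both branches of a conditional so that a value tainted on either path is reported. The source, sanitizer and sink names and the sample handler are constructed for the example.

```python
import ast
# Constructed sample handler (not from the page): the SQL sink gets raw input; the HTML sink does not.
SAMPLE = '''
name = request.args.get("name")
if name:
    safe = html.escape(name)
else:
    safe = "anon"
cursor.execute("SELECT * FROM u WHERE n='" + name + "'")
render("<p>" + safe + "</p>")
'''
SOURCES = {"request.args.get"}   # entry points: values under attacker control
SANITIZERS = {"html.escape"}     # calls whose result is treated as clean
SINKS = {"cursor.execute": "SQL Injection (CWE 89)", "render": "Cross-Site Scripting (CWE 79)"}

def qualname(node):
    if isinstance(node, ast.Attribute):
        return qualname(node.value) + "." + node.attr
    return node.id if isinstance(node, ast.Name) else ""
def taint_origin(expr, env):
    """Line on which the taint in expr entered the program, or None if expr is clean under env."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id)
    if isinstance(expr, ast.BinOp):           # string concatenation propagates taint
        return taint_origin(expr.left, env) or taint_origin(expr.right, env)
    if isinstance(expr, ast.Call):
        fn = qualname(expr.func)
        if fn in SOURCES or fn in SANITIZERS:
            return expr.lineno if fn in SOURCES else None
        return next((o for a in expr.args if (o := taint_origin(a, env))), None)
    return None
def analyze_block(stmts, env):
    findings = []                             # env maps variable -> line of its taint source (or None)
    for s in stmts:
        if isinstance(s, ast.Assign):
            env[s.targets[0].id] = taint_origin(s.value, env)
        elif isinstance(s, ast.If):           # control flow: analyze both branches, then merge
            t_env, f_env = dict(env), dict(env)
            findings += analyze_block(s.body, t_env) + analyze_block(s.orelse, f_env)
            for v in set(t_env) | set(f_env): # tainted if tainted on either path (may-analysis)
                env[v] = t_env.get(v) or f_env.get(v)
        elif isinstance(s, ast.Expr) and isinstance(s.value, ast.Call):
            fn = qualname(s.value.func)
            if fn in SINKS:
                findings += [(SINKS[fn], o, s.lineno) for a in s.value.args if (o := taint_origin(a, env))]
    return findings
def analyze(code):
    """Return (vulnerability, entry-point line, sink line) triples: the trace a report would show."""
    return analyze_block(ast.parse(code).body, {})
```

Running analyze(SAMPLE) reports only the SQL sink, with the entry point on line 2 and the sink on line 7; the HTML sink is clean because the value reaching it is sanitized on one path and a constant on the other.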

CodeSecure™ Process

1. Source Code Selection (.php, .jsp, .asp)
2. Parsing Process
3. Entry Point Analysis
4. Source Code Verification: Inter-procedural Analysis; Intra-procedural Analysis; Control Flow Analysis; Data Flow Analysis; Entry Point Analysis; Context Sensitive Analysis; Path Sensitive Analysis
5. Vulnerability Exploit Analysis
6. Reports: Executive Report; Security Report; Development Report

Using CodeSecure™
CodeSecure™ allows project leaders to ensure timely completion of the source code analysis and verification process in five easy steps:

1. Create Project: Create / Select a Project; Create / Assign Users; Import / Refresh Source Code
2. Set Policies: Create / Select Policy; Select Policy Rules
3. Select Report Setting: Create / Select Report Setting; Select Reporting Schedule; Select Reporting Options
4. Run Scan: Start Scan; Manual or Automated
5. Review Assessment: View Assessment Report; Compare Assessment History; Evaluate Policy Conformance

Any organization that has an interest in protecting valuable and business-critical information will benefit from Armorize’s revolutionary technology.

• CSOs, CIOs and security analysts have access to an organization-wide source code analysis and verification solution with installation of a single appliance
• Deployment teams and IT professionals benefit from minimal installation effort, overhead and maintenance costs
• Senior Management benefits from the executive level reports at the project level, facilitating analysis of team performance as well as project status and performance
• Security and development personnel benefit from detailed technical reports highlighting security issues, coding flaws and optimized strategies for vulnerability remediation
• Managers, Developers and Security Auditors can instantly view their personalized dashboards via Web browser without extra client-side installation. This enables ongoing assessment and measurement of policy conformance, security awareness processes and training initiatives
• Developers can leverage the appliance resources within their desktop IDE, analyzing their code and addressing vulnerabilities immediately

CodeSecure™ Overview

CodeSecure™ was developed with Web application security in mind, and Armorize has committed extensive energy and resources into developing an easily integrated, easily managed secure coding framework. The rich features of CodeSecure™ are accessible via either web-browser or through IDE plug-in from anywhere in the enterprise, providing centralized management and administration of multiple source code analysis projects.

CodeSecure™ Enterprise

At the heart of the CodeSecure™ environment is CodeSecure™ Verifier. This enterprise-level pattern-free, static source code analysis and verification appliance provides a centralized platform for developers, managers and security personnel to scan multiple projects across multiple platforms and programming languages. With its ease of installation, setup and integration with the source code repository, CodeSecure™ Verifier allows application developers to hit the ground running, incorporating a security mindset into their programming methodology from the outset.

CodeSecure™ Enterprise features:
• Innovative Security Features: Built-in Parser and Transformer; Data-flow Analysis; Fix Suggestions
• Personalized Assessment: Role-based Dashboard; Customized Report (html/pdf/xml); Comprehensive Traceback; Intuitive Quick Help and Wizard; Multi-user, multi-group, multi-project capability; AD/LDAP Support; Export reports to WAF policy
• Web 2.0 User Experience: Easy Web-interface navigation; No software installation & maintenance; Centralized Configuration; Centralized Security Policy; Automatic Email Reporting; Regular Scheduled Scan; Flexible Source Code Imports

CodeSecure™ WorkBench

CodeSecure™ WorkBench was designed for the individual developer. Downloaded directly from CodeSecure™ Verifier, WorkBench integrates with the local IDE leveraging the appliance’s enterprise-level resources to provide an easily navigable desktop environment in which source code vulnerabilities can be detected, analyzed and removed.

CodeSecure™ WorkBench features:
• Innovative Security Features: Learn-as-you-go Security plug-ins; Data-flow Analysis; Fix Suggestions
• Integrated Development Environment: Plug-ins for multiple IDE environments; Standalone Eclipse-based IDE; Comprehensive Traceback; Vulnerable Syntax Highlighting
• Quick Assessment: Easy File-explorer Navigation; On-the-fly Per-file/directory Scanning; HTML Report
CodeSecure™ Applications

Vulnerabilities Coverage: Cross-Site Scripting (CWE 79); SQL Injection (CWE 89); Command Injection (CWE 77); File Inclusion (CWE 98); Resource Injection (CWE 99); Information Leak of System Data (CWE 497); Hard-Coded Password (CWE 259); Open Redirect (CWE 601); XPath Injection (CWE 91); API Abuse (CWE 227); HTTP Response Splitting (CWE 113); LDAP Injection (CWE 90); Reflection Injection; Tag Injection

Developer Environment: Plug-ins for Multiple IDEs; CodeSecure™ Standalone IDE

Web Application & Product Development
In-house developed software relies heavily on periodic peer review and third-party manual code reviews to detect vulnerabilities before deployment.
Scan it with CodeSecure™: The source code verification capabilities of CodeSecure™ can be used routinely to help developers detect and fix vulnerabilities as early and quickly as possible.

Validation of Outsourced projects
Checking the integrity of outsourced projects has always been a large drain on time, effort and expenses since not every development member is a security expert.
Validate it with CodeSecure™: The automated static analysis and verification capabilities of CodeSecure™ get the job done by identifying security flaws in outsourced projects.

Refinement of Advanced Penetration Testing
Many businesses use penetration testing tools as a security assessment measure to identify security vulnerabilities after products have already been developed or deployed. However, penetration testing suffers from limited and ambiguous countermeasures as it cannot tell developers which lines of code are actually generating vulnerabilities.
Refine it with CodeSecure™: Source code verification uses behavioral analysis to identify known and unknown vulnerabilities, pinpoints their location, and offers remediation advice.

Government & Military Zero-Day Exploit Detection
Cyber threats and information warfare have attracted attention to the security of widely deployed open source software. Major legal, regulatory and compliance initiatives require application source code analysis to detect potential Zero-Day exploits. With thousands of open source software applications in the public domain amounting to millions of lines of code, automated tools are required to complete this mission effectively and efficiently.
Find it with CodeSecure™: Let the source code verification tool discover zero-day exploits before hackers take advantage.

Armorize Headquarters
5201 Great America Parkway, Suite 320, Santa Clara, CA 95054, U.S.A.
Office: +1-408-216-7893
FAX: +1-408-583-4288

Armorize Asia Pacific R&D
NanKang Software Park, San Chong Rd, 19-13, Building E, Office 553, 5th Floor, Taipei, Taiwan
Office: +886-2-6616-0100
Fax: +886-2-6616-1100

About Armorize Technologies Inc.


Armorize Technologies provides next-generation web application security solutions traversing the System Development Life Cycle
(SDLC).

From static source code analysis and verification with CodeSecure™ to real time web application protection with SmartWAF™ and malicious code detection with HackAlert™, Armorize Technologies' award-winning solutions are the culmination of years of research and innovation.

Led by a number of internationally acclaimed security veterans and financed by top Silicon Valley investors, the company was
formed in 2005 with its headquarters in Santa Clara, CA, and its R&D centre in the Nan Kang Software Park in Taipei, Taiwan.

Armorize has a global customer base with clients from among finance, telecom, government and technology sector leaders.

For more information, please visit www.armorize.com



CodeSecure and HackAlert are registered trade marks of Armorize Technologies Inc.
©2009 Armorize Technologies co., Ltd. All Rights Reserved.
