To ensure accurate risk severity, Security Reviewer Suite correlates the results from across its multiple analyzers (SAST, DAST, IAST, Software Composition Analysis and Firmware Analysis). This provides an accurate picture of your Application's security and ensures development is addressing the most significant issues first.

Security Reviewer identifies the root cause of the problem - not just the symptom, providing line-of-code level details for more than 1100 validation rules for 40+ programming languages, compliant with the best international standards like OWASP 2017, Mobile OWASP 2016, CWE, PCI-DSS 3.2 and more.

We do not offer Consultancy Services directly to Customers. Beware of false Security Reviewer 'experts'. To ensure Project's success, we offer a Certification Program mandatory for every Consultancy Firm using our Products in a Consultancy Project at Customer's site.

bug_report

Application Inspection

It provides root-cause identification of vulnerabilities in source code and libraries. Security Reviewer is guided by the largest and most comprehensive set of secure coding rules and supports a wide array of languages, platforms, build environments and integrated development environments (IDEs). Compliant with: OWASP, CWE, CVE, CVSS, MISRA, CERT.

remove_red_eye

Dynamic Analysis

Dynamic Reviewer is an hybrid solution. You can inspect your web application during running, during the Development Lifecycle. Its special PenTest features, allowing to explore vulnerabilities in your Web Applications.

widgets

Firmware Analysis

Firmware Reviewer provides in-depth firmware analysis (binaries, file systems, containers, virtual machines, IoT, UEFI, Appliances, Network Devices, Smart Meters, Surveillance devices, Drones, etc.), allowing to explore vulnerabilities at the same time to keeping the software securely in your own hands, at your premises.

smartphone

Mobile

Mobile Reviewer is built on the software-as-a-service (SaaS) model, enabling enterprises to get on-demand security assessments of their Mobile Apps. Mobile Reviewer frees enterprises from having to spend resources on the purchase of software or Mobile device simulators, on hiring software security experts and consultants to operate it, and on constant maintenance to keep effective. With Mobile Reviewer, enterprises simply submit Apps through an online platform and quickly get back test results.

low_priority

Forget about False Positives

Our Rule Engine with its internal multi-threaded, optimized state machine based on Dynamic Syntax Tree, is the fastest in the market. It does not need any internal or external DBMS to run, and it is fully extensible via XML. Its unique capability to reconstruct an intended layering, makes it an invaluable tool for discovering the architecture of a vulnerability that has been injected in the source code, with very rare cases of False Positivies.

settings

Nothing left Uncovered

Supported Programming Languages: C#, Vb.NET, VB6, ASP, ASPX, JAVA, JSP, JavaScript, TypeScript, eScript, Java Server Faces, APEX, Ruby, Python, R, GO, Kotlin, Groovy, Flex, ActionScript, PowerShell, LUA, HTML5, XML, XPath, JSON, C, C++, PHP, SCALA, Rust, IBM Streams SPL, Objective-C, Objective-C++, SWIFT, COBOL, JCL, RPG, PL/I, ABAP, SAP-HANA, UiPath, BPMN, BPEL, SAIL, PL/SQL, T/SQL, U-SQL, Teradata SQL, SAS-SQL, ANSI SQL, IBM DB2, IBM Informix, MySQL, FireBird, PostGreSQL, SQLite, MongoDB.

exposure

Estimate your Effort

Fully configurable OMG Automated Function Points (AFP) and NESMA FPA (ISO 24570:2018) functionalities are provided as well as a modern software sizing algorithm called Average Programmer Profile Weights (APPW © 2009 by Logical Solutions), a successor to solid ancestor scientific methods as COCOMO, REVIC, COSMIC-FFP and Backfired Function Points, that are also provided applying Motorola© six-Sigma methodology, QSM© and Capers Jones (SRM) algorithms.

network_check

All you need is Quality

Software Security + Software Quality = Software Integrity. Quality Reviewer evaluates regressions and understands changes in the source code using automated Software Metrics visualization (SW complexity, size and structure Metrics, Halstead Metrics, Chidamber & Kemerer, Mood, QMood, Cognitive Metrics), as well as Effort Estimation and reporting features. It helps to keep code entropy under control, be it in house development or outsourced maintenance projects.

call_made

SQALE Dashboard

Security Reviewer is an Official SQALE tool. SQALE is a methodology for reporting Security, Quality, Dead Code and Best practices as well as Technical Debt in a unique Dashboard. Technical Debt is the estimated man-time that would take to fix the issues. Rules and formulas can be created and customized to better match your teams' needs and habits. Nowadays, the Technical-Debt metaphor has been widely adopted by the software industry, standardized by ISO 9126 and ISO 25010.

autorenew

Continuous Integration

Security Reviewer provides seamless bi-directional integration with existing lifecycle tools to make Static Analysis a natural part of your SDLC process, including market-leading CI/CD (Jenkins, CloudBees, Azure DevOps, GitLab CI/CD, Concourse-ci and Atlassian Bamboo among the others), popular IDEs (Eclipse, Visual Studio, IBM Rational Team Concert, NetBeans, Intellij IDEA, etc.), Source Control Management (SCM), Code Coverage, Bug Tracking, Build and Application Lifecycle Management (ALM) solutions. Surface and remediate defects directly from within your Pipeline

developer_board

Flexible Deployment Model

Security Reviewer realises that to gain acceptance within enterprise class IT organizations, deployment models must respect official policies. The external server model sometimes provokes resistance as well as old-fashioned desktop apps. In response to such concerns Security Reviewer has a ‘Hybrid’ deployment strategy, which converts Security Reviewer into a flexible toolset that can adhere to any corporate deployment model. You have REST API ed., Continuous Integration ed., Server ed., Developer ed., Desktop ed. and SR Connect. The last is the hybrid one. SR Connect is built on a set of services according to the Service-Oriented Architecture concept and allows different Security Reviewer user spaces to be hosted independently of each other and to support very large scale deployments. Your source code will never leave your desktop. Reporting is bases on AES-256 encryption through a Secure Channel.

library_books

Software Composition Analysis

96.8% of developers rely on open source components. Security Reviewer SCA analyzes all dependencies of your application on 3rd-party libraries and discovers: Outdated Libraries, Blacklisted Library, Discontinued Libraries, Vulnerable Libraries (OWASP A9 - Avoid Using known vulnerable Components), Vulnerable Frameworks, Blacklisted Licenses, License Conflicts, Suspicious Licenses, Poor Man Copyrights, SPDX Bill Of Materials, etc. publishing results to a bunch of Dashboards, like OWASP Dependency Track, ThreadFix, SonarQube, CodeDx, Micro Focus Fortify SSC, Kenna Security or directly inside your preferred CI/CD platform, like Jenkins, CloudBees, Azure DevOps, Concourse-ci, GitLab CI/CD or Atlassian Bamboo. It supports the larger list of programming languages in the market. Further, Security Reviewer SCA fully integrates with JFrog Artifactory, Sonatype Nexus Pro and OSS Index.

dashboard

Container Security

Containers are becoming the standard form in which applications are packaged and executed, so the need to protect not only the application itself but the entire Container against open source vulnerabilities is growing. With its unique developer-first approach, our solution will seamlessly integrate with the various development and runtime platforms throughout the SDLC – providing Deep Container Analysis, automated vulnerability remediation, thanks to our leading vulnerability database. Support for: Docker, Kubernetes, OpenShift, MesoSphere/D2IQ, Rancher, Quay, Singularity, Pivotal CF and any container compliant to APPC specifications. Developers can do continuous vulnerability detection and remediation in the DevOps pipeline by deploying our plugins for CI/CD tools, or via REST APIs