We have built an environment that is just like an IDE, but tailored for security work. The added features help security experts with code review in many ways.
Not by fully automating: we see that fully automated tools are simply not good enough: too many false positives, while at the same time missing vulnerabilities.
We believe in the symbiotic cooperation of man & machine. Our review environment therefore augments the work of the human security expert.
The features of the review environment automate part of the human work, making code review more fun. And more efficient and effective: up to a 100% performance increase.
How does our technology work?
The review environment helps security analysts codify their knowledge. This is best illustrated by the fundamental feature of the review environment: the ability to set codemarks. With a codemark you highlight a piece of code as 'interesting' from a security perspective. You describe the security implication of that piece of code, and link it to other codemarks to mark a vulnerable path through the codebase.
We believe that the life of security experts (and their customers...) can be made a lot easier. An example is how the review environment enables communicating vulnerabilities to the final beneficiary: the software developer.
Currently, the result of a pentest or vulnerability scan is a thick report. With the review environment, you bundle codemarks into a vulnerability, and can easily send that vulnerability to the issue tracker of the software developer.
The review environment has many more features, some small and some high-impact. All these features contribute to a better performing security expert, in three ways:
1. Increased performance
Security experts rarely have enough time for all the work there is in the market. Even a 30% increase would already have a great impact on the market. The review environment helps you work up to 2x faster, and up to 10x faster for specific tasks.
2. Improved cooperation
Working with codemarks makes it possible to work together in the same codebase. Seniors can check the work (= the codemarks) of juniors and give feedback. And since the review environment is web-based, real-time cooperation is possible.
3. Less hassle, more fun
In our ideal world security experts and ethical hackers just focus on the puzzle, not the hassle (of setting up projects, writing reports, etc.). The review environment enables that, so experts can focus on the fun stuff.
The software security industry is a young industry, so it makes sense that efficiency was never a high priority. Now things have changed. High-value software deserves high-value security review. So it is time for an efficiency increase.
The review environment is web-based and hosted in the cloud. With Git being so commonly used, sharing code online is not as big an issue as it was 5 years ago.
We do realize that for some companies it might still be challenging to host all the software (of their customers) in the cloud. We also offer on-premise solutions to host the review environment at a location of your choice, so contact us to discuss how that is possible for you.
Is the review environment for all languages?
Yes, the review environment can be used for all languages. Most features (e.g. codemarks) are language independent. Some of our features (e.g. taint analysis) work slightly differently in each language, so there we have to adjust the feature per language. Let us know if you want to know whether a specific feature is available for the language you need it in.
Is the review environment finished?
As all software developers know, of course our 'baby' is never finished. And in our case that is even more so, since there are so many features still to be built. However, the review environment is ready to use. We have been using the review environment ourselves since early 2021, and love the way it works. But it's never perfect, and it might have small bugs at the moment (mid-2022). We realise that, and that's why we react very quickly to bug reports (and that's also why we give quite interesting discounts for now).
Is source code safe in the review environment?
Good question, we always like to talk about OUR security :).
Without going into detail here: we know what secure software looks like, so of course we wrote the software in a secure way. But we also realize that it's difficult to review your own code, so we invite external hackers to do a pentest on our environment. If you want to know more, let us know.
Is the review environment locally hosted or in the cloud?