
An easy-to-use domestic static source code scanning tool-DMSCA

2025-04-11 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)06/01 Report--

The Duanma enterprise static source code scanning and analysis service platform (DMSCA) is a platform for scanning and analysing source code for security vulnerabilities, quality defects and logic defects. It is used to identify, track and repair technical and logical defects in source code, so that software development and testing teams can quickly and accurately locate security vulnerabilities, quality defects and business logic defects, and fix them according to the targeted repair suggestions the platform provides, improving the reliability and security of software products. It is also intended to satisfy the compliance requirements of the relevant international and domestic industry standards.

DMSCA is built on Duanma Technology's years of accumulated static analysis technology and R&D effort. Working with a number of well-known domestic and international universities and experts, the company analysed the strengths and weaknesses of existing static analysis techniques and, taking into account the state of current development languages, trends in source code defects and the market, developed a new generation of enterprise source code analysis solution to identify, track and fix technical and logical defects in source code. The vendor states that this solution overcomes the high false positive and false negative rates of traditional static analysis tools, breaks the monopoly of foreign products in the high-end static analysis market, and forms an independently developed and controllable Chinese high-end source code security and quality scanning product. It supports China's own national standards for source code testing (GB/T 34944-2017 for Java, GB/T 34943-2017 for C/C++, GB/T 34946-2017 for C#), and the company is committed to providing more direct and personalised platform customisation and localisation services for enterprises in China.

DMSCA supports scanning and analysis of security vulnerabilities and quality defects in mainstream programming languages, and supports customised platform interfaces, reports and rules to meet customer-specific security policies, security standards and integration with the R&D operating environment. Since its launch the product has been adopted by many customers in China, including but not limited to Fortune 1000 companies in banking, online payment, insurance, power, energy, telecommunications, automotive, media and entertainment, software, services and the military industry.

I. System architecture

II. System components

III. Product interface

IV. Integration with the SDLC

V. Main functions and features

- Operating-system independent. Code scanning does not depend on a specific operating system: once a scanning server is deployed in the enterprise, code from development environments on other operating systems can be scanned.

- Compiler and development-environment independent, so building the test environment is simple, fast and uniform. Because of the platform's virtual compiler technology, code scanning does not rely on a compiler or development environment and does not require installing a compiler and test environment for the code of each development language; users only need to log in to the web server through the client, a browser or the development-environment integration plug-ins.

- Low cost to learn, train on and use, minimising the impact on development schedules. Because the platform is independent of compiler, operating system and development environment, users do not need to learn how to compile, debug or scan code on each platform, nor read through tedious per-platform rule documentation: the end-to-end scanning service only needs the source code to scan, and returns accurate scan results.

- Low false positives. During scanning, the DMSCA enterprise service analyses all paths and variables of the application, verifies whether each possible risk really leads to a security problem, and automatically eliminates noise, so that the scan results are close to the final analysis results. The vendor claims a false positive rate of almost zero. This greatly reduces the labour cost of audit analysis, saves code audit time, and wins more development time for the development team.

- Broad and comprehensive security vulnerability coverage (low false negatives). Hundreds of security vulnerability checks suitable for any organisation support the vulnerability definitions of the latest international authoritative bodies and frameworks such as OWASP, CWE, SANS, PCI, SOX and GDPR, as well as the Chinese national source code security testing standards (GB/T 34944-2017 Java, GB/T 34943-2017 C/C++, GB/T 34946-2017 C#). In addition to the wide vulnerability coverage, a custom query language lets users flexibly formulate the code rules they need, covering the organisation's specific code security and code quality requirements.

- Security query rules are clearly and fully published. Rules are clearly defined, and the definition and implementation of every rule are exposed, so users know exactly how the tool defines a risk, how it finds it, and which language risks it covers; users know what the tool has actually done rather than what it is supposed to do. With a black box, by contrast, the user cannot understand the details and limitations of the tool and cannot compensate for its weaknesses (such as false positives and false negatives) during code audit, for example by using manual review or other means to find problems the tool cannot locate.

- Customising security rules is simple and efficient. Because the details and syntax of all rule implementations are disclosed, users can quickly modify rules or refer to existing rule statements to customise the rules they need; learning and defining rules is simple and efficient, so an organisation's software security strategy can be implemented quickly.

- Business logic and architecture risk investigation. The Duanma code scanning service can perform data-flow impact, control-flow impact and business logic investigation on any code element (token) of all scanned code, analyse the security risks specific to the code's logic and architecture, and finally define rules to accurately find these risks. The vendor describes this as the only static technology that can dynamically analyse business logic and software architecture.

- Attack path visualisation, displayed in 3D. The attack mode and path of each security vulnerability are fully presented in 3D graphics, which facilitates investigation and analysis of security problems.

- Supported mainstream languages: Java, JSP, JavaScript, VBScript, C#, ASP.NET, VB.NET, VB6, C/C++, ASP, PHP, Python, Swift, Ruby, Perl, PL/SQL, Android, OWASP ESAPI, MISRA, Objective-C (iOS), APIs and third-party languages.

- Supported mainstream frameworks: Struts, Spring, iBatis, GWT, Hibernate, Enterprise Library, Telerik, ComponentArt, Infragistics, FarPoint, iBatis.NET, Hibernate.Net [*], MFC. Support for customer-specific frameworks can be quickly customised.

- Service-oriented, with full team scanning support. Runs as a server; developers, managers and auditors can log in to the server from anywhere with their identity credentials for code scanning, security auditing, and team, user and scan task management.

- Highly automated scanning tasks: integration with version control systems (Subversion, TFS, Git, etc.), an SMTP mail server and Windows account management; automatic scanning of code updates, automatic scanning, automatic alerting and automatic email notification.

- Supports multi-task queued scanning, concurrent scanning, cyclic scanning and time-based scheduled scanning, improving team scanning efficiency.

- Cloud service deployment: supports source code security scanning delivered as a cloud service over the Internet.

- Recommends the best repair location, with the graph showing the best repair point.

- Platform customisation: rules, policies, interfaces, reports, processes, specifications and interface integration.
