Making feature-rich, highly usable, performant software is far from complete without security, because tens of thousands of precious development hours mean nothing when someone hacks your software, ruining your business and reputation.
It is easier to stay one step ahead of attackers when the software's own stakeholders have the upper hand: the authority to implement, test and protect the code itself.
CodeThreat statically tests your code and helps you locate, prioritize and mitigate security weaknesses.
CodeThreat is a static application security testing (SAST) solution. It uses established, approximating analysis techniques to analyze a codebase at rest, collects security-related information, calculates data flows, searches for various well-known security weaknesses and, as a result, produces claims. These claims state whether the targeted codebase is vulnerable to the scoped weaknesses or not.
With the CodeThreat custom rule engine, we offer wide language and framework support without sacrificing quality.
A critical question that every security static code analyzer has to answer is this: how well do I track attacker-controlled input values across the target software?
The answer determines the quality of the solution, because if we can't trace data across a codebase, then we can't locate a true bug. One way to answer this question is the Youden Index, an accepted way of summarising the performance of a diagnostic test; the diagnostic test in our case is security static code analysis. An open testbed is required to measure the quality of a solution's data tracing and to use it as a yardstick for comparison with others.
So, we developed and published FlowBlot open for everyone.
The graphic on the right presents a comparison of popular security code analyzers against FlowBlot using their normalized Youden Indexes. You can also try your own static code analyzer against FlowBlot to see how well it actually performs at tracing data. You can read our blog to learn more about terms such as precision, soundness, false positives and false negatives.
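As an added illustration of how a data-flow testbed such as FlowBlot turns a scanner's report into a Youden Index (this is not CodeThreat or FlowBlot code, and the case ids, testbed and scanner findings are constructed for the example):

```python
# Added illustration (not CodeThreat or FlowBlot code): scoring a SAST tool's
# data-flow tracing against a labelled testbed with Youden's index.
# Case ids, the testbed and the scanner findings below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    """One testbed case: a source-to-sink flow that is or is not exploitable."""
    case_id: str
    vulnerable: bool  # ground truth: does tainted input really reach the sink?


def confusion_counts(cases, flagged_ids):
    """Return (tp, fp, tn, fn) for a scanner's flagged case ids.

    A flagged safe case (e.g. a flow the testbed sanitizes but the tool did not
    model) is a false positive; an unflagged vulnerable case is a false negative
    (the tool lost the taint somewhere along the flow).
    """
    tp = fp = tn = fn = 0
    for case in cases:
        flagged = case.case_id in flagged_ids
        if case.vulnerable:
            tp, fn = (tp + 1, fn) if flagged else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if flagged else (fp, tn + 1)
    return tp, fp, tn, fn


def youden_index(tp, fp, tn, fn):
    """Youden's J = sensitivity + specificity - 1 (1 = perfect tracer, 0 = random)."""
    sensitivity = tp / (tp + fn) if tp + fn else 0.0  # true positive rate
    specificity = tn / (tn + fp) if tn + fp else 0.0  # true negative rate
    return sensitivity + specificity - 1.0


# Constructed testbed: 6 vulnerable flows and 4 safe (sanitized) flows.
TESTBED = [Case(f"vuln-{i}", True) for i in range(1, 7)] + [
    Case(f"safe-{i}", False) for i in range(1, 5)]

# Constructed scanner output: traced 5 of 6 real flows, flagged 1 safe flow.
SCANNER_FINDINGS = {"vuln-1", "vuln-2", "vuln-3", "vuln-4", "vuln-6", "safe-2"}


def score(cases=TESTBED, flagged_ids=SCANNER_FINDINGS):
    return youden_index(*confusion_counts(cases, flagged_ids))
```

A tool that reports every flow as vulnerable scores sensitivity 1 but specificity 0, so J stays at 0, which is why the index rewards genuine taint tracking rather than noisy over-reporting.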
With CodeThreat IDE plugins, developers can security-check their own code within their IDE, such as Visual Studio or IntelliJ IDEA, before anyone else sees it, including testers, security auditors and, of course, attackers. Each issue is coupled with a description, mitigation advice and reports to help developers gain a proper perspective.
With the CodeThreat Standalone Analyzer (CLI), you can easily test your code for security issues with or without your favorite continuous integration tool. Armed with detailed reporting capabilities, you can inform all the related project stakeholders and prevent a critical security issue from accidentally slipping into your production environment.
Development shops may need to handle many codebase updates daily. CodeThreat provides ready-to-use DevOps plugins and APIs to help maintain security without breaking your software delivery cycles. You can use our DevOps plugins to deliver stable, vulnerability-free software products to your customers from within your development pipelines.
CodeThreat provides a web portal that software security stakeholders use to manage reported code issues, view secure development performance, integrate with third-party SIEM or ticketing solutions, and consume data through a rich API. The portal also presents a variety of ready-to-use analytic reports, such as root cause and trend diagrams.
The CodeThreat engine is very easy to install. Moreover, there is no build requirement: just point CodeThreat at where the code resides and get results.
You can extend the features of CodeThreat against issues specific to your codebase, such as writing custom rules and fine-tuning dynamic trust levels for better prioritization.
The same security issue can pose different security risks across, and even within, software projects. CodeThreat has a dynamic risk calculation method built into its core.
CodeThreat employs innovative and intuitive static code analysis techniques in order to calculate data flows and collect security related information for security weaknesses.
Bedirhan Urgun has been working in the field of software security for over 15 years. He holds a BS in Computer Science from Bilkent University and an MS in Computer Engineering from WSU. While software security training and static code analysis form the foundation of his career, he has also taken on responsibilities in vulnerability management and penetration testing. He believes in sincere, collective hard work and is thrilled to be part of CodeThreat, mentoring and supporting passionate individuals towards their vision in the field of software security.
Selahattin Zoralioğlu holds a BS in Industrial Engineering from Bosphorus University in Istanbul and an MBA from the Kellogg School of Management. During his tenure with Pamplona Capital, a private equity fund based in London, he successfully invested in Europe and also led the fund's investment efforts in Turkey. He also worked in the investment banking division of Merrill Lynch in London, focusing on mergers and acquisitions, and at McKinsey & Company, focusing on strategy development and operational improvement for companies in Turkey and the Gulf region.
Deniz Çevik is an information security expert with over 20 years of experience at all levels of the professional hierarchy. He holds a BS in Computer Engineering from Trakya University and an MBA from Yeditepe University. He has extensive practical knowledge gained from thousands of penetration tests and consultancy engagements. He is the CTO of BizNet Bilişim. As part of the CodeThreat vision, he brings a vast amount of practical knowledge of security vulnerabilities to the software security table and customer success experience to the product roadmap.