Policy Enforcement
For security, Parasoft's core static analysis capability
can easily be configured to automatically monitor adherence to
custom security policies. The rule library includes hundreds of rules that deliver "out-of-the-box" monitoring
of many common policy requirements. These static analysis rules can be customized as needed to match specific
policy requirements, and the rule set can be rapidly extended to address even the most complex and unique requirements.
Moreover, rule names, descriptions, and severities can be mapped to the organization's policies,
establishing a fully-customized policy management and reporting interface.
Security Templates
In addition to enforcing organizations' unique security policies, Parasoft's static code analysis automatically
identifies common security vulnerabilities with the most comprehensive static analysis rule set in the industry.
The rules span the industry's most popular technologies and platforms, including Apache Axis, WebSphere,
Hibernate, servlets, Struts, and EJB 3.
Categories of Vulnerabilities Addressed*
- Input-based attacks
- Backdoor vulnerabilities
- Unsafe environment configuration
- Weak security controls
- Deadlocks and race conditions
- Erratic application behavior
- Unsafe error handling and logging
- Exposing sensitive data
Rules for Secure Application Development*
- Protect against injections
- Prevent exposure of sensitive data
- Protect against XSS vulnerabilities
- Encapsulate all dangerous data-returning methods with a validation function
- Do not stop the JVM in a web component
- Avoid using insecure algorithms for cryptography
- Use 'post' instead of 'get' for credential transfers
Templates for Secure Application Development*
- CWE-SANS Top 25
- Cigital
- HIPAA Security Assessment
- NIST SAMATE
- OWASP Top 10
- PCI DSS
- Security Assessment
- Secure Coding Best Practices
- Sun Secure Coding Guidelines
Supported Languages for Secure Application Development
Parasoft's static analysis is supported across:
Secure Application Development Beyond Static Analysis
Secure application development involves more than static analysis. Truly secure application
development requires a mixture of test and analysis methods applied throughout the SDLC,
and also that a broad set of software life cycle management and vulnerability/risk management
activities be integrated across the process to ensure the delivery of secure and reliable software.
Parasoft addresses both of these expectations with its Application Security Solution, which
was recently awarded the Jolt award in the "Security" category. This integrated system extends
Parasoft's static analysis capabilities, providing a pre-configured system with processes
and best practices that help organizations produce secure applications consistently and efficiently.
The complete solution integrates project & task management with a broad spectrum of secure application
development practices—including penetration testing, authentication/encryption/access control validation,
code review, runtime analysis, and more. It drives security tasks to a predictable outcome according to defined
industry standards or management's expectations. This gives organizations the comprehensive process visibility &
control needed to effectively satisfy security requirements.
* These are samples—not a comprehensive list. To see if a specific need is supported, contact Parasoft.