The Top Eleven CodeScan Frequently Asked Questions

  1. What does CodeScan do?

    CodeScan analyzes web application source code looking for insecure coding patterns. Most web application vulnerabilities arise from a range of known conditions, most often the unsafe handling of user input. CodeScan identifies common web application security issues at the source code level, including cross-site scripting, SQL injection and many other problems.

  2. Can I trial CodeScan before I buy?

    Absolutely! Simply follow the registration process through the Get CodeScan link.

  3. What languages does CodeScan Support?

    CodeScan currently supports ASP with VBScript, ASP.NET C# as well as PHP 3, 4 and 5.

  4. I’m having trouble activating my copy of CodeScan Developer – what can I do?

    The most common cause of activation failure is an internet connectivity problem. Click on, or paste into your browser, the following URL: https://ws2.codescan.com:5724. You should see “OK” appear in your browser.
    If you do not see “OK”, check your internet connection, firewall settings and proxy to make sure outbound connections to the above host on port 5724 are allowed. If you are still experiencing problems, contact support@codescan.com.

  5. I’m having trouble activating my copy of CodeScan Visual Studio – what can I do?

    The most common cause of activation failure is an internet connectivity problem. Click on, or paste into your browser, the following URL: https://ws1.codescan.com. You should see “OK” appear in your browser.
    If you do not see “OK”, check your internet connection, firewall settings and proxy to make sure outbound connections to the above host on the standard HTTPS port (443) are allowed. If you are still experiencing problems, contact support@codescan.com.

  6. Is CodeScan similar to web application scanners, such as Qualys, Acunetix, WebInspect etc?

    No. Most web application scanning tools assess the security of a running application by sending malformed input and checking the responses, so they can only find a vulnerability whose trigger they happen to send; vulnerable code they never reach goes unreported. CodeScan works at the source code level, which lets it analyze every line of source, including code paths that are only reached under particular configuration or input conditions that a black-box scanner may never trigger.

  7. Is CodeScan more accurate than web application scanners?

    Yes. Web application scanners work from a blacklist: they send payloads from a list of known-bad user input and look for detectable symptoms such as a reflected script or a database error, so anything their payload list does not provoke is missed. CodeScan instead checks source code against a whitelist of known secure coding techniques. It traces all execution paths, detects where user input enters the application and verifies that the input has passed through a secure filtering routine before it reaches a dangerous operation such as a database query or page output.
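    To make the distinction drawn in questions 6 and 7 concrete, here is a small path-sensitive taint tracker written for this page as an illustration; it is not CodeScan's code, and the statement format, the sanitizer whitelist and the sample program are all constructed for the example. It walks every branch of the program, marks data that originates from user input, and clears that mark only when the data passes through a routine on the whitelist for the sink class it later reaches, so an HTML escaper placed in front of a SQL query is still reported, and a branch a black-box scanner never exercises is still checked.

```python
"""Illustrative path-sensitive taint tracker (added example, not CodeScan's code).

Constructed sample, modelled on PHP (not real application code):
 1  $id = $_GET['id'];
 2  if ($debug) {
 3      $q = "SELECT * FROM t WHERE id=" . $id;              // unsanitized
 4  } else {
 5      $q = "SELECT * FROM t WHERE id=" . intval($id);      // sanitized for SQL
 6  }
 7  mysql_query($q);
 8  $name = htmlspecialchars($_GET['name']);
 9  echo $name;                                               // HTML-escaped: safe
10  mysql_query("SELECT * FROM u WHERE n='" . $name . "'");  // wrong sanitizer for SQL
"""

# Whitelist: the routines accepted as sanitizers for each sink class (assumed set).
SANITIZERS = {
    "sql":  {"intval", "mysql_real_escape_string"},
    "html": {"intval", "htmlspecialchars"},
}


def eval_taint(expr, env):
    """Return the set of sink classes for which `expr` is still unsafe.

    Expressions are tuples: ("source", name), ("const", text), ("var", name),
    ("concat", e1, e2, ...) or ("call", fn, arg).
    """
    kind = expr[0]
    if kind == "source":          # user input: unsafe for every sink class
        return set(SANITIZERS)
    if kind == "const":
        return set()
    if kind == "var":
        return set(env.get(expr[1], set()))
    if kind == "concat":          # taint in any part taints the whole string
        return set().union(*(eval_taint(e, env) for e in expr[1:]))
    if kind == "call":            # a sanitizer clears taint only for the classes it is whitelisted for
        fn, inner = expr[1], eval_taint(expr[2], env)
        return {cls for cls in inner if fn not in SANITIZERS[cls]}
    raise ValueError("unknown expression kind: %r" % kind)


def analyze(stmts, env=None, path=()):
    """Walk every execution path; return (line, sink, class, path) findings.

    Statements: ("assign", var, expr), ("sink", line, fn, class, expr) or
    ("if", then_stmts, else_stmts). `path` records which branches were taken.
    """
    env = dict(env or {})
    findings = []
    for i, st in enumerate(stmts):
        if st[0] == "assign":
            env[st[1]] = eval_taint(st[2], env)
        elif st[0] == "sink":
            _, line, fn, cls, expr = st
            if cls in eval_taint(expr, env):
                findings.append((line, fn, cls, path))
        elif st[0] == "if":
            # Fork: analyze the rest of the program once per branch, so a sink after
            # the if/else is checked under both the sanitized and unsanitized state.
            rest = stmts[i + 1:]
            for label, branch in (("then", st[1]), ("else", st[2])):
                findings += analyze(branch + rest, env, path + (label,))
            return findings
    return findings


SELECT = ("const", "SELECT * FROM t WHERE id=")
PROGRAM = [
    ("assign", "id", ("source", "$_GET['id']")),
    ("if",
     [("assign", "q", ("concat", SELECT, ("var", "id")))],
     [("assign", "q", ("concat", SELECT, ("call", "intval", ("var", "id"))))]),
    ("sink", 7, "mysql_query", "sql", ("var", "q")),
    ("assign", "name", ("call", "htmlspecialchars", ("source", "$_GET['name']"))),
    ("sink", 9, "echo", "html", ("var", "name")),
    ("sink", 10, "mysql_query", "sql",
     ("concat", ("const", "SELECT * FROM u WHERE n='"), ("var", "name"), ("const", "'"))),
]

if __name__ == "__main__":
    for line, fn, cls, path in analyze(PROGRAM):
        print("line %d: %s reached by %s-tainted data via %s" % (line, fn, cls, "/".join(path)))
```

    Running it reports line 7 on the `then` path only (the `else` path sanitized `$id` with `intval`), reports nothing for the `echo` on line 9, and reports line 10 on both paths because `htmlspecialchars` is not on the SQL whitelist. A payload-driven scanner would only see line 7 if it happened to run with `$debug` set, and would only see line 10 if its SQL payloads survived HTML escaping.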

  8. I already use a web application scanner, why should I use CodeScan?

    CodeScan is designed to be used in the early phases of the development lifecycle, so that security is designed into the code, and it can also be used in test and production environments. Testing 'security at the source' finds weaknesses before they reach test or production, which reduces application development costs, tests for security weaknesses more accurately, and complements traditional operational testing such as network or application intrusion testing and scanning.

  9. Who should use CodeScan?

    CodeScan has been developed for multiple purposes. Firstly, when used by developers during the application development lifecycle it helps with the development of more secure web applications. Secondly, CodeScan is designed for use by consultants and auditors in auditing existing code for security weaknesses.

  10. Can CodeScan assure security of my web applications?

    To an extent. CodeScan can accurately identify security weaknesses and provide remediation advice for fixing them. Ultimately, it should be embedded in an integrated secure development framework that incorporates:

    • Identification of security requirements from initial project conception.
    • Increased developer awareness and skill in secure coding.
    • Increased awareness among project managers and business analysts of how to design, manage and verify security requirements.
    • Implementation of an iterative testing, review and verification regime.