FREQUENTLY ASKED QUESTIONS
Quick answers to common contractual, implementation and usability questions.
1. What does CodeScan do?
CodeScan analyzes web application source code looking for vulnerable code syntax. Most web application vulnerabilities are based on a range of known conditions, often related to the insecure use of user input. CodeScan identifies common web application security issues at a source code level, including cross-site scripting, SQL injection and many other problems.
2. Can I trial CodeScan?
Trial versions of CodeScan products are available. Please visit www.codescan.com or contact sales@codescan.com for more information.
3. What is the difference between the trial and fully licensed versions of CodeScan?
The trial version of CodeScan is designed for product evaluation purposes only and can be used for up to 30 days from initial use.
4. What happens once my trial has expired?
Once the 30-day trial has expired, you will no longer be able to open the CodeScan application. To continue using CodeScan, please visit www.codescan.com or contact sales@codescan.com to purchase a fully licensed version.
5. How is CodeScan licensed?
CodeScan is licensed on an annual subscription basis. Technical support and software maintenance are included as part of the subscription contract.
6. How can I purchase CodeScan?
For all CodeScan product purchases, visit www.codescan.com or contact sales@codescan.com for purchase information.
7. What languages does CodeScan support?
CodeScan ASP currently supports ASP with VBScript. CodeScan PHP supports PHP 3, 4 and 5. ASP.Net and C#.Net are due for release in 2009.
8. What languages are planned for the future?
Support for ASP JScript, JSP and Java, Cold Fusion, C and C++ is being investigated.
9. Is CodeScan similar to web application scanners, such as WebInspect, @take, ebroxy, avado etc.?
No. Most web application scanning tools assess the security of web applications through sending malformed input and checking the results; therefore they are prone to missing some vulnerable instances. CodeScan works at the source code level, giving it the ability to analyze every line of source. This ensures that CodeScan can detect complicated vulnerability scenarios that may rely on input settings that other assessment tools cannot detect.
10. Is CodeScan more accurate than web application scanners?
Yes. While web application scanners utilize a blacklist of known vulnerabilities, CodeScan checks source code against a white list of known secure coding techniques. Most web application scanners work through sending data from a known bad list of user input to cause detectable errors such as cross-site scripting and SQL injection errors. CodeScan traces all execution paths, detecting the use of user input and verifying the input has been subject to secure filtering routines.
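Questions 1, 9 and 10 describe the approach: follow user input from where it enters the page to where it is used, and accept it only if a white-listed filtering routine appropriate to that use was applied on the way. The block below is an added, heavily simplified Python illustration of that idea, not CodeScan's engine or rule set; it assumes straight-line PHP statements one per line, with constructed source, sink and filter lists and a constructed sample page.

```python
import re

# Constructed model: input sources, and per-sink white list of adequate filters.
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
SINKS = {"echo": ("cross-site scripting", {"htmlspecialchars"}),
         "mysql_query": ("SQL injection", {"mysql_real_escape_string"})}
FILTERS = set().union(*(allowed for _, allowed in SINKS.values()))
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);\s*$")
SINK = re.compile(r"^\s*(echo|mysql_query)\b\s*\(?(.*?)\)?;\s*$")

def taint_of(expr, state):
    """None if expr is clean; else the set of filters already applied to it."""
    filters = None
    for var in re.findall(r"\$\w+", expr):
        if var in SOURCES:
            applied = set()              # raw user input, nothing applied yet
        elif state.get(var) is not None:
            applied = state[var]
        else:
            continue                     # never tainted, or reassigned a clean value
        # A concatenation keeps only the filters common to all tainted parts.
        filters = applied if filters is None else filters & applied
    call = re.match(r"\s*(\w+)\s*\(", expr)   # outermost call wrapping the value
    if filters is not None and call and call.group(1) in FILTERS:
        filters = filters | {call.group(1)}
    return filters

def scan(php_lines):
    """Walk straight-line PHP statements; report input reaching a sink unfiltered."""
    state, findings = {}, []             # variable -> filters applied (None = clean)
    for lineno, line in enumerate(php_lines, 1):
        if m := ASSIGN.match(line):
            var, expr = m.groups()
            state[var] = taint_of(expr, state)
        elif m := SINK.match(line):
            sink, expr = m.groups()
            t = taint_of(expr, state)
            if t is not None and not (t & SINKS[sink][1]):
                findings.append((lineno, SINKS[sink][0]))
    return findings

SAMPLE_PHP = """\
$name = $_GET['name'];
$safe = htmlspecialchars($name);
echo $safe;
echo $name;
$u = mysql_real_escape_string($_POST['user']);
mysql_query("SELECT * FROM users WHERE name='" . $u . "'");
$h = htmlspecialchars($_GET['c']);
mysql_query("SELECT * FROM t WHERE c='" . $h . "'");
mysql_query("SELECT * FROM t WHERE id=" . $_GET['id']);
""".splitlines()
```

Running scan(SAMPLE_PHP) flags line 4 (unfiltered input echoed), line 8 (an HTML filter does not satisfy the SQL sink's white list) and line 9 (raw input in a query), while lines 3 and 6 pass because the filter matches the sink.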
11. I already use a web application scanner, why should I use CodeScan?
CodeScan is designed to be used at early phases of the development lifecycle enabling security to be designed into the code, as well as being used in both test and production environments. Testing ‘security at the source’ enables reductions in application development costs, is more accurate in testing for security weaknesses, and complements traditional operational testing such as network or application intrusion testing and scanning.
12. What doesn’t CodeScan do?
CodeScan does not detect server or network vulnerabilities. It is only interested in the web application source code, not the platform or server that the application will run on. Due to the integrated nature of security between the application and the server configuration however, CodeScan will provide information as to how to appropriately secure the server environment to suit the application source code functionality.
13. Who should use CodeScan?
CodeScan has been developed for multiple purposes. Firstly, when used by developers during the application development lifecycle it helps with the development of more secure web applications. Secondly, CodeScan is designed for use by consultants and auditors in auditing existing code for security weaknesses.
14. Can CodeScan assure security of my web applications?
To an extent, CodeScan can accurately identify security weaknesses, fix holes and provide remediation advice. Ultimately, CodeScan should be wrapped around an integrated secure development framework, which incorporates:
- Identification of security requirements from initial project conception.
- Increased developer awareness and skill in secure coding.
- Increased awareness of project managers and business analysts of designing, managing and verifying security requirements.
- Implementation of an iterative testing, review and verification regime.
15. Does CodeScan detect every vulnerability?
CodeScan works from a set of rules that we are constantly expanding, but can only detect vulnerabilities for the rules that are installed on your system.
16. How often will updates be made available?
Our researchers at CodeScan Labs are working to provide signature updates as frequently as possible based on new vulnerability discoveries and rules. New versions of the CodeScan engine will be released as new functionality and features become available.
17. Does CodeScan have an automatic update process, or contact CodeScan Labs in any way?
There is no overt or covert functionality in current versions to talk back to CodeScan Labs. Future versions will have an update feature built in to enable seamless updates of rule sets and maintenance updates. However, there will be no unprompted communication from the CodeScan application back to CodeScan Labs. CodeScan contains no adware or spyware.
18. Can I add custom rules to CodeScan?
No, the CodeScan rule creation interface is not available to the end user, but if you feel that you may require a specific rule please contact us at support@codescan.com to discuss this further.
19. What happens if I find a vulnerability in my code that CodeScan has missed?
Due to the numerous different styles and formats that source code can be written in, it is possible that CodeScan may not detect a vulnerability that it should. While we strive to ensure the accuracy of vulnerability detection, any false negatives should be reported to support@codescan.com, so we can increase the accuracy of our product. We value customer input and feedback for our products.
20. Is there a maximum source code size that CodeScan can handle?
Theoretically, there is no upper limit to the size of the application source code that can be handled by CodeScan. However, testing to date has been limited to upper sizes of 500 page web applications, or approximately 100,000 lines of code. Performance is generally only limited by the performance of the workstation running the CodeScan application.
21. What are the minimum machine specifications to run CodeScan Developer?
CodeScan requires Windows 2000, XP or above. The basic installation requires approximately 20 MB of disk space plus additional space to store vulnerability information. Recommended hardware requirements are a minimum 1.8 GHz CPU, 2 GB RAM and 500 MB of disk space. CodeScan will run within most virtual machine environments; however, please contact support@codescan.com if you encounter any issues.
22. Does CodeScan Labs have any access to results of scans performed by CodeScan against my source code?
No. All results are held locally by the customer. No information around results or scanned source code is passed to CodeScan Labs in any way, shape or form.
Next Steps
Every organisation's needs and uses for CodeScan vary. Contact Us to discuss opportunities, benefits and implementation of CodeScan.