NO SECURITY EXPERIENCE NEEDED
Learn from SATriage
SATriage is the first automated triage tool created by developers for developers. Its rich, comprehensive, yet easy-to-follow reports provide all of the information needed to triage a defect like a security expert, even without previous security experience. Each report is written specifically to educate developers, giving a full understanding of the attack, its consequences, the risk, and the priority of each defect.
Sample SATriage Defect Report
CWEs: 625, 185
Defect name: Permissive Regular Expression, Incorrect Regular Expression
Location: my_project_directory/my_code.java: 244
Priority: Minor 1
Priority Assessment: Context ↓ Severity ↑↑ Ease of Exploit ↓↓↓ Confidence ↑
This defect’s greatest risk factor for your application is:
Denial of Service
which is very important for your application.
The risk is offset by the low likelihood of the consequence.
The defect most likely results in:
The risk is also offset by the difficulty of exploitation.
The following attributes are greatly increasing the importance of the defect:
Severity of Consequence
The following attributes are significantly increasing the importance of the defect:
Likelihood of False Positive
The following attributes are significantly decreasing the importance of the defect:
The following attributes are tremendously decreasing the importance of the defect:
Ease of Exploitation
SAST1 found 39 duplicate defects at this location, all of the same type. Line 244 of my_project_directory/my_code.java is where the defect becomes an issue; each duplicate entry points to a different place in the code base where the data that causes the defect at line 244 is set. In other words, the duplicates are the different paths through the code that can lead to the defect.
This defect aligns best with CWEs 625, 185
SAST1 suggests that this defect aligns with CWEs 85, 73
SAST2 suggests that this defect aligns with CWE 624
SAST3 suggests that this defect aligns with CWE 625
SAST Assessment
SAST1 overstates the importance of this defect because it does not consider the factors above that decrease the defect's importance.
Time Saver: SAST2 overstates the importance of this defect.
SAST3 only reports this defect at a high false-positive setting, even though the defect's expected false-positive rate is low.
SAST3 understates the importance of this defect because it does not consider the factors above that increase the defect's importance.
This defect is not architectural.
Detailed Defect Description
For more information on the CAPEC attack vectors associated with this defect, visit
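The sample report above flags a permissive regular expression (CWE-625) alongside an incorrect one (CWE-185), with denial of service as the leading consequence. The following Python example is added here to show what those two defect classes look like in code next to the corrected form; it is not SATriage output and not the sample my_code.java. The order-ID validator, the pattern names and the test inputs are all constructed for illustration.

```python
"""Permissive vs. incorrect vs. correct regular expressions (CWE-625, CWE-185).

Hypothetical order-ID validator; every input below is constructed for this example.
"""
import re
import time

# Constructed inputs: one well-formed ID and three payloads a validator should reject.
GOOD = "ORD-000123"
TRAILING_JUNK = "ORD-000123; rm -rf /"
LEADING_JUNK = "junk ORD-000123"
TRAILING_NEWLINE = "ORD-000123\n"

# CWE-625 (permissive): no anchors, so search() only needs a match somewhere in the string.
PERMISSIVE = re.compile(r"ORD-\d{6}")

# CWE-185 (incorrect): looks anchored, but in Python `$` also matches just before a
# trailing "\n", so an ID followed by a newline passes and can smuggle a second line
# into whatever consumes the value (logs, shell commands, headers).
INCORRECT = re.compile(r"^ORD-\d{6}$")

# Corrected: fullmatch() requires the entire string to match, so no anchor subtleties apply.
STRICT = re.compile(r"ORD-\d{6}")


def permissive_ok(s: str) -> bool:
    return PERMISSIVE.search(s) is not None


def incorrect_ok(s: str) -> bool:
    return INCORRECT.match(s) is not None


def strict_ok(s: str) -> bool:
    return STRICT.fullmatch(s) is not None


# The report's "Denial of Service" consequence: a pattern with nested quantifiers
# backtracks exponentially on a non-matching input such as "aaaa...a!" because the
# engine tries roughly 2^(n-1) ways of splitting the run of a's between the groups.
# Python's re module has no step limit, so the caller simply stalls.
REDOS = re.compile(r"^(a+)+$")
LINEAR = re.compile(r"^a+$")  # accepts the same strings, no nested quantifier


def timed_match(pattern: re.Pattern, text: str) -> tuple[bool, float]:
    """Return (matched, seconds) so the two equivalent patterns can be compared."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    inputs = (GOOD, TRAILING_JUNK, LEADING_JUNK, TRAILING_NEWLINE)
    for name, check in (("permissive", permissive_ok),
                        ("incorrect", incorrect_ok),
                        ("strict", strict_ok)):
        print(f"{name:10s}", [check(s) for s in inputs])
    evil = "a" * 22 + "!"
    print("nested quantifier:", timed_match(REDOS, evil))
    print("single quantifier:", timed_match(LINEAR, evil))
```

Only the strict validator rejects all three payloads; the permissive pattern accepts everything that merely contains an ID, and the "anchored" pattern still lets the newline-terminated value through. The two DoS patterns accept exactly the same language, yet the nested-quantifier form takes visibly longer to reject a 22-character non-matching string while the single-quantifier form fails immediately.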
Before SATriage, security testing often sat outside the daily DevOps cycle because extended manual triage could not keep up with a daily process. SATriage's speed (seconds) and accuracy change that, placing security firmly within the DevOps process without affecting its rapid-response requirements.