NO SECURITY EXPERIENCE NEEDED
Learn from SATriage
SATriage is the first automated triage tool created by developers for developers. Rich, comprehensive, yet easy-to-follow reporting provides all of the information needed to triage a finding the way a security expert would, even without previous experience. Reports were designed specifically to educate developers, giving a full understanding of the attacks, consequences, risks, and priorities of each defect.
Sample SATriage Defect Report
Defect Description
CWEs: 625, 185
Defect name: Permissive Regular Expression, Incorrect Regular Expression
Location: my_project_directory/my_code.java: 244
Priority: Minor 1
Priority Assessment: Context ↓ Severity ↑↑ Ease of Exploit ↓↓↓ Confidence ↑
Risk Assessment
This defect’s greatest risk factor for your application is:
Denial of Service
which is very important for your application.
The risk is offset by the low likelihood of the consequence.
The defect most likely results in:
Incorrect Answers
The risk is also offset by the difficulty of exploitation.
Priority Assessment
The following attributes are greatly increasing the importance of the defect:
Severity of Consequence
The following attributes are significantly increasing the importance of the defect:
Likelihood of False Positive
The following attributes are significantly decreasing the importance of the defect:
Contextual Importance
The following attributes are tremendously decreasing the importance of the defect:
Ease of Exploitation
Duplicates
SAST1 found 39 duplicate defects at this location, all of the same type. Line 224 of file my_project_directory/my_code.java is where the defect becomes an issue (the sink). Each duplicate entry describes a different place in the code base where the data that reaches line 224 of my_project_directory/my_code.java is set (a source). In other words, these are the different paths through the code that can lead to the defect.
Description Alignment
This defect aligns best with CWEs 625, 185
SAST1 suggests that this defect aligns with CWEs 85, 73
SAST2 suggests that this defect aligns with CWEs 624
SAST3 suggests that this defect aligns with CWE 625
SAST 1 Assessment
SAST1 elevates the importance of this defect because it does not consider the factors above that decrease the defect's importance.
SAST2 Assessment
Time Saver: SAST2 overstates the importance of this defect.
SAST3 Assessment
SAST3 only found this defect under a high false positive setting, even though the defect's expected false positive rate is low.
SAST3 diminishes the importance of this defect because it does not consider the factors above that increase the defect's importance.
Architectural Assessment
This defect is not architectural.
Detailed Defect Description
For more information on the CWE defect description, visit
http://cwe.mitre.org/data/definitions/625.html
http://cwe.mitre.org/data/definitions/185.html
Examples
For more information on the CVE examples of this defect, visit
http://cvedetails.com/cwe_details/625/cwe.html
http://cvedetails.com/cwe_details/185/cwe.html
Attack Assessment
For more information on the CAPEC attack vectors associated with this defect, visit
http://capec.mitre.org/data/definitions/6.html
http://capec.mitre.org/data/definitions/15.html
http://capec.mitre.org/data/definitions/79.html
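As an added illustration of the defect class in this sample report, and not the code at my_project_directory/my_code.java or anything SATriage produced: a constructed Python validator whose unanchored pattern gives the "Incorrect Answers" the report names (CWE-625), a nested-quantifier pattern that produces the "Denial of Service" consequence through catastrophic backtracking (CWE-185), and hardened forms of both. The identifier rule, the 32-character bound and the sample inputs are made up for the example; java.util.regex is also a backtracking engine, so the same patterns behave the same way in Java.

```python
import re
import time

# Constructed example of CWE-625 / CWE-185. Not the code the sample report
# refers to (line 244 of my_code.java is not shown on the page).

# Permissive (CWE-625): no anchors, so search() succeeds whenever the input
# merely CONTAINS a valid identifier. This is the "Incorrect Answers" outcome:
# "user; rm -rf /" is accepted because "user" matches somewhere inside it.
PERMISSIVE = re.compile(r"[a-z][a-z0-9_]*")

# Hardened: fullmatch() anchors both ends, and the quantifier is bounded so the
# pattern itself limits how much work the engine can do.
MAX_IDENTIFIER_LEN = 32                      # assumed policy for this example
STRICT = re.compile(r"[a-z][a-z0-9_]{0,31}")  # 1 + 31 = MAX_IDENTIFIER_LEN

# Incorrect (CWE-185): "word, optional space" repeated. Correct on valid input,
# but on a near miss (valid words followed by one illegal character) the engine
# retries every way of splitting the words: 2^(n-1) attempts for n characters.
# That is the "Denial of Service" outcome in the report.
NESTED = re.compile(r"^(\w+\s?)*$")

# Linear rewrite of the same rule: words separated by exactly one space, so
# there is only one way to consume any given input.
LINEAR = re.compile(r"^\w+(?: \w+)*$")


def accepts_permissive(value: str) -> bool:
    return PERMISSIVE.search(value) is not None


def accepts_strict(value: str) -> bool:
    # Cheap length check before the regex engine runs: the first line of
    # defence against regex-based denial of service, whatever the pattern.
    if len(value) > MAX_IDENTIFIER_LEN:
        return False
    return STRICT.fullmatch(value) is not None


def match_seconds(pattern: re.Pattern, text: str) -> float:
    """Wall-clock time for one search; used only to show backtracking growth."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


# Constructed inputs with the answer a correct validator must give.
SAMPLES = [
    ("report_2024", True),
    ("x", True),
    ("1abc", False),             # identifiers must start with a letter
    ("user; rm -rf /", False),   # command delimiters, cf. CAPEC-15
    ("../etc/passwd", False),    # path traversal payload embedded in the value
    ("ok" + "_" * 40, False),    # exceeds the length bound
]


def wrong_answers(checker) -> list:
    """Inputs on which `checker` disagrees with the intended rule."""
    return [value for value, expected in SAMPLES if checker(value) != expected]


if __name__ == "__main__":
    print("permissive misclassifies:", wrong_answers(accepts_permissive))
    print("strict misclassifies:    ", wrong_answers(accepts_strict))
    for n in (10, 14, 18):
        near_miss = "a" * n + "!"
        print(f"n={n:2d}  nested={match_seconds(NESTED, near_miss):.4f}s"
              f"  linear={match_seconds(LINEAR, near_miss):.6f}s")
```

Running the block shows the permissive pattern accepting four of the six inputs it should reject while the strict one gets all six right, and the nested pattern's match time roughly doubling with every character added to the near-miss input while the linear rewrite stays flat. The two hardening moves are independent: anchoring and bounding the pattern fixes the incorrect answers, and checking the length before matching (plus avoiding ambiguous nested quantifiers) removes the denial-of-service exposure even when a pattern is later edited.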
Prior to SATriage, security testing was often placed outside of the daily DevOps environment, since extended manual triage efforts could not keep up with a daily process. SATriage's speed (seconds) and accuracy immediately change this, placing security firmly within the DevOps process without compromising its rapid response requirements.