A couple of years ago I was investigating a security topic when I ran across some research by a company called Secure Decisions that I found quite interesting and relevant. I reached out to the principal investigator – Dr. Anita D’Amico – the subject of this interview, who responded positively and collegially. Fast forwarding from this event to the present, we met again in person at a recent DHS S&T conference where Dr. D’Amico was participating in a panel. After a short discussion at the conference, I realized that Dr. D’Amico’s new venture in leading Code DX’ application security testing offerings is an important capability for any enterprise experiencing issues in their devsecops workflow. Where many security tools fill a niche problem but pile on additional overhead to the overall security burden, Code DX seems to reduce that burden by simplifying the analytics and automating the workflow, thereby really positively compounding the return on investment of the entire tool stack. So read the interview below with Dr. D’Amico to learn more about how Code DX works and the other compelling features of this offering. You can also click on the ad to the right to be transported to Code DX site for more information.
Spotlight on Dr. Anita D’Amico
» Title: Dr. Anita D’Amico, Chief Executive Officer, Code DX
» Website: https://codedx.com/
» LinkedIn: linkedin.com/in/anita-d-amico-1a1b515
Read her bio below.
Chris Daly, Active Cyber™: When did the concept for Code Dx get initiated and what triggered its development? What or who else inspired you along the way in terms of key capabilities and features for Code Dx?
Dr. Anita D’Amico, Chief Executive Officer, Code DX: Code Dx, Inc. began as an initiative by the Department of Homeland Security (DHS), who was (and is) very interested in securing the nation’s software supply chain. They recognized that most data breaches start with an attacker exploiting a software vulnerability and set out to find ways to prevent these malicious attacks. They looked into tools that were available around 2010-2012 and found that most application security testing (AST) tools did not find most of the vulnerabilities, and still don’t today. In fact, each tool found less than 20 percent of the vulnerabilities and a different 20 percent at that. DHS concluded that multiple tools and tests must be run in order to identify most of the vulnerabilities in software. They also realized that there was no way to correlate the results from all of these tools and tests.
To address this issue, DHS funded research to develop a solution that would correlate the results of many different AST tools. The team that performed the $99,000, six-month project, are the people at Code Dx today. Now, many years later with the help of DHS and others, this solution has matured into the Code Dx Enterprise Application Risk Management System.
In addition to DHS driving the initiative that led to the development of Code Dx Enterprise, along the way, we gained valuable insight from our early industry adopters who helped us to determine the essential capabilities for application security management. Every customer of Code Dx is a source of knowledge for us. We are able to learn about the capabilities that best serve their needs the most and we learn about the technical gaps that need to be filled – and we fill them. For example, we learned that mapping software onto regulatory compliance standards was extremely important for many organizations. Therefore, we built in the ability for Code Dx Enterprise to map vulnerabilities to regulatory compliance requirements, such as HIPAA, the DISA-STIG, PCI DSS, and others.
We also learned from our early adopters that it is really important to build metrics into an application security management system. Users want to be able to compare the security of different software projects throughout their organization, know whether there are certain parts of the organization that have more or less secure software, and how frequently AST was being done within their organization. All of these needs led to new capabilities in Code Dx Enterprise.
Active Cyber™: What role does Code Dx play in the appsec testing workflow for agile development? What are some of the key pain points in the devops testing process that can addressed by using Code Dx? What are some other benefits of applying Code Dx to the devops testing process?
Dr. D’Amico: Adding security testing to a fast paced Agile and DevOps workflow isn’t easy, especially when using a diverse set of testing activities, such as Static AST, Dynamic AST, Software Composition Analysis, and manual reviews. Having all an organization’s testing funneled through Code Dx Enterprise helps manage what would otherwise be a chaotic process. The worst thing for a development team is to get a long list of vulnerabilities in their software when they are ready to launch. Code Dx Enterprise allows users to fix vulnerabilities as the code is being written, right there in the development environment. It does this by integrating with Continuous Integration systems like Jenkins and TeamCity, as well as by automatically creating Jira tickets when new security issues are discovered. An important tenet in DevOps is automation, and with Code Dx Enterprise, users can automate all of their security testing – from running tools to automatically creating Jira tickets based on user-defined criteria.
Active Cyber™: What is “hybrid analysis” and why is it important for detecting and managing application vulnerabilities? What is the scope of the types of analysis tools that is covered by Code Dx? Does Code Dx also manage API testing tools and results?
Dr. D’Amico: In short, our hybrid analysis capability combines SAST and DAST, allowing the user to focus on the vulnerabilities proven to be exploitable without doing extensive manual reviews. For example, a static analysis of the source code might say there’s a potential vulnerability on line 25 of file Foo.java. Then, a DAST scan is conducted that says there’s a vulnerability at a given URL. Code Dx Enterprise matches those results in what we call hybrid analysis taking the guesswork out of confirming vulnerabilities and dramatically reducing false positives so that users can fix the confirmed vulnerabilities first. The scope of the analysis is any SAST and DAST tool supported by Code Dx Enterprise, and many of them also cover API testing.
Active Cyber™: What are some of the tools and frameworks that Code Dx comes bundled with and/or integrates with to help automate and speed the flow of the CI/CD testing process? What type of API is used for integration?
Dr. D’Amico: We understand that developers and security experts already have tools that they know and like and in which they have made significant financial and time investments. Therefore, we have chosen to work with those tools that our customers trust. Our list of bundled and supported tools includes more than 70 SAST, DAST and other types of tools; and we continue to grow this list.
Active Cyber™: What compliance standards does Code Dx support? How does the tool enable compliance?
Dr. D’Amico: Mapping vulnerabilities to compliance standards enables an organization to be more focused, providing a starting point for what should be remediated first. If there are 10,000 findings, for example, and 400 are related to PCI-DSS standard which the organization is required to adhere to, they probably want to tackle those first. Code Dx Enterprise checks the codebase against various regulations and standards, such as HIPAA, DISA-STIG, PCI DSS, MISRA among others. Any lines of code that violate those regulations are flagged, and the exact nature of the violation is shown, along with ways to make it compliant. Instead of reading through hundreds of pages of regulations, Code Dx Enterprise enables users to focus on making their application as good (and secure) as it can be.
Active Cyber™: How does Code Dx improve team communication and coordination during testing and remediation? What impact does it have on the security behavior of developers?
Dr. D’Amico: There’s often a communication barrier between security, dev, and ops. Code Dx Enterprise acts as a bridge between these parties by bringing all the data into a single place and allowing disparate teams to collaborate in the systems they are accustomed to. For example, the security team may assign a vulnerability for remediation to the development team within Code Dx Enterprise, which creates a Jira ticket, so the developer treats that just like other features and bug fixes in their development process. Developers can work solely in Jira and Code Dx Enterprise will automatically get updated for the security team to review.
Active Cyber™: What types of visualizations of the testing process does Code Dx provide? What are some of the key metrics that are tracked?
Dr. D’Amico: Code Dx Enterprise offers a comprehensive dashboard as a result of an intense research process where we partnered with cybersecurity visualization experts to study real-life application professionals to determine which metrics are most valuable to them and the most effective way to display them. This dashboard is a central hub for the application security team to help guide them through the entire application security testing process, presenting all the information from multiple testing tools in one place and in a way that makes sense to them. Example metrics include: Risk Score, Open Findings, Finding Count Trend, Average Days to Resolution, Code Metrics, and Analysis Frequency. The dashboard uniquely shows users metrics and information about all of their testing activities, not just reports for single tools. They can explore this data interactively to determine which tools are working well for their AppSec program, and identify security and vulnerability trends. The innovative dashboard also helps to improve communication and transparency; as well as improve coordination of ongoing remediation efforts.
Active Cyber™: What types of implementation and training services are available with Code Dx?
Dr. D’Amico: Code Dx Enterprise is very easy to install and start using. Even though a customer can do it on their own, for big deployments we send our sales engineer to work with the customer for a day to ensure everything is up and running smoothly. This white glove service is a complementary offering for our new customers.
Active Cyber™: What is next on the roadmap for Code Dx? When will infrastructure security testing be incorporated? What integrated or bundled tools and capabilities will this include?
Dr. D’Amico: Recently, we released Code Dx Enterprise version 4.0, which includes network infrastructure support enabling the correlation of results from Nessus, NMap, and more. This capability turns Code Dx Enterprise from an AppSec Vulnerability Management console into an all-in-one cybersecurity risk management system, from which users can manage all of their vulnerabilities and weaknesses in one central location. We continue to expand our offering by adding additional security testing tool support and orchestration, as well as other integration points such as CI plugins and issue trackers. Qualys and Rapid7 support will be available soon.
Active Cyber™: What outreach programs to schools and to the industry, as well as other ecosystem ventures, have you started to improve application security and secure coding practices? What kinds of successes have you seen so far from these programs?
Dr. D’Amico: While Code Dx Enterprise is a commercial product, we firmly believe in the value of open-source software. Code Dx currently maintains two open-source OWASP projects: Code Pulse and Attack Surface Detector. Both of these are used to support application penetration testing. We are delighted to be an active member of OWASP and support these projects. We are also interested in supporting the teaching of application security to future programmers and have made Code Dx Enterprise available to educational institutions for incorporation in their curriculum. Not only is this valuable to the students, we have also found that the students are a good source of feedback for our product development team at Code Dx because they represent novice users and can provide valuable feedback on our product’s usability.
Thank you Dr. D’Amico for this overview of Code Dx’ impressive application security workflow capabilities. Adding the correlation of results from infrastructure scanning tools will make Code DX a truly compelling capability for SOCs as they become more integrated with devops and try to do more with less. I look forward to hearing more about Code DX’ continued success in the market and especially about announcements regarding new products and features as well. And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at Active Cyber™.
About Dr. Anita D’Amico
Dr. Anita D’Amico took on the role of CEO of Code Dx, Inc. after it was spun-out from Applied Visions, Inc. (AVI). She refers to herself as “a starter-upper” who develops a vision and fuels it with the energy, communication, and leadership needed to make that vision a reality. She has done that repeatedly throughout her 35+ years in advanced technology. Anita created the Secure Decisions division of Applied Visions, Inc. in 2000, to develop new technologies to enhance cyber situational awareness, and built it into a recognized leader in government-sponsored cybersecurity research. The technologies that now comprise Code Dx Enterprise, as well as our open-source Code Pulse aid to application penetration testing were originally developed by Secure Decisions under Anita’s leadership.
Although Anita has worked for more than 20 years in the cybersecurity domain—starting as the head of Northrop Grumman’s first Information Warfare team—her background is different from most. She is a human factors psychologist, a specialist in cybersecurity situational awareness, and a security researcher. Anita is an expert in how security decisions are made, and takes on the user’s rather than the engineer’s perspective. At Code Dx, Inc. Anita bridges gaps. She looks for application security barriers and works with the Code Dx team to develop solutions to overcome them. Those barriers could be lack of awareness, cost, difficulty in using AppSec tools and processes, or interpreting the results. To address the awareness gap, Anita has implemented a program that offers Code Dx for free to qualified educational institutions teaching secure coding practices.
She is also bridging gaps between potential customers and access to Code Dx by building a robust reseller program that makes it easier for people in various parts of the world to take advantage of Code Dx’s easy and affordable application vulnerability correlation and management system, and to get support and services from local suppliers. A recent Forbes article named Anita D’Amico as one of “five cool women in security” who serve as role models for young women entering the field.