The Business Challenge
A fast, repeatable process for prioritizing weaknesses.
Everyone knows that software security is important, but most don’t realize how difficult it is to test code for weaknesses. There are lots of good tools that automate software testing, but using them isn’t easy. The most significant problem with AppSec isn’t securing the code; it’s managing the tools that find the weaknesses and prioritizing the results from all of those tools in a way that’s fast and repeatable at scale.
The Goal
Identifying weaknesses in code, autonomously.
Code Dx wanted to produce a software platform to automate the AppSec process—accurately, quickly, and at scale. It had to interface with existing scanners to ingest test results, get rid of duplicate findings, prioritize the rest, and provide ways to assign engineers to fix the ones that are important.
- Identify weaknesses quickly and efficiently
- Scale the process of automation using several scanners
- Prioritize findings and auto-assign tasks
Wrangling Tools
Our research indicated that many existing AppSec scanning tools do a good job of finding particular types of security issues, and each tool is better at certain classes of weaknesses than others. To get the right coverage, several scanners are run against the same set of code.
Because that’s hard to do at scale, we built Code Dx to talk to the best AppSec tools available. Running them from one central console and pooling the results in one spot solves that problem. AppSec managers get to use the tools they already trust, but far more efficiently, in 75% less time.
False Positives
The biggest problem is that these scanners produce TONS of white noise—false positives. A scan might produce hundreds or thousands of findings that contain only three or four genuine security flaws. That’s a lot to sort through, isn’t it?
This was the most important thing to get right, so we built Code Dx with a variety of mechanisms to identify and reduce these false positives. It automatically weeds out lots of false positives, often reducing the number from thousands to a few hundred. It then uses machine learning to automatically prioritize the important ones, which cuts the list down further, often to just a few dozen. Over the course of a full development cycle, that saves hundreds of hours of labor, without sacrificing any of the best practices for secure development.
Compliance is Expensive
Businesses spend a lot of time and money making sure the software they develop and use complies with regulatory standards, because the price tag for noncompliance can be millions of dollars in fines. But manually reviewing code for compliance is expensive. To fix that, Code Dx automatically tags each flaw with the relevant regulation. That saves a lot of time (and potential prosecution)!
Secure Software for Everyone!
The Results
Code Dx’s commercial value was apparent from the get-go. Once it was ready, a huge variety of industries were interested in it—financial institutions, healthcare organizations, fashion companies, tech giants; the list goes on. Code Dx was spun out into its own business, and soon gained enough traction to attract investment from a venture capital firm, and finally, an acquisition.
In 2021, Code Dx, Inc. was acquired by one of the biggest names in the cybersecurity industry: Synopsys.