DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® is easy to use, requires almost no user input and can be deployed during or after development with easy integration into your DevOps environment and CI/CD pipeline. Our SAST solution provides an excellent way to automate code inspection as an alternative to the demanding and time-consuming procedure of manual code reviews.
Find out why large enterprises are replacing their current SAST solutions with DefenseCode ThunderScan® SAST.
With DefenseCode ThunderScan® SAST it is possible to scan millions of source code lines across 29 different programming languages and various programming frameworks within hours or even minutes. Scalability combined with repeatability of automation provides an easy and painless way to introduce security into your DevOps for organizations ranging from small development teams up to the largest enterprises.
ThunderScan® includes a Dependency Check component (Software Composition Analysis – SCA) that will detect publicly disclosed vulnerabilities contained within a project’s dependencies with associated CVE entries.
Application source code security analysis has consistently proven to be the most comprehensive way to ensure that your application is free of security vulnerabilities (SQL Injection, Cross-Site Scripting, Path/Directory Traversal, Code Injection and many more).
With ThunderScan® SAST it is very easy to meet compliance requirements such as PCI-DSS, SANS/CWE Top 25, OWASP Top 10, HIPAA, HITRUST or NIST.
ThunderScan® SAST's easy-to-use and very powerful REST API allows you to customize source code scanning and scale across a large number of scanning agents.
DefenseCode ThunderScan® has repeatedly demonstrated its effectiveness by discovering critical vulnerabilities in well-known open source applications.
ThunderScan® performs fast and accurate analysis of large and complex source code projects, delivering precise results with a low false positive rate.
ThunderScan® scans for more than 70 different vulnerability types (including OWASP Top 10, SANS 25 and CWE) in desktop, web and mobile applications developed on various platforms using different development environments and frameworks.
Any static application security testing (SAST) tool on the market is only as useful as its support for the programming languages you use today or plan to adopt in the future. Below is the full list of supported languages (more will come; please revisit this page from time to time).
DefenseCode ThunderScan automates security vulnerability testing.
Hardware & Software Requirements
Hardware requirements:
• Processor (CPU): Intel Core i7 or equivalent (4 cores/8 threads in VM terms)
• Memory: 8GB RAM
• Storage: 2GB free
Software/OS requirements:
• Microsoft Windows 10/Server 2012* and higher or modern Linux distributions
[*] Windows Server 2012 requires an Update for Universal C Runtime in Windows for the MongoDB database to run.
Supported browsers:
• Google Chrome / Chromium (Opera et al.)
• Mozilla Firefox
• Microsoft Edge
• Safari
Supported Integrations and IDE:
• TFS / VSTS (Azure DevOps) - 2013, 2015, 2017, 2018, 2019, latest preferred
• Atlassian Jira Server – 5.0 to latest (8.x.x), latest preferred
• Visual Studio – 2013 to latest, latest preferred
• Visual Studio Code, latest preferred
• Eclipse, latest preferred
• IntelliJ, latest preferred
E-SPIN compiles the latest release notes on this page and arranges them in an easy-to-read manner so that technical users can see what changed in each build.
## Fixed
[01/03/2021] Amazon DocumentDB support issues (failing operations due to retryWrite)
[02/03/2021] TypeScript analysis improvements
# DefenseCode ThunderScan version 3.0.9 CHANGELOG
## Added
[14/02/2021] Xamarin C# (Android & iOS) analysis support
[14/02/2021] Features enabling scan parent and visibility changes
[14/02/2021] Vulnerability suppression comments
[14/02/2021] Email support for notification purposes (Email Triggers)
[15/02/2021] Scan templates feature
[19/02/2021] Summary HTML/PDF reports
[19/02/2021] Vulnerability type coverage added to reports
[19/02/2021] JSON exports for scan configuration parameters and scan audit trail
## Fixed
[27/01/2021] Login wrong password errors UI visibility issue
[10/02/2021] Password length requirements on user creation
[10/02/2021] Vulnerability counts issue with false positives
[12/02/2021] ThunderScan Agent race conditions
[15/02/2021] UI User editing groups removal issue
## Changed
[08/02/2021] Wkhtmltopdf replaced with Chromium for PDF report generation
[18/02/2021] Redesigned HTML/PDF reports
[18/02/2021] Python "Bottle" framework support and analysis improvements
[19/02/2021] Java engine analysis improvements
## Fixed
[13/01/2021] TypeScript source code highlighting on Git target sources
[13/01/2021] SARIF export issues due to Custom Patterns vulnerability type
[13/01/2021] VB.Net SAST engine stalling issues
[14/01/2021] PCI DSS HTML report header titles
[14/01/2021] False positive and duplicate signature issues
[14/01/2021] Azure DevOps Issue Tracking credentials saving issue
[14/01/2021] Git SSH clone issues on very large repositories
[21/01/2021] Issues with LDAP users API tokens
[21/01/2021] Web UI LDAP Role Mapping editing role visibility issue
[21/01/2021] False positive vulnerability type marking UI issues
## Changed
[12/01/2021] C# SAST engine improvements
[14/01/2021] Dockerfile changes (jessie-slim to stretch-slim)
## Fixed
[10/11/2020] - Ruby incorrect sorting of Miscellaneous Dangerous Functions
[11/11/2020] - Web UI issues with multi-language scan configuration
[17/11/2020] - Default directory permissions on application UUID directories
[18/11/2020] - Java AES-related false positive crypto issues
[18/11/2020] - Trimming of trailing spaces in target source URLs
## Changed
[18/11/2020] - Exported report filenames now contain the name of the scan instead of ID
[18/11/2020] - Java engine improvements
[17/11/2020] - ALM Issues scan name visibility and recommended mitigation
[15/12/2020] - C/C++ engine improvements
[16/12/2020] - PHP engine analysis speed improvements
[16/12/2020] - Ruby engine improvements
[18/12/2020] - False Positive Signature improvements (disregarding lines, using snippets)
## Added
[15/11/2020] - CAPEC reports
[15/11/2020] - Scan creator username visibility on dashboard
[15/11/2020] - Scan JSON configuration review on created scans (Config tab)
[20/11/2020] - Scan action history review (Activity tab)
[30/11/2020] - Excluded vulnerability types visibility in exported HTML/PDF reports
[01/12/2020] - Jira issues additional information in the submitted content
## Fixed
[12/10/2020] - Scans that break when reaching the maximum BSON document size in MongoDB of 16 megabytes due to thousands of vulnerability results
[16/10/2020] - PHP SAST engine issues
## Changed
[12/10/2020] - Default Swift and iOS Objective-C engine rules adjusted to lower the false positive rate related to property lists (e.g. Insufficient Transport Layer Protection for "http://www.apple.com" in standard .plist DOCTYPE declarations)
[16/10/2020] - Java, JavaScript/Node.js, Ruby, Kotlin SAST engine improvements
[20/10/2020] - Updated node and typescript modules
## Added
[16/10/2020] - Atlassian Jira assignment and issue status
[16/10/2020] - Web User Interface administrative log management
[12/10/2020] - Automatic copy of engine debug logs on failure to ThunderScan log directory
Oct 2, 2020
## Added
- Support for Kotlin language security scanning
- Regex (PCRE) based path/file exclusions
## Fixed
- API bug fixes related to uploads
## Changed
- Improvements to incremental scanning feature
## Thanks
Viktor Schneider of SEC Consult for his contribution in improving the ThunderScan solution.
E-SPIN has actively promoted DefenseCode's full range of products and technologies since 2018 as part of the company's Vulnerability Management (VM) and Application Security Testing (AST) solution portfolio. E-SPIN provides consulting, supply, training and maintenance of DefenseCode products for enterprise, government and military customers (or distributes and resells them as part of a complete solution package) in the regions where E-SPIN does business. Customers range from universities, corporations and government agencies to IT security professionals and analysts working on web application security, cyber security, cyber warfare and military defense applications, or on secure development and DevSecOps CI/CD systems with static application security testing (SAST) and dynamic application security testing (DAST).
Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you with the exact packaged solution you may require for your operational or project needs.