
ThunderScan Static Application Security (SAST)

Solution Overview

The best way to ensure that your applications are free from critical vulnerabilities is to perform a comprehensive audit of application source code using ThunderScan.

ThunderScan Static Application Security (SAST)

DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® is easy to use, requires almost no user input and can be deployed during or after development with easy integration into your DevOps environment and CI/CD pipeline. Our SAST solution provides an excellent way to automate code inspection as an alternative to the demanding and time-consuming procedure of manual code reviews.

Find out why large enterprises are replacing their current SAST solutions with DefenseCode ThunderScan® SAST.

With DefenseCode ThunderScan® SAST it is possible to scan millions of source code lines across 29 different programming languages and various programming frameworks within hours or even minutes. Scalability combined with repeatability of automation provides an easy and painless way to introduce security into your DevOps for organizations ranging from small development teams up to the largest enterprises.

ThunderScan® includes a Dependency Check component (Software Composition Analysis – SCA) that will detect publicly disclosed vulnerabilities contained within a project’s dependencies with associated CVE entries.

Application source code security analysis has consistently proven to be the most comprehensive way to ensure that your application is free of security vulnerabilities (SQL Injection, Cross-Site Scripting, Path/Directory Traversal, Code Injection, and many more).

With ThunderScan® SAST it is very easy to meet compliance standard requirements such as PCI-DSS, SANS/CWE Top 25, OWASP Top 10, HIPAA, HITRUST or NIST.

ThunderScan® SAST's easy-to-use and very powerful REST API allows you to customize source code scanning and scale across a large number of scanning agents.

DefenseCode ThunderScan® has repeatedly demonstrated its effectiveness by discovering critical vulnerabilities in well-known open source applications.

ThunderScan® performs fast and accurate analysis of large and complex source code projects, delivering precise results and a low false positive rate.


Vulnerabilities coverage

ThunderScan® scans for more than 70 different vulnerability types (including OWASP Top 10, SANS 25 and CWE) in desktop, web and mobile applications developed on various platforms using different development environments and frameworks. ThunderScan® includes a Dependency Check component (Software Composition Analysis - SCA) that will detect publicly disclosed vulnerabilities contained within a project’s dependencies with associated CVE entries.

High:

  • SQL Injection
  • Command Injection
  • Code Injection
  • XPath Injection
  • LDAP Injection
  • XML External Entity (XXE) Injection
  • Path/Directory Traversal
  • Deserialization of Untrusted Data
  • Server Pages Execution
  • Server Side Request Forgery
  • PHP File Inclusion
  • Buffer Overflow
  • Integer Overflow
  • Arbitrary Library Injection
  • Use After Free
  • Double Free
  • Time of Check Time of Use
  • Uncontrolled Format String
  • Out of Buffer Bounds Read
  • Out of Buffer Bounds Write
  • Insecure Data Storage
  • Insufficient Transport Layer Protection
  • Shared Preferences Usage
  • Man-in-the-Middle Attack

Medium:

  • File Manipulation
  • Cross-Site Scripting
  • DOM Based Cross-Site Scripting
  • HTTP Header Injection
  • HTTP Response Splitting
  • Unvalidated/Open Redirect
  • Regex Denial of Service (ReDoS)
  • Sleep Denial Of Service
  • System Properties Change
  • Session Fixation
  • Session Poisoning
  • Integer Underflow
  • Uncontrolled Memory Allocation
  • Intents Usage
  • Arbitrary Code Injection
  • Application Configuration
  • Trust Boundary Violation
  • Location Information

Low:

  • Hardcoded Password/Credentials
  • Secret Key In Source
  • Heap Inspection
  • Error Messages Information Exposure
  • Log Forging
  • Log Messages Information Leak
  • Console Output
  • Weak Encryption Strength
  • Weak Hash Strength
  • Weak Pseudo-Random
  • Arbitrary Server Connection
  • Mail Relay
  • File Upload
  • Cookie Injection
  • Cookie Without 'HttpOnly' Flag
  • Dangerous File Extensions
  • Dangerous HTML Embedded
  • Hidden HTML Input
  • FTP Command Injection
  • Mass Assignment
  • Memcache Injection Vulnerability
  • Sensitive Database Data Modification
  • Symlink Vulnerability
  • System Properties Disclosure
  • Trust Boundary Violation
  • Divide By Zero
  • Use of Inherently Dangerous Function
  • Use of Insecure Functions
  • Miscellaneous Dangerous Functions
  • WebView Implementation
  • External URL Access
  • External Data In SQL Queries

DevSecOps / SDLC Integration

ThunderScan SAST is rapidly expanding its coverage of modern DevSecOps/SDLC integration requirements; please revisit this section from time to time for the latest coverage.

Supported Languages

A static application security testing (SAST) tool is only as useful as its support for the programming languages you currently use or are considering for the future. Below is the extensive list of supported languages and frameworks (more will come; please revisit the page from time to time).

Languages:

  • C#
  • JAVA
  • KOTLIN
  • PHP
  • PYTHON
  • RUBY
  • GO
  • JAVASCRIPT / NODE.JS
  • TYPESCRIPT
  • GROOVY
  • C/C++
  • VB.NET
  • VISUAL BASIC
  • VBSCRIPT
  • ASP CLASSIC
  • IOS OBJECTIVE C
  • SWIFT
  • ANDROID JAVA
  • COLDFUSION
  • PLSQL
  • COBOL
  • ABAP
  • SALESFORCE APEX
  • ASP.NET
  • JSP
  • HTML/HTML5
  • SQL
  • XML
  • XAMARIN

Frameworks:

  • ASP.NET
  • ASP.NET MVC
  • TELERIK
  • HIBERNATE.NET
  • ENTITY FRAMEWORK
  • JSP
  • J2EE
  • SPRING
  • SPRING BOOT
  • STRUTS
  • JAX-RS
  • JAX-WS
  • JAVA FACES
  • JAX-RPC
  • JAVA BEANS
  • EJB
  • HIBERNATE
  • WEBSOCKETS
  • ZEND
  • KOHANA
  • CAKE PHP
  • SYMFONY
  • LARAVEL
  • YII
  • CODEIGNITER
  • PHALCON
  • FLASK
  • DJANGO
  • RUBY ON RAILS
  • REACT
  • ANGULAR
  • NODE.JS
  • JQUERY
  • EXPRESSJS
  • KNOCKOUT
  • KOA.JS
  • GRAILS
  • GORILLA
  • REVEL
  • GIN
  • ECHO
  • BEEGO
  • IBM DB2
  • BSP
  • BOTTLE
  • XAMARIN

Benefits

Key Benefits

  • Automate security vulnerability testing
  • Fast, accurate and actionable results
  • Seamless DevOps and CI/CD integration
  • Powerful REST API interface
  • Scalability and cross-platform support
  • Low false positive rate
  • Supports a wide range of programming languages
  • On-premise or SaaS options
  • Standard Compliance reports

DefenseCode ThunderScan automates security vulnerability testing. ThunderScan is easy to use, requires almost no user input and can be deployed during or after development with easy integration into your DevOps environment and CI/CD pipeline.

The SAST solution provides an excellent way to automate code inspection as an alternative to the demanding and time-consuming procedure of manual code reviews. ThunderScan performs fast and accurate analysis of large and complex source code projects, delivering precise results and a low false positive rate.

Scalability combined with repeatability of automation provides an easy and painless way to introduce security into your DevOps for organizations ranging from small development teams up to the largest enterprises.

With DefenseCode ThunderScan SAST it is possible to scan millions of source code lines across 27 different programming languages and various programming frameworks within hours or even minutes.

With ThunderScan SAST it is very easy to meet compliance standard requirements such as PCI-DSS, SANS/CWE Top 25, OWASP Top 10 or NIST. ThunderScan SAST's easy-to-use and very powerful REST API allows you to customize source code scanning and scale across a large number of scanning agents. DefenseCode ThunderScan has repeatedly demonstrated its effectiveness by discovering critical vulnerabilities in well-known open source applications.

System Requirements

Hardware & Software Requirements

Hardware requirements:
• Processor (CPU): Intel Core i7 or equivalent (4 cores/8 threads in VM terms)
• Memory: 8GB RAM
• Storage: 2GB free

Software/OS requirements:
• Microsoft Windows 10/Server 2012* and higher or modern Linux distributions
[*] Windows Server 2012 requires an Update for Universal C Runtime in Windows for the MongoDB database to run.

Supported browsers:
• Google Chrome / Chromium (Opera et al.)
• Mozilla Firefox
• Microsoft Edge
• Safari

Supported Integrations and IDE:
• TFS / VSTS (Azure DevOps) - 2013, 2015, 2017, 2018, 2019, latest preferred
• Atlassian Jira Server – 5.0 to latest (8.x.x), latest preferred
• Visual Studio – 2013 to latest, latest preferred
• Visual Studio Code, latest preferred
• Eclipse, latest preferred
• IntelliJ, latest preferred


Latest Release

E-SPIN compiles the latest releases on this page and arranges them in an easy-to-read manner so that technical users know what changed in each build.

DefenseCode ThunderScan 3.1.0

2021-Aug-16

  • Added: OpenID Connect Single-Sign-On (SSO) support
  • Added: SAML Single-Sign-On (SSO) support
  • Added: Group mapping across all authentication mechanisms
  • Added: GitHub Issues support in Issue Tracking integrations
  • Added: Redmine support in Issue Tracking integrations
  • Added: Scan results filtering by input sources, sink calls and files
  • Added: Java, Ruby, Python, JavaScript, Groovy, Kotlin, Golang and PHP SAST engine improvements
  • Added: Report attachments in email notifications
  • Added: Login endpoint rate limiting configuration through environment variables
  • Added: Report (HTML/PDF) level option to exclude vulnerability data flows information
  • Added: No vulnerabilities found condition in issue tracking and notification triggers

  • Changed: Git cloning set to depth 1 (shallow clone)
  • Changed: Recipients can be set on the trigger level in email and slack notifications
  • Changed: Notification triggers are executed with credentials of a trigger creator vs scan creator
  • Changed: Optimization of analytics information retrieval
  • Changed: Enabled LDAP default role mapping configuration
  • Changed: Application metrics will only count Finished scans
  • Changed: Parent application name can be passed instead of ID in scan creating API calls

  • Fixed: Issues with schedules deletion permissions
  • Fixed: Limited list in Parent applications drop-down in New scan
  • Fixed: Ruby, Golang, Apex SAST engine issues with incremental scanning
  • Fixed: Issue tracking and notification trigger permissions
  • Fixed: Slow loading of application scans when changing pages or limits
  • Fixed: Schedules update issue with creator property invalidation causing failed scans
  • Fixed: Concurrent map write panic with IDE scans
  • Fixed: Git extraHeader Authorization fallbacks for PAT-based clones
  • Fixed: Application and schedules update issue with multi-language configurations

DefenseCode ThunderScan 3.0.10-hotfix

2021-Jun-21 3.0.10-hotfix3

  • Fixed: Issues with incremental scanning of empty projects (in terms of files related to selected languages).
  • Fixed: C# and Xamarin engine issues with incremental scans
  • Fixed: Java analysis improvements and fixes related to interfaces and generic classes
  • Fixed: Web UI usability issues related to dashboard paging (refreshing, filtering and backtracking states), chart behavior on empty results, LDAP role mapping information, Slack trigger information in scan Config overview
  • Fixed: Unavailable source code highlighting files due to symlink deletion during post-scanning file cleanup with triggered application scans
  • Fixed: Dockerfile Chromium installation change

2021-Jun-7 3.0.10-hotfix2

  • Fixed: Agent issues with shared data path storage of reports and application differential data
  • Fixed: JavaScript and TypeScript engine configuration file errors causing Web UI issues (introduced in hotfix1)
  • Fixed: C# and Xamarin engines crashing issues with incremental scans
  • Fixed: Web UI Rescan option not using the parent application ID in a new scan
  • Added: Java and JavaScript additional rules

2021-May-31 3.0.10-hotfix1

  • Added: Environment variable flag to use Git client instead of the default go-git method
  • Added: Configuration environment variables (alternative method)

  • Fixed: SSH cloning of large repositories, "use of closed network connection" issue
  • Fixed: Agent refresh state issues when used with MySQL backend
  • Fixed: Kotlin analysis framework coverage fixes
  • Fixed: JavaScript and TypeScript analysis coverage and false positive fixes
  • Fixed: API token issues with MySQL backend deployments
  • Fixed: Schedules issues where reloaded tasks after restart did not execute in order

DefenseCode ThunderScan version 3.0.9.1

## Fixed
[01/03/2021] Amazon DocumentDB support issues (failing operations due to retryWrite)
[02/03/2021] TypeScript analysis improvements

# DefenseCode ThunderScan version 3.0.9 CHANGELOG

## Added
[14/02/2021] Xamarin C# (Android & iOS) analysis support
[14/02/2021] Features enabling scan parent and visibility changes
[14/02/2021] Vulnerability suppression comments
[14/02/2021] Email support for notification purposes (Email Triggers)
[15/02/2021] Scan templates feature
[19/02/2021] Summary HTML/PDF reports
[19/02/2021] Vulnerability type coverage added to reports

## Fixed
[27/01/2021] Login wrong password errors UI visibility issue
[10/02/2021] Password length requirements on user creation
[10/02/2021] Vulnerability counts issue with false positives
[12/02/2021] ThunderScan Agent race conditions
[15/02/2021] UI User editing groups removal issue

## Changed
[08/02/2021] Wkhtmltopdf replaced with Chromium for PDF report generation
[18/02/2021] Redesigned HTML/PDF reports
[18/02/2021] Python "Bottle" framework support and analysis improvements
[19/02/2021] Java engine analysis improvements

DefenseCode ThunderScan 3.0.10

2021-May-13

  • Added: Organization-wide Analytics dashboard and reporting
  • Added: Scan scheduling, schedule management
  • Added: SQL database support (MySQL)
  • Added: Two-way TLS authentication support
  • Added: Mercurial version control support
  • Added: Support for Git passphrase protected SSH keys
  • Added: Support for Slack notifications
  • Added: Vulnerability comments
  • Added: Go language coverage of additional vulnerability types
  • Added: Scan template support in IDE extensions
  • Added: Application editing

  • Fixed: Python engine issues related to code line numbers
  • Fixed: False positives counted in report bar charts
  • Fixed: Multiple recipients for email notifications (comma separated)
  • Fixed: Environment variable configuration issue with ThunderScan agents
  • Fixed: Scan Config tabs display issue with scans started from CLI/IDE
  • Fixed: Triggered application scans group visibility assignment
  • Fixed: Scan names column sorting issues in Web UI

DefenseCode ThunderScan version 3.0.9

## Added
[14/02/2021] Xamarin C# (Android & iOS) analysis support
[14/02/2021] Features enabling scan parent and visibility changes
[14/02/2021] Vulnerability suppression comments
[14/02/2021] Email support for notification purposes (Email Triggers)
[15/02/2021] Scan templates feature
[19/02/2021] Summary HTML/PDF reports
[19/02/2021] Vulnerability type coverage added to reports
[19/02/2021] JSON exports for scan configuration parameters and scan audit trail

## Fixed
[27/01/2021] Login wrong password errors UI visibility issue
[10/02/2021] Vulnerability counts issue with false positives
[12/02/2021] ThunderScan Agent race conditions
[15/02/2021] UI User editing groups removal issue

## Changed
[08/02/2021] Wkhtmltopdf replaced with Chromium for PDF report generation
[18/02/2021] Redesigned HTML/PDF reports
[18/02/2021] Python "Bottle" framework support and analysis improvements
[19/02/2021] Java engine analysis improvements

DefenseCode ThunderScan version 3.0.8.1

## Fixed
[13/01/2021] TypeScript source code highlighting on Git target sources
[13/01/2021] SARIF export issues due to Custom Patterns vulnerability type
[13/01/2021] VB.Net SAST engine stalling issues
[14/01/2021] PCI DSS HTML report header titles
[14/01/2021] False positive and duplicate signature issues
[14/01/2021] Azure DevOps Issue Tracking credentials saving issue
[14/01/2021] Git SSH clone issues on very large repositories
[21/01/2021] Issues with LDAP users API tokens
[21/01/2021] Web UI LDAP Role Mapping editing role visibility issue
[21/01/2021] False positive vulnerability type marking UI issues

## Changed
[12/01/2021] C# SAST engine improvements
[14/01/2021] Dockerfile changes (jessie-slim to stretch-slim)

DefenseCode ThunderScan version 3.0.8

## Fixed
[10/11/2020] - Ruby incorrect sorting of Miscellaneous Dangerous Functions
[11/11/2020] - Web UI issues with multi-language scan configuration
[17/11/2020] - Default directory permissions on application UUID directories
[18/11/2020] - Java AES-related false positive crypto issues
[18/11/2020] - Trimming of trailing spaces in target source URLs

## Changed
[18/11/2020] - Exported report filenames now contain the name of the scan instead of ID
[18/11/2020] - Java engine improvements
[17/11/2020] - ALM Issues scan name visibility and recommended mitigation
[15/12/2020] - C/C++ engine improvements
[16/12/2020] - PHP engine analysis speed improvements
[16/12/2020] - Ruby engine improvements
[18/12/2020] - False Positive Signature improvements (disregarding lines, using snippets)

## Added
[15/11/2020] - CAPEC reports
[15/11/2020] - Scan creator username visibility on dashboard
[15/11/2020] - Scan JSON configuration review on created scans (Config tab)
[20/11/2020] - Scan action history review (Activity tab)
[30/11/2020] - Excluded vulnerability types visibility in exported HTML/PDF reports
[01/12/2020] - Jira issues additional information in the submitted content

DefenseCode ThunderScan 3.0.7

## Fixed
[12/10/2020] - Scans that break when reaching the maximum BSON document size in MongoDB of 16 megabytes due to thousands of vulnerability results.
[16/10/2020] - PHP SAST engine issues

## Changed
[12/10/2020] - Default Swift and iOS Objective-C engine rules adjustment to lower the false positive rate related to property lists (e.g. Insufficient Transport Layer Protection for "http://www.apple.com" in standard .plist DOCTYPE declarations)
[16/10/2020] - Java, JavaScript/Node.js, Ruby, Kotlin SAST engine improvements
[20/10/2020] - Updated node and typescript modules

## Added
[16/10/2020] - Atlassian Jira assignment and issue status
[16/10/2020] - Web User Interface administrative log management
[12/10/2020] - Automatic copy of engine debug logs on failure to ThunderScan log directory

DefenseCode ThunderScan 3.0.5

Oct 2, 2020

## Added

- Support for Kotlin language security scanning
- Regex (PCRE) based path/file exclusions

## Fixed
- API bug fixes related to uploads

## Changed
- Improvements to incremental scanning feature

## Thanks
Viktor Schneider of SEC Consult for his contribution in improving the ThunderScan solution.

E-SPIN Value Proposition

E-SPIN has actively promoted DefenseCode's full range of products and technologies since 2018 as part of the company's Vulnerability Management (VM) and Application Security Testing (AST) solution portfolio. E-SPIN provides consulting, supply, training and maintenance of DefenseCode products for enterprise, government and military customers (or distributes and resells them as part of a complete solution package) in the regions where E-SPIN does business. Its customers range from universities, corporations and government agencies to IT security professionals and analysts working on web application security, cyber security / cyber warfare / military defense applications, or secure development and DevSecOps / CI/CD systems with static application security testing (SAST) and dynamic application security testing (DAST).

Please feel free to contact E-SPIN with your inquiry and requirements so we can assist you with the packaged solutions you may require for your operations or project needs.
