Xanitizer enables you to manage the internal security risks of your project and the external security risks which were introduced by libraries. Each finding is automatically classified according to its risk level.
- Investigate the detected issues and identify their root cause.
- Adapt classification, prioritize issues and add comments for team members.
- Specify which team member is responsible for taking care of an issue.
- Get proposals on how to fix a detected vulnerability.
- Replace external libraries with known vulnerabilities with newer versions.
- Track the review state of all security issues.
- Report your security risks to supervisors, executives, stakeholders, or customers.
Compliance & Standards
Xanitizer detects more than 50 different types of vulnerabilities in Java and Scala projects. Each finding is automatically assigned to a CWE number and to common industry standards.
- Check if your project meets the leading industry standards like the OWASP Top 10 2013/2017, a list of the most critical security risks of web applications.
- Assign vulnerability types for supporting your own compliance requirements.
Xanitizer finds security vulnerabilities with excellent accuracy based on its static security analysis.
- Avoid checking your own project as a black box.
- Follow each control flow path automatically to analyze any possible code location.
- Reduce your reviewing effort with a minimized number of false alarms.
- Enhance the accuracy even further by adding project specific rules.
Root Cause Analysis
Xanitizer's unique visualizations like the Smart Call Graph, combined with detailed explanations, allow you to identify and understand the root cause of each detected security finding. This way you can easily decide how and where to fix a vulnerability.
- Review detailed explanations regarding the root cause and the attack vector of a vulnerability.
- Visualize the flow of manipulated data from an entry point into your application to the location where harm can be caused.
- Use interactive navigation with drill-down and auto-masking to focus on a single security finding without getting lost in too much information.
- Analyze each detected security issue down to its exact source code location.
- Fix the detected vulnerabilities with the provided solution proposals.
Ad Hoc Analysis
A full security analysis is not finished in a minute. To reduce the time required for a security review, Xanitizer provides an ad hoc security analysis that lets you quickly check for vulnerabilities connected with an interactively defined start or end point.
- Run a "What If" analysis to check if any harm might be caused if a certain local variable is tainted or if a certain location could be reached by tainted data.
- Validate the effect of your code and configuration changes.
Xanitizer is designed to become an essential part of your software development life cycle (SDLC) and to let you fully automate the security analysis process.
- Detect vulnerabilities already in the implementation phase of your SDLC to reduce the effort necessary to fix them.
- Integrate Xanitizer easily with all build management servers.
- Analyze code changes in the continuous integration build and prevent new code from introducing new vulnerabilities, even if you don't have a runnable application.
- Continuously monitor your security enhancements.
- Report your results to supervisors, executives, stakeholders, or customers.
Xanitizer provides several options to monitor your security enhancements on a high level.
- Visualize the trend of your security level by using Xanitizer's dashboard.
- Integrate it into the code quality management platform SonarQube and the vulnerability assessment collaboration tool Jackhammer.
- Ensure that your team takes care of existing security vulnerabilities.
- Report your trend to supervisors, executives, stakeholders, or customers.
Xanitizer has an integrated reporting engine with predefined and adaptable report templates.
- Document the results of your security analysis.
- Demonstrate the benefit of your security enhancements to supervisors, executives, stakeholders, or customers.
- Support your developers by exporting a very detailed report containing all relevant information for a single finding to fix the vulnerability.
- Adapt the report templates to meet your requirements.
Xanitizer finds vulnerabilities in your software out-of-the-box. But you can also adapt Xanitizer to meet your specific requirements.
- Enable or disable vulnerability types to create security profiles that are specific to your project or company.
- Adapt the categorization of vulnerability types to support your own compliance requirements.
- Extend the predefined rule configurations or create your own rules for application specific security requirements.
- Enhance Xanitizer to support further application specific frameworks.
- Adapt report templates to meet your requirements.
User-specific adaptations are also provided as a service.