VeriPrism - The Clean Slate Advantage

Design Points - The VeriPrism Difference

Competitors

Set up (consulting)
Parse language by language
Serial iterations PER RULE:
    Line of code > grep
    Line of code > grep
    Line of code > grep
    Line of code > grep
    Line of code > grep
× rules to grep…
× function counts…
× other analysis…

DAYS exec for ~20M lines
(on a VERY big box)

Operationalize (consulting)

VeriPrism

Point at code base
Automatically identify languages
Parse/Lex in one pass
Parallel rule scans & counts
Client-specific custom rules

~1M Lines per HOUR
(on a small 2 core 4gb AWS T3.medium box)

Operationalize = read results → act

Differentiators

  • Bootstrap funding meant we didn’t build a big staff, develop traditionally, and price accordingly
  • VeriPrism Collector is an AI replacement for Guesslang.  Collector learns languages to automate onboarding of your code
  • Rules are rules.  DevSec, CISQ, OWASP, even custom rules. If a rule can be logically defined, VeriPrism can handle it
  • We are happy to consult on operationalization, we consider it a failure if you need us for utilization
  • Competition considers a sample of up to ~80% code analysis to be Pareto perfect – we like “5 9’s” (99.999%)

VeriPrism – The result of deliberately not caring how it has always been done!

Security First

Customer Dedicated Secure Cloud Processing Environment

  • Complex database and code interaction requires controlled platform
  • Customer Code is protected and firewalled
  • S3 Bucket and AWS Instance are dedicated per customer
  • Only Application DNA – unreadable and nonexecutable – is analyzed
  • Source code does not persist outside S3 bucket upon completion
  • GitHub requires client transfer to S3 for security and code stability
  • Customer access is limited by unique user IAM keys
  • Access can be further controlled by permitting only specific IPs

Competitors require custodial access to client code or significant configuration to access the code.  VeriPrism simply needs to be pointed at the top level code and then will automatically analyze all source code called by the top level or subsequent levels.  Consultative configuration is typically not required.
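The bullets above describe three controls on the processing environment: a dedicated S3 bucket per customer, a unique IAM user per customer, and access limited to specific source IPs. The following is an added illustration of how those controls fit together in a bucket policy; it is not VeriPrism's own code or configuration. The bucket name, account id, user ARN and CIDR ranges are constructed placeholders, and the small evaluator only models the aws:SourceIp conditions, not the full IAM decision logic.

```python
"""Added illustration (not VeriPrism's own code) of the per-customer S3
controls listed above: one bucket per customer, one IAM user per customer,
and access limited to specific source IPs.  Bucket, account, user and CIDR
values below are constructed placeholders."""
import ipaddress
import json


def customer_bucket_policy(bucket, customer_user_arn, allowed_cidrs):
    """Build an S3 bucket policy that (1) lets only the customer's IAM user read,
    write and list the dedicated bucket, and only from the allowed CIDRs, and
    (2) explicitly denies anyone reaching the bucket from any other address."""
    bucket_arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    cidrs = list(allowed_cidrs)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CustomerAccessFromAllowedRanges",
                "Effect": "Allow",
                "Principal": {"AWS": customer_user_arn},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": bucket_arns,
                "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
            },
            {
                # An explicit Deny also applies to the account's own principals,
                # so the analysis instance's egress address must be in the list
                # (requests arriving through a VPC endpoint are matched with
                # aws:VpcSourceIp rather than aws:SourceIp).
                "Sid": "DenyFromOutsideAllowedRanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": bucket_arns,
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            },
        ],
    }


def source_ip_allowed(policy, source_ip):
    """Evaluate only the aws:SourceIp conditions of the policy for a request
    from ``source_ip``, in IAM's order: an explicit Deny wins, then any
    matching Allow, otherwise the request is implicitly denied.  Principal and
    Action matching are deliberately left out of this simplified check."""
    ip = ipaddress.ip_address(source_ip)

    def in_ranges(cidrs):
        return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

    allowed = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if stmt["Effect"] == "Deny":
            outside = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
            if outside and not in_ranges(outside):
                return False
        elif stmt["Effect"] == "Allow":
            inside = cond.get("IpAddress", {}).get("aws:SourceIp", [])
            if inside and in_ranges(inside):
                allowed = True
    return allowed


def render_policy(policy):
    """Serialize the document for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed placeholder values (RFC 5737 documentation ranges, dummy account id).
    policy = customer_bucket_policy(
        "example-customer-code",
        "arn:aws:iam::123456789012:user/example-customer",
        ["203.0.113.0/24"],
    )
    print(render_policy(policy))
    print("203.0.113.7 allowed:", source_ip_allowed(policy, "203.0.113.7"))
    print("198.51.100.1 allowed:", source_ip_allowed(policy, "198.51.100.1"))
```

The explicit Deny is what makes the IP restriction hold even if a broader Allow is attached to the user later, which is why the processing instance's own address must appear in the allowed list before the policy is applied.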

Onboarder

Machine Learning Permits Automated Execution

Reduces Onboarding and Configuration Lead Time to Near Zero

  • Onboarder gathers from GitHub on demand or from a secure AWS S3 bucket via batch or on demand
  • Language is automatically identified and classified through a proprietary machine learning application then queued for analysis
  • Supports analysis from developer level modules up through full system

VeriPrism competitors require configuration at some very basic levels.  The most basic is identifying the language to be scanned in their tools.  This not only requires manual configuration, but other languages called from within a program must also be handled by exception.

For years, guesslang has been used by GitHub and others to identify source code languages.  However, guesslang only covers about 20 languages and does not deal with embedded components in other languages at all.  In order to accomplish our goal of a “set and forget” tool, we had to invent something entirely new.

The VeriPrism Collector uses machine learning to identify new languages as they are encountered and pass this information along to the other VeriPrism components.  This single process automates the majority, if not all, of the complex onboarding required with other products. 

Scanner

Language Neutralization Permits Processing of Code Logic Independent of Programming Language

  • A finite and definable set of patterns is universal to all computer languages
  • Parsers exist for over 50 languages of which 6 represent 80% of code in production
  • Languages not already in VeriPrism can typically be added in less than a day
  • VeriPrism uses advanced parser/lexer implementations pushing hundreds of thousands of lines of code per hour through the sequencing process
  • Language-agnostic Application DNA™ replaces source code to enable advanced analysis and sizing

All code scanning products must parse the code and then lex the code into some analysis-ready format.  VeriPrism is no different except that we developed a proprietary approach to parsing and lexing which dramatically improves both speed and accuracy. 

VeriPrism also identifies the total line and character count of your source code and then certifies that the same has been analyzed with detailed exception reporting.

Analyzer

Analysis of Code at Compiler Level Enables 1:1 Pattern Analysis for Deterministic Results

After sequencing the code, rule patterns are matched against the code patterns in a multi-threaded, single-pass operation.

Eliminating the plain-text code searching used by other products enables superior detection accuracy with precise quality score and sizing results.

VeriPrism utilizes global standards, not algorithms, to perform measurements on the total code set including embedded code calls (e.g. SQL in Java). Just as with DNA, VeriPrism “sequences” patterns common to all computer languages to develop the analysis set.

VeriPrism has created Application DNA patterns for CISQ and other globally acknowledged software quality rules. VeriPrism compares your code patterns to rule patterns to identify problem code.

The commonly accepted method of performing these code checks has been to “grep” using known plain-language problem statements.  This process is incredibly resource- and time-consuming.  For instance, to check 20 million lines of code through just 60 rules takes one of our competitors several days of run time.  VeriPrism accomplishes this same task in under 2 hours for all 127 current CISQ rules.
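The Scanner and Analyzer sections above describe lexing the code once and then matching every rule against the resulting patterns in a multi-threaded, single-pass operation, rather than grepping plain text. The following added example (not VeriPrism's own parser or rule engine) shows why token-level matching is more accurate than grep: Python's standard tokenize module stands in for the product's language-neutral lexer, the two rules and the two sample modules are constructed for the demo, and the output is shaped like the Punch List entries described later (rule, module, line/column start/end).

```python
"""Added illustration (not VeriPrism's own parser or rule engine) of the
Scanner/Analyzer idea: lex the source once, then match every rule against
the token stream in a single pass, with modules scanned in parallel.
Python's tokenize module stands in for the product's language-neutral lexer;
the rules and sample modules are constructed for the demo."""
import io
import re
import tokenize
from concurrent.futures import ThreadPoolExecutor

# Constructed sample modules, embedded so the example runs offline.
SAMPLE_SOURCES = {
    "app/handler.py": (
        "import ast\n"
        "# TODO: remove the eval( call below\n"
        "BANNER = 'never eval( user input'\n"
        "def run(expr):\n"
        "    return eval(expr)\n"
    ),
    "app/safe.py": (
        "import ast\n"
        "def run(expr):\n"
        "    return ast.literal_eval(expr)\n"
    ),
}

# Hypothetical rules expressed as token-string sequences (a stand-in for the
# page's "Application DNA" patterns): a NAME token followed by an opening paren.
RULES = {
    "no-eval": ("eval", "("),
    "no-exec": ("exec", "("),
}


def grep_scan(path, source, pattern=r"\beval\("):
    """Plain-text approach: a regex per line with no notion of comments or
    string literals, so it also fires on the TODO comment and the banner text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in re.finditer(pattern, line):
            hits.append((path, lineno, match.start() + 1))
    return hits


def token_scan(path, source, rules=RULES):
    """Token-level approach: lex once, keep only NAME and OP tokens (comments,
    strings and layout tokens drop out), then test every rule at every position
    in one pass.  Each hit records rule, module, and 1-based line/column start
    plus line/column end."""
    tokens = [
        tok for tok in tokenize.generate_tokens(io.StringIO(source).readline)
        if tok.type in (tokenize.NAME, tokenize.OP)
    ]
    hits = []
    for i, tok in enumerate(tokens):
        for rule, pattern in rules.items():
            window = tuple(t.string for t in tokens[i:i + len(pattern)])
            if window == pattern:
                last = tokens[i + len(pattern) - 1]
                hits.append((rule, path, tok.start[0], tok.start[1] + 1,
                             last.end[0], last.end[1]))
    return hits


def scan_codebase(sources=SAMPLE_SOURCES, workers=2):
    """Scan each module in a worker thread and return one sortable punch list."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        per_module = pool.map(lambda item: token_scan(*item), sources.items())
        punch_list = [hit for hits in per_module for hit in hits]
    return sorted(punch_list)


if __name__ == "__main__":
    for path, src in SAMPLE_SOURCES.items():
        print(path, "grep hits:", grep_scan(path, src))
    print("token punch list:", scan_codebase())
```

On the constructed input the grep pass reports three hits in app/handler.py (the comment, the string literal and the real call), while the token pass reports exactly one, and neither approach flags ast.literal_eval because it is a single identifier. Adding a rule here costs one more tuple, not another pass over the code, which is the point of matching all rules against a single lexed stream.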

Visualizer

Unclouded by Language Syntax, Precise Matching of Rule Patterns Against Logic Becomes Possible


Deterministic Data Delivers Defensible, Repeatable Governance and Development Metrics

In a Cross-Site Scripting violation there is no security check between inputs

VeriPrism checks for valid inclusion or exclusion of patterns as defined in rules.

Once processing is complete in the Analyzer, the data is placed in a graph database for analysis.  VeriPrism adds data tags exclusive to our process to provide rich visual analysis of your code.

Punch List

  • Module # (name substitute for security)
  • Rule violated, line/column start/end
  • Sortable by rule, module, line 

Code Map

  • Module # (name substitute for security)
  • Color error map
  • HTML code view
  • Browser live or distributable file
  • Visual punch list

Scores

  • Strength of scoring system is derived from accuracy of code analysis
  • Current industry standard scoring and sizing supported as well as future metrics


Architecture

Advanced Analysis Enables Enhanced Efficiency in Development and Management

  • 1Q21 Roadmap feature
  • Traditional microservices mining is more art than science for selection and design
  • VeriPrism Application DNA™ and visual analysis assists selection of microservices targets
  • Rich data sources (Profilers, Errors rates) help confirm candidates
  • Automated assessment confirms code suitability, quality, and deployed savings estimates

Integrator

Advanced Analysis Enables Enhanced Efficiency in Development and Management

  • VeriPrism Structured Comments (!VSC) annotate applications in a way that enables “System of Systems” diagrams
  • VeriPrism is ready now to support the CISQ Software Bill of Materials (SBoM) when the standard is released
  • Enables more complete understanding of application interaction

Global Open Benchmark Survey & Data Extract

Adding Value to DevOps Through Integration and Correlation of Data

  • Code from GitHub (both open source and opt in) analyzed
  • Client Code (opt in) analyzed during regular VeriPrism runs
  • Data stored in datamart for comparative and benchmark study
      • Benchmarks by Language
      • Comparison to Global or Targeted (opt in) Metrics
  • Provides framework for new rules testing and validation
  • Supports academic and commercial research into program structure
  • Hundreds of Organizations and Thousands of Programs added Monthly

The CISQ CRASH report has been a common guidepost of general code health utilizing about 20 CISQ rules across approximately 250 companies.  Only a subset of these companies are continually scanned and updated.

GOBS proposes to make this process much more robust by scanning a much larger rule set, more frequently and more completely than is currently possible.  Unless a VeriPrism customer opts out, a GOBS score will be generated each time analysis is performed.  This score will be included anonymously and in aggregate in the global quality pool.  Customers who do not wish to participate in global quality benchmarking may opt out of the GOBS score calculations. (1Q21)

To maintain the integrity and accuracy of VeriPrism results, no reporting is supported directly from the graph database.  We extract all relevant information to a flat file to enable ad hoc reporting in your preferred tools.