The Fedr8 Application Analysis Suite is a suite of software that provides you with a highly detailed analysis of the source code of your application. Identify exactly how and where your application integrates into other services and applications.
The Fedr8 suite of software consists of a series of ‘engines’ that allow Fedr8 to forensically analyse your application. Each engine dives deeper into the source code, providing an extremely granular view of the application. To do this, Fedr8 uses a mixture of established mathematical principles, proven big-data analytical components and cutting-edge lexical analysis developed by our data scientists.
After you upload your application into the Fedr8 software, the various engines set to work to deconstruct it into many, often millions of, tiny pieces (tokens), essentially uncovering the DNA of your application. Each token is assigned metadata that allows us to describe each component of the application in a consistent manner.
These tokens and the associated metadata then populate a complex database, against which a series of highly complex queries are performed to uncover the information detailed within this report.
The method by which the analysis occurs is described in the process overview below.
The report will provide you with a deep insight into your application and will help you answer the following questions:
- How much effort is required to migrate and integrate my application into new platforms?
- How much will it cost to migrate and integrate my application into new platforms?
- How easy is it for me to continue development and support of my application?
Furthermore, a detailed statement of work is provided within the Fedr8 software to enable accelerated digital transformation of your application. For each section, Fedr8 details the exact lines of code requiring remediation; these can be sorted by complexity and assigned to specific developers, enabling parallel refactoring of your application with resources aligned to each task.
This information can provide you with significant benefits, which include, but are not limited to:
- Accelerate digital transformation
- Reduce cost of digital transformation
- Increase your competitive advantage when acquiring software companies and assets
- Optimise your ongoing application development and management strategies
We know your code is extremely important to you and your business, and we're very protective of it. After all, Fedr8's code is hosted on Fedr8, too!
Source Code Storage
Fedr8 does not store your source code in our system. As the source code is uploaded we tokenize the data and store the tokens in a database. The tokens are not in a human-readable format and cannot be reconstituted into the original source code.
- Data center access limited to data center technicians and approved Fedr8 staff
- Biometric scanning for controlled data center access
- Security camera monitoring at all data center locations
- 24x7 onsite staff provides additional protection against unauthorized entry
- Physical security audited by an independent firm
- System installation using hardened, patched OS
- Dedicated firewall and VPN services to help block unauthorized system access
- Distributed Denial of Service (DDoS) mitigation services powered by industry-leading solutions
- Our primary data center operations are regularly audited by independent firms against an SSAE 16 SOC 1 & SSAE 16 SOC 2 Type 2 Examination standard
- Systems access logged and tracked for auditing purposes
- Secure document-destruction policies for all sensitive information
- Fully documented change-management procedures
We employ a team of 24/7/365 server specialists to keep our software and its dependencies up to date, eliminating potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks on the site.
All private data exchanged with Fedr8 is always transmitted over SSL (which is why your dashboard is served over HTTPS, for instance). Likewise, all internal communication between Fedr8 systems is completed over HTTPS and authenticated with OAuth tokens.
File system and backups
As we don’t store your data in its native format on a permanent basis, we do not use any traditional file systems and so do not need to back them up. The tokenized data we hold is within a database service that is replicated and backed up across multiple servers and storage systems. The databases are clustered for availability and data integrity.
No Fedr8 employees ever access private repositories unless required to for support reasons. Staff working directly in the database access the compressed database; your code is never presented as plain text files as it would be in a local clone. Support staff may sign into your account to access settings related to your support issue. It is not possible for our staff to pull a clone of your code. When working a support issue we do our best to respect your privacy as much as possible, and we only access the files and settings needed to resolve your issue.
We protect your login from brute force attacks with rate limiting. Login information is always sent over SSL.
Have a question, concern, or comment about Fedr8 security? Please contact Fedr8 support.
Calculations of defect discovery and remediation
In order to calculate effort and costs of discovery and remediation, we make a number of assumptions based upon our experience in reviewing and developing code. We are also able to use data that Fedr8 Application Analysis Suite collects as the application is analysed.
We make a comparison between manual discovery which would consist of a developer manually reviewing the code, versus an automated discovery using the Fedr8 Application Analysis Suite.
Measurements taken in the automated discovery step also shape subsequent defect remediation, because they allow tasks to be distributed across a number of developers working in parallel. The process differences and assumed resources involved are described below.
We assign different remediation velocity for each developer tier and assume fixed working hours per day to calculate total activity time as defined below. To calculate the cost of each activity we multiply the total activity duration for each developer by their individual hourly rates, sum it up and add licence costs where applicable.
| | Junior developer | Mid-level developer | Senior developer |
|---|---|---|---|
| Hourly rate (fully burdened / loaded) | $46.20 | $92.40 | $139.20 |
| Velocity (time to remediate a single defect) | 14 minutes | 11 minutes | 10 minutes |
| Number of working hours per day | 8 hours | 8 hours | 8 hours |
The sample calculation below is based on a number of assumptions drawn from the data points available to us on average application sizes, average numbers of defects discovered, and so on. From these baselines we are able to provide a view of the acceleration in time and the reduction in cost from using Fedr8's software suite.
| Assumption | Value |
|---|---|
| Average Lines of Code (LOC) per application | 300000 |
| Average discovery/app | 45 man days |
| Average % defects identified | 1% |
| Senior Dev hourly rate (loaded) | $138.99 |
| Mid Dev hourly rate (loaded) | $92.60 |
| Junior Dev hourly rate (loaded) | $46.37 |
| Complex tasks (senior dev) | 10% of defects |
| Mid Level Tasks (mid dev) | 30% of defects |
| Low Level Tasks | 60% of defects |

Manual Discovery Calculation

| Item | Value |
|---|---|
| Discovery Effort | 45 days |
| Discovery Resource (Senior Dev) /hr | $139.20 |

Automated Discovery Calculation

| Item | Value |
|---|---|
| Discovery Effort | 1 day |
| Discovery Resource (Senior Dev) /hr | $139.20 |
| Full Application Analysis Licence | $20,000 |

Traditional Manual Remediation Calculation

| Item | Value |
|---|---|
| LOC requiring remediation | 3000 |
| Minutes per LOC | 10 |
| Total hours of remediation activity | 500 |
| Discovery Resource (Senior Dev) /hr | $139.20 |

Automated Remediation Calculation

| Item | Value |
|---|---|
| LOC requiring remediation | 3000 |
| Low Level LOC | 1800 |
| Mid Level LOC | 900 |
| Complex Level LOC | 300 |
| Low level hours of remediation activity | 420 |
| Mid level hours of remediation activity | 165 |
| Senior level hours of remediation activity | 50 |
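The cost model above carried through in code, as an added example that is not part of the Fedr8 report. It takes the tier rates, velocities and defect split from the tables (the $46.20 / $92.40 / $139.20 rate set that accompanies the velocities), reproduces the 420 / 165 / 50 remediation hours, and adds the discovery and licence costs the tables list but do not total; the function names and the use of Decimal for money are the example's own choices.

```python
from decimal import Decimal

# Inputs taken from the report's assumption tables (they are assumptions, not measurements).
HOURS_PER_DAY = 8
SENIOR_RATE = Decimal("139.20")          # discovery is always done by a senior developer
LICENCE_COST = Decimal("20000")          # Full Application Analysis Licence
# tier -> (loaded hourly rate, minutes to remediate one defect, share of defects in %)
TIERS = {
    "junior": (Decimal("46.20"), 14, 60),   # low-level tasks
    "mid":    (Decimal("92.40"), 11, 30),   # mid-level tasks
    "senior": (Decimal("139.20"), 10, 10),  # complex tasks
}

def defective_loc(total_loc=300_000, defect_pct=1):
    """LOC requiring remediation: the average application size times the defect rate."""
    return total_loc * defect_pct // 100

def remediation_hours(loc_to_fix):
    """Split the defective LOC across tiers and convert minutes of work into hours."""
    return {
        tier: Decimal(loc_to_fix * share // 100 * minutes) / 60
        for tier, (_rate, minutes, share) in TIERS.items()
    }

def manual_cost(loc_to_fix=3000, discovery_days=45, minutes_per_loc=10):
    """Traditional path: one senior developer discovers and then remediates every defect."""
    discovery = discovery_days * HOURS_PER_DAY * SENIOR_RATE
    hours = Decimal(loc_to_fix * minutes_per_loc) / 60
    remediation = hours * SENIOR_RATE
    return {"hours": hours, "discovery": discovery,
            "remediation": remediation, "total": discovery + remediation}

def automated_cost(loc_to_fix=3000, discovery_days=1):
    """Automated path: one senior day plus the licence, then tiered parallel remediation."""
    discovery = discovery_days * HOURS_PER_DAY * SENIOR_RATE + LICENCE_COST
    hours = remediation_hours(loc_to_fix)
    remediation = sum(h * TIERS[tier][0] for tier, h in hours.items())
    return {"hours": hours, "discovery": discovery,
            "remediation": remediation, "total": discovery + remediation}

if __name__ == "__main__":
    loc = defective_loc()
    for name, fn in (("manual", manual_cost), ("automated", automated_cost)):
        c = fn(loc)
        print(f"{name:9s} discovery ${c['discovery']:>10,.2f}  "
              f"remediation ${c['remediation']:>10,.2f}  total ${c['total']:>10,.2f}")
```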
Brief overview of Fedr8's Process
The Fedr8 process can be split into a number of engines of increasing complexity.

Initially the code is run through an engine called 'Alice', where geographic investigation is completed. A complete map of your codebase is generated from all objects/files in the scope of your root directory, and all of these files are created as nodes*. Core geographic relationships are also built at this stage. Finally, Alice looks for resource relationships* between nodes.

These nodes and relationships are then passed to the 'Alex' engine, where lexical analysis is completed and abstraction of data occurs: all script files in scope are scanned and each token is individually inspected, both in isolation and in the context of the rest of the codebase. Alex then adds to the nodes as well as building new relationships. Alex also scans for products* and vulnerabilities, and warnings* are raised based on the severity of each vulnerability.

A third engine, 'Phil', is then passed the updated nodes and relationships and uses common queries that target the tokens, as well as compound token/token metadata, to scan for further vulnerabilities and data connectivity.
Token
A token is the smallest part of your code that is available to interrogate; think of it as a single word. All tokens have abstracted metadata, defined by Fedr8, which is used for filtering and querying token data.
Node
Everything we analyze is a 'node'. Generally this refers to an analyzed script. Any object inside the core/root directory is created as a node inside Fedr8, and nodes have a wide range of attributes that are used to select individual groups or types for processing.
Geographic investigation
Occurs inside the 'Alice' engine, and is effectively an intelligent recursive directory scanner that captures all objects inside the root directory, performs intelligent classification and calculates the interconnectivity of scripts.
Lexical analysis
The process of 'dis-assembling' nodes into tokens. Occurs inside the 'Alex' engine, an extremely low-level engine designed for interrogating each individual token* and building complex metadata around that token.
Relationship
A relationship is the function by which two nodes are connected. Each node has a number of relationships that describe how it interacts with the rest of the script base, and there is a range of relationship types that are used to help filter nodes for processing.
Fedr8’s Acceptable Use Policy for Fedr8 Software-as-a-Service
This Acceptable Use Policy ("Policy") outlines unacceptable use of Fedr8 Software-as-a-Service (SaaS), which interacts with, or accesses, the Internet (the "Services"). This Policy is in addition to any other terms and conditions under which Fedr8 provides the Services to you.
Fedr8 may make reasonable modifications to this Policy from time to time by posting a new version of this document on the Fedr8 website at the current URL. Revisions are effective immediately upon posting. Accordingly, we recommend that you visit the Fedr8 website regularly to ensure that your activities conform to the most recent version.
Questions about this Policy (e.g. whether any contemplated use is permitted) and reports of violations of this Policy should be directed to email@example.com
The examples listed in this Policy are not exhaustive. Prohibited uses and activities include, without limitation, any use of the Services in a manner that, in Fedr8’s reasonable judgment, involves, facilitates, or attempts any of the following:
- violating any law of, or committing conduct that is tortious or unlawful in, any applicable jurisdiction
- displaying, performing, sending, receiving or storing any content that is obscene, pornographic, lewd, lascivious, or excessively violent, regardless of whether the material or its dissemination is unlawful
- advocating or encouraging violence against any government, organization, group, individual or property, or providing instruction, information, or assistance in causing or carrying out such violence, regardless of whether such activity is unlawful
- accessing, sending, receiving, displaying, performing, disclosing, storing, or executing any content a) in violation of any copyright, right of publicity, patent, trademark, service mark, trade name, trade secret or other intellectual property right, b) in violation of any applicable agreement, or c) without authorization
- deleting or altering author attributions, copyright notices, or trademark notices, unless expressly permitted in writing by the owner
- obtaining unauthorized access to any system, network, service, or account
- interfering with service to any user, site, account, system, or network by use of any program, script, command, or otherwise
- introducing or activating any viruses, worms, harmful code and/or Trojan horses
- sending or posting unsolicited messages or e-mail, whether commercial or not, a) to any recipients who have requested that messages not be sent to them, or b) to a large number of recipients, including users, newsgroups, or bulletin boards, at one time
- evading spam filters, or sending or posting a message or e-mail with deceptive, absent, or forged header or sender identification information
- holding Fedr8 or its affiliates up to public scorn or ridicule and/or reselling Fedr8’s services, in whole or in part, to any entity or individual, without Fedr8’s prior written consent, or misrepresenting your relationship with Fedr8